Skip to main content
A policy file (a filter suite) is a YAML document of CEL rules that Vet evaluates against every package in a scan. For what policies are and why they matter, see Policy. This page is the syntax reference.
This page documents the --filter-suite format, Vet’s original policy interface. Vet also ships a newer --policy-suite engine that uses a different rule schema; see the Vet repository for its format.

Filter suite format

A filter suite has a name, a description, and an ordered list of filters. Each filter has a name and a value (a CEL expression). A package matches the suite when any filter’s expression evaluates to true. 
name: Enterprise Security Policy
description: Comprehensive security policy for open source components
filters:
  - name: critical-vulnerabilities
    value: |
      vulns.critical.size() > 0
  - name: approved-licenses
    value: |
      !licenses.exists(p, p in ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"])
  - name: minimum-maintenance
    value: |
      scorecard.scores["Maintained"] < 5
  - name: known-malware
    value: |
      vulns.all.exists(v, v.id.startsWith("MAL-"))
Browse complete, ready-to-use suites in the Vet samples directory.

Applying a filter suite

Pass the suite to vet scan and fail the scan when any package matches: 
vet scan -D /path/to/project \
  --filter-suite /path/to/policy.yml \
  --filter-fail
FlagPurpose
--filter-suite <file>Evaluate packages against the filter suite in <file>.
--filter-failExit non-zero if any package matches, for CI/CD gating.
In CI/CD with vet-action, pass the file via the policy input and set paranoid: true to fail the build on a violation.

Evaluation

Filters are evaluated as an ordered list. Vet stops at the first match per package and reports it as a violation. Order filters from most specific to least specific.

CEL fields

The expression in each filter’s value is written in CEL. These fields are available:
  • pkg - package metadata: pkg.ecosystem, pkg.name, pkg.version
  • vulns.all, vulns.critical, vulns.high, vulns.medium, vulns.low - vulnerability arrays; each item has an id (e.g. vulns.all.exists(v, v.id.startsWith("MAL-")))
  • licenses - array of SPDX license identifiers
  • scorecard.score - aggregate OpenSSF Scorecard score; scorecard.scores["Check-Name"] - per-check score (e.g. "Maintained", "Dangerous-Workflow", "Token-Permissions")
  • projects - source project info (e.g. projects.exists(p, p.type == "GITHUB" && p.stars < 10))
Common operations: size() (array length), exists(item, condition), in (membership), contains() (string contains).

Policy

What policies are and why they matter.

CEL

The expression syntax rules are built from.

Filtering

Query scan results with one-off CEL expressions.

Example Policies

Ready-to-use filter suites in the Vet repository.