
Policies Overview

Policies let you define custom rules to allow or block egress traffic, overriding auto-baseline.

What Are Policies?

Policies are YAML configurations that specify:
  • Allow rules: Domains/IPs that should never trigger Issues (even if not in baseline)
  • Block rules: Domains/IPs that should always be blocked (even if in baseline)
  • Scope: Which micro-contexts the policy applies to

Use Cases

Corporate Allowlist

Whitelist internal domains that should always be accessible.

Supply Chain Hardening

Block known-bad registries or malicious domains.

Compliance

Enforce egress restrictions (e.g., only allow approved SaaS vendors).

Zero Trust Egress

Define a “known-good” list and block everything else.

Policy Types

Allow Policies

Domains/IPs that will never trigger Issues, even if not in baseline. Example:

name: "Corporate allowlist"
type: allow
rules:
  - pattern: "*.corp.example.com"
  - pattern: "registry.npmjs.org"
  - pattern: "github.com"

Result: Connections to these domains are always allowed.

Block Policies

Domains/IPs that will always be blocked, even if in baseline. Example:

name: "Block known-bad registries"
type: block
rules:
  - pattern: "malicious-npm-mirror.com"
  - pattern: "192.0.2.*"  # Example bad IP range

Result: Connections to these domains/IPs are always blocked and trigger Critical Issues.

Policy Scope

Policies can apply to:
  • All Agents
  • GitHub Actions Only
  • Specific Workflows
  • Kubernetes Only

Example:

name: "Global allowlist"
scope: global
type: allow
rules:
  - pattern: "*.github.com"

Applies to all GitHub Actions and Kubernetes agents.

Pattern Matching

Policies support flexible pattern matching:

Pattern           Matches                       Example
example.com       Exact domain                  example.com only
*.example.com     Subdomain wildcard            api.example.com, cdn.example.com
**.example.com    All subdomains (recursive)    deep.nested.example.com
192.0.2.0/24      CIDR range                    192.0.2.1 - 192.0.2.254
192.0.2.*         IP wildcard                   192.0.2.1 - 192.0.2.255

Creating Policies

Via Dashboard

1. Navigate to Policies: Dashboard → Policies → Create Policy
2. Configure Policy:
  • Name: e.g., “Corporate Allowlist”
  • Type: Allow or Block
  • Scope: Global, GitHub Actions, or Kubernetes
  • Rules: Add domain/IP patterns
3. Test Policy: Use Test Mode to validate without applying.
4. Apply Policy: Click Save & Apply. Changes take effect within 60 seconds.

Via YAML

Create policy.yaml:

name: "Production allowlist"
type: allow
scope:
  platform: kubernetes
  cluster: "production"
rules:
  - pattern: "*.corp.example.com"
    comment: "Internal services"
  - pattern: "api.stripe.com"
    comment: "Payment processing"
  - pattern: "*.amazonaws.com"
    comment: "AWS services"

Apply via API (see Policy Schema):

curl -X POST https://api.garnet.ai/v1/policies \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/yaml" \
  --data-binary @policy.yaml

Policy Precedence

When multiple policies overlap, Garnet applies them in this order:
  1. Block policies (highest priority)
  2. Allow policies
  3. Auto-baseline
Example:

# Policy 1: Allow all npm
- name: "Allow npm"
  type: allow
  rules:
    - pattern: "*.npmjs.org"

# Policy 2: Block specific malicious mirror
- name: "Block bad mirror"
  type: block
  rules:
    - pattern: "malicious.npmjs.org"

Result: malicious.npmjs.org is blocked (block takes precedence).
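As an added illustration (not Garnet's own code), the evaluator below implements the pattern forms from the Pattern Matching table together with the block > allow > auto-baseline precedence just described. The policies and baseline set are constructed for the example, and where the page does not define an edge case (whether "*.example.com" matches the bare apex, whether "**.example.com" needs at least one extra label, what strict baseline mode does to unknown destinations) the behaviour chosen is an assumption noted in the comments.

```python
import ipaddress
import re

# Constructed policies mirroring the page's examples (not Garnet's real config).
POLICIES = [
    {"name": "Allow npm", "type": "allow", "rules": ["*.npmjs.org"]},
    {"name": "Block bad mirror", "type": "block",
     "rules": ["malicious.npmjs.org", "192.0.2.*", "198.51.100.0/24"]},
    {"name": "Corporate allowlist", "type": "allow",
     "rules": ["**.corp.example.com", "github.com"]},
]
BASELINE = {"pypi.org"}  # constructed auto-baseline of previously observed destinations

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def matches(pattern, dest):
    """True if dest (a domain or an IP literal) matches one policy pattern."""
    if "/" in pattern:  # CIDR range, e.g. 192.0.2.0/24
        return _is_ip(dest) and ipaddress.ip_address(dest) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("**."):  # recursive wildcard; assumption: at least one extra label
        return re.fullmatch(r"([a-z0-9-]+\.)+" + re.escape(pattern[3:]), dest.lower()) is not None
    if pattern.startswith("*."):  # single-label wildcard; assumption: the bare apex does NOT match
        return re.fullmatch(r"[a-z0-9-]+\." + re.escape(pattern[2:]), dest.lower()) is not None
    if "*" in pattern:  # IP wildcard such as 192.0.2.*: each * stands for one octet
        return _is_ip(dest) and re.fullmatch(re.escape(pattern).replace(r"\*", r"\d{1,3}"), dest) is not None
    return dest.lower() == pattern.lower()  # exact domain or exact IP

def decide(dest, policies=POLICIES, baseline=BASELINE, strict=False):
    """Precedence from the page: block policies, then allow policies, then auto-baseline.
    Returns 'block', 'allow', 'baseline', or 'issue' (unknown destination that raises an
    Issue; assumption: with baseline_mode strict it is blocked instead)."""
    for kind in ("block", "allow"):  # block is checked first, so it wins any overlap
        for policy in policies:
            if policy["type"] == kind and any(matches(r, dest) for r in policy["rules"]):
                return kind
    if dest.lower() in baseline:
        return "baseline"
    return "block" if strict else "issue"

if __name__ == "__main__":
    for d in ["registry.npmjs.org", "malicious.npmjs.org", "192.0.2.7", "pypi.org", "evil.example"]:
        print(d, "->", decide(d))
```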

Testing Policies

Before applying to production, test policies in Test Mode:

1. Enable Test Mode: Dashboard → Policy → Test Mode toggle
2. Simulate Traffic: Trigger your workload (GitHub Actions workflow or K8s pod).
3. Review Results: Dashboard shows what would have been allowed/blocked (without actually blocking).
4. Apply Policy: Once validated, disable Test Mode and apply the policy.

Example: Zero Trust Egress

Goal: Only allow known-good domains; block everything else.

name: "Zero trust egress - production"
scope:
  platform: kubernetes
  cluster: "production"
type: allow
rules:
  # Internal services
  - pattern: "*.internal.corp"

  # Approved SaaS vendors
  - pattern: "api.stripe.com"
  - pattern: "api.twilio.com"

  # Cloud providers
  - pattern: "*.amazonaws.com"
  - pattern: "*.cloudflare.com"

  # Monitoring
  - pattern: "api.datadoghq.com"

Important: Also set baseline mode to “strict” (Dashboard → Settings → Baselining):

baseline_mode: strict  # Only allow domains in baseline OR policy

Result: Any domain not in this policy or the baseline is blocked.

Policy Metrics

Dashboard → Policies shows:

Metric           Description
Rules            Number of allow/block patterns
Matches (24h)    Connections affected by this policy
Blocks (24h)     Connections blocked by this policy
Last Updated     When policy was last modified

Next Steps