Policy file reference
Policyglass policies are YAML documents.
Schema
version: 1
required_paths:
  - README.md
forbidden_globs:
  - '*.pem'
ignore_globs:
  - '.git/'
size_limits:
  - glob: 'dist/*.whl'
    max_bytes: 10000000
forbidden_content_patterns:
  - pattern: 'AKIA[0-9A-Z]{16}'
    message: 'Possible AWS key'
Fields
version
Positive integer policy version. The current implementation accepts any positive integer and treats 1 as the baseline schema.
required_paths
List of paths that must exist relative to the scan root. Entries can refer to files or directories.
For safety, these entries must stay within the scan root. Absolute paths and paths containing .. are rejected.
forbidden_globs
List of glob patterns that must not match any scanned file path.
ignore_globs
List of path globs excluded from scanning. Directory-style entries ending in / exclude the directory and everything under it.
size_limits
List of objects with:
- glob: glob pattern to match file paths
- max_bytes: positive integer upper bound in bytes
A file can match multiple rules. Each violated rule yields a finding.
forbidden_content_patterns
List of objects with:
- pattern: Python regular expression
- message: human-readable explanation shown in findings
Patterns are evaluated against the decoded text content of each scanned file.
Validation behavior
Policyglass rejects malformed policies early, including:
- non-mapping top-level YAML documents
- non-list values where lists are expected
- required_paths entries that try to escape the scan root with absolute paths or ..
- missing glob, pattern, or message fields
- non-positive max_bytes
- invalid regular expressions in forbidden_content_patterns
- invalid or non-positive version
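The following validator is an added example covering the field rules and the validation behaviour described above; it is not Policyglass's own code. It assumes the policy has already been parsed by a YAML loader (for example yaml.safe_load) and receives the resulting Python object.

```python
import re
from pathlib import PurePosixPath

# Hypothetical validator for the schema above (added example, not the
# Policyglass implementation). Takes an already-parsed YAML document and
# returns a list of human-readable validation errors; an empty list means
# the policy is well-formed.


def _list_of(doc, key, errors):
    """Return doc[key] if it is a list; an absent key counts as an empty list."""
    value = doc.get(key, [])
    if not isinstance(value, list):
        errors.append(f"{key}: expected a list")
        return []
    return value


def _positive_int(value):
    # bool is a subclass of int, so exclude it explicitly
    return isinstance(value, int) and not isinstance(value, bool) and value >= 1


def validate_policy(doc):
    if not isinstance(doc, dict):
        return ["top-level document must be a mapping"]
    errors = []
    if not _positive_int(doc.get("version")):
        errors.append("version: must be a positive integer")
    for path in _list_of(doc, "required_paths", errors):
        p = PurePosixPath(str(path))
        if p.is_absolute() or ".." in p.parts:
            errors.append(f"required_paths: {path!r} escapes the scan root")
    for key in ("forbidden_globs", "ignore_globs"):
        _list_of(doc, key, errors)
    for rule in _list_of(doc, "size_limits", errors):
        if not isinstance(rule, dict) or not {"glob", "max_bytes"} <= rule.keys():
            errors.append("size_limits: each rule needs glob and max_bytes")
        elif not _positive_int(rule["max_bytes"]):
            errors.append(f"size_limits: non-positive max_bytes for {rule['glob']!r}")
    for rule in _list_of(doc, "forbidden_content_patterns", errors):
        if not isinstance(rule, dict) or not {"pattern", "message"} <= rule.keys():
            errors.append("forbidden_content_patterns: each rule needs pattern and message")
            continue
        try:
            re.compile(rule["pattern"])
        except re.error as exc:
            errors.append(f"forbidden_content_patterns: invalid regex {rule['pattern']!r}: {exc}")
    return errors
```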
Design notes
This schema is intentionally conservative. It is easier to extend a small rule language than to stabilize an overly broad one.