Platform · Governance

Security policy, as code.

Write your security bar once. CybeDefend enforces it on every scan, across every team, and stops risky code before it ever reaches production.

Book a demo
One gate

Ship the safe code, stop the rest.

Every pipeline runs through a single policy gate. A critical finding blocks the merge. A lower-risk one warns and lets you ship. You draw the line, CybeDefend holds it.

One security policy gate on every pipelineA commit flows into a single policy gate. A critical finding blocks the merge with exit code 1; a lower-risk finding warns and lets the pipeline continue with exit code 0.commitfeat: refund flowscanner = SASTseverity = CRITICALPOLICYevaluatedMerge blockedexit code 1!Shipped, loggedexit code 0
10 rule types, 8 operators, AND / OR logic. From a raw CVSS threshold to a specific CWE on a protected branch.
Hierarchy

Set the rules once, inherited everywhere.

Your organization baseline flows down to every team and project. Lower levels can only go stricter, never weaker, so a project can never quietly opt out of a company mandate.

Organization, team and project policy hierarchySecurity policies cascade top down. The organization sets a baseline that teams and projects inherit and can only make stricter, never override.INHERITOrganizationHighest priorityTeamInherits organizationProjectStricter only
Policy as code

Versioned in Git, reviewed in a PR.

Policies are plain YAML next to your code. Review a change in a pull request, roll it back with a git revert, and let it evaluate in the background so your scans stay fast.

GitOps native

Every policy change is a reviewable commit, with an author and a timestamp.

Non-blocking

Evaluation runs async, so your pipeline never waits on the gate.

Audit ready

Every violation and exception is logged for SOC 2, ISO 27001 and NIS2.

FAQ

Policy management, in short

What is security policy as code?

Your security requirements live as version-controlled YAML next to your code. CybeDefend evaluates the current policy against every scan across SAST, SCA, secrets, container, IaC and CI/CD, so the rules travel with the repo.

What is the difference between block and warn?

Block stops the pipeline and records the violation. Warn logs it and lets the pipeline continue, which is the safe way to roll out a new rule before you enforce it.

How does the organization, team and project hierarchy work?

Policies cascade top down. The organization sets a baseline that teams and projects inherit and can only make stricter, so a company mandate is never silently overridden.

Does policy evaluation slow down my pipeline?

No. Policies are evaluated asynchronously with a configurable timeout, so scans and deployments never wait on the gate.

Can I make an exception for a file or an accepted risk?

Yes. Each policy supports scoped glob-pattern exclusions with optional expiry dates, and you can mark a finding as accepted risk with a justification. Both leave an audit trail.

Talk to us
Live · just shipped

Install VibeDefend in 5 seconds.

One command wires every coding agent on your machine to CybeDefend: your business rules, your compliance frameworks, and guards that block destructive calls before they fire.

Install in 5 secondsNode 18.17+
npx -y @cybedefend/vibedefend@latest install
Auto-detects
  • Claude CodeClaude Code
  • CursorCursor
  • OpenAI CodexOpenAI Codex
  • WindsurfWindsurf
  • GitHub CopilotVS Code Copilot
Read the README on npm