# firmis policy - Policy Engine

## Synopsis

```
firmis policy validate <file> [options]
firmis policy check [path] [options]
```

## Description
Every team has security standards. Most of them live in a document nobody reads. `firmis policy` puts them in code and enforces them in CI.

`firmis policy validate` checks a policy YAML file for schema correctness, valid condition values, and structural integrity. It does not run a scan. Use it in development to catch mistakes before a policy reaches CI.

`firmis policy check` runs a full scan and evaluates the results against a policy file. It exits non-zero if any policy rule is violated. This is the CI gate: write what your project must and must not have, wire `policy check` into your pipeline, and the standard is enforced automatically on every run.

Policy files define conditions such as zero tolerance for specific threat categories, a maximum count of high-severity findings, or a requirement that a particular platform be present and scanned. If no `--policy` flag is provided, Firmis looks for `.firmis/policy.yaml` in the project root.
## Examples

### Validate a policy file before using it in CI

```
npx firmis policy validate firmis-policy.yaml
```

### Run a policy check against the current directory

```
npx firmis policy check . --policy firmis-policy.yaml
```

### Policy check with JSON output for CI artifact storage

```
npx firmis policy check . --policy firmis-policy.yaml --format json
```

### Scope check to one platform with quiet output

```
npx firmis policy check . --policy firmis-policy.yaml --platform mcp --quiet
```

### Validate silently - exit code only

```
npx firmis policy validate firmis-policy.yaml --quiet
```

## Options
### policy validate

| Flag | Type | Default | Description |
|---|---|---|---|
| `--quiet` | boolean | `false` | Suppress output. Only the exit code indicates pass or fail. |

### policy check

| Flag | Type | Default | Description |
|---|---|---|---|
| `--policy <file>` | string | `.firmis/policy.yaml` | Path to the policy YAML file to enforce. If omitted, Firmis looks for `.firmis/policy.yaml` in the project root. |
| `--platform <name>` | string | all platforms | Scope the underlying scan to a specific platform only. |
| `--format <type>` | string | `terminal` | Output format. `terminal` for human-readable output. `json` for CI systems and artifact storage. |
| `--quiet` | boolean | `false` | Suppress all terminal output. Only the exit code indicates pass or fail. |
| `--verbose` | boolean | `false` | Show detailed scan and evaluation output. |
## Policy File Format

```yaml
name: "Production Agent Policy"
version: "1.0"
description: "Security baseline for all agent deployments"

rules:
  - id: no-critical-findings
    description: "No critical severity findings allowed"
    condition:
      severity: critical
      count: 0

  - id: no-hardcoded-secrets
    description: "No hardcoded API keys or credentials"
    condition:
      category: secret-detection
      count: 0

  - id: bounded-high-findings
    description: "No more than 3 unresolved high severity findings"
    condition:
      severity: high
      max_count: 3
```

## Exit Codes
| Code | Meaning |
|---|---|
| 0 | All policy rules passed. |
| 1 | One or more policy rules violated (`policy check`). |
| 1 | Policy file is invalid (`policy validate`). |
| 1 | No policy file found and none specified via `--policy` (`policy check`). |
| 1 | Scan or evaluation failed with an error. |
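To make the rule semantics of the policy file format and the exit code table concrete, the following is an added example written for this page; it is not firmis's own implementation. It models what `policy validate` and `policy check` do with the policy shown above: the policy is embedded as the JavaScript equivalent of the YAML (a real tool would load it with a YAML parser), the scan findings are constructed sample data with an assumed `{severity, category}` shape, and the validation checks (required fields, exactly one of `count` or `max_count`, unique rule ids) and the reading of `count` as an exact number and `max_count` as an upper bound are this example's assumptions inferred from the rule descriptions on the page.

```javascript
// Added example, not part of firmis: a minimal model of what `policy validate`
// and `policy check` do with a policy file. The finding shape ({severity,
// category}), the validation checks and the exact count / max_count semantics
// are this example's assumptions, inferred from the rule descriptions above.

// Constructed: the JavaScript equivalent of the policy YAML shown on this
// page (a real tool would load it with a YAML parser).
const policy = {
  name: "Production Agent Policy",
  version: "1.0",
  description: "Security baseline for all agent deployments",
  rules: [
    {
      id: "no-critical-findings",
      description: "No critical severity findings allowed",
      condition: { severity: "critical", count: 0 },
    },
    {
      id: "no-hardcoded-secrets",
      description: "No hardcoded API keys or credentials",
      condition: { category: "secret-detection", count: 0 },
    },
    {
      id: "bounded-high-findings",
      description: "No more than 3 unresolved high severity findings",
      condition: { severity: "high", max_count: 3 },
    },
  ],
};

// Constructed sample scan results; category names are illustrative only.
const findings = [
  { id: "F1", severity: "high", category: "prompt-injection" },
  { id: "F2", severity: "high", category: "prompt-injection" },
  { id: "F3", severity: "medium", category: "secret-detection" },
  { id: "F4", severity: "low", category: "tool-permissions" },
];

// Schema checks in the spirit of `policy validate`: returns a list of
// human-readable errors, empty when the policy is structurally sound.
function validatePolicy(p) {
  const errors = [];
  if (!p || typeof p !== "object") return ["policy must be a mapping"];
  if (typeof p.name !== "string" || p.name === "") errors.push("name: required string");
  if (!Array.isArray(p.rules) || p.rules.length === 0) {
    errors.push("rules: required non-empty list");
    return errors;
  }
  const seen = new Set();
  p.rules.forEach((rule, i) => {
    const where = `rules[${i}]`;
    if (typeof rule.id !== "string" || rule.id === "") errors.push(`${where}.id: required string`);
    else if (seen.has(rule.id)) errors.push(`${where}.id: duplicate id "${rule.id}"`);
    seen.add(rule.id);
    const c = rule.condition;
    if (!c || typeof c !== "object") {
      errors.push(`${where}.condition: required mapping`);
      return;
    }
    if (c.severity === undefined && c.category === undefined) {
      errors.push(`${where}.condition: needs a severity or category selector`);
    }
    const hasCount = c.count !== undefined;
    const hasMax = c.max_count !== undefined;
    if (hasCount === hasMax) {
      errors.push(`${where}.condition: exactly one of count or max_count is required`);
    }
    const limit = hasCount ? c.count : c.max_count;
    if (limit !== undefined && !(Number.isInteger(limit) && limit >= 0)) {
      errors.push(`${where}.condition: count/max_count must be a non-negative integer`);
    }
  });
  return errors;
}

// A finding matches a condition when every selector present in the condition
// (severity and/or category) equals the finding's value.
function matches(finding, condition) {
  if (condition.severity !== undefined && finding.severity !== condition.severity) return false;
  if (condition.category !== undefined && finding.category !== condition.category) return false;
  return true;
}

// Evaluation in the spirit of `policy check`: `count` is an exact expected
// number of matching findings, `max_count` an upper bound.
function evaluatePolicy(p, scanResults) {
  const perRule = p.rules.map((rule) => {
    const c = rule.condition;
    const actual = scanResults.filter((f) => matches(f, c)).length;
    const exact = c.count !== undefined;
    const limit = exact ? c.count : c.max_count;
    const passed = exact ? actual === limit : actual <= limit;
    return { id: rule.id, actual, limit, exact, passed };
  });
  return { passed: perRule.every((r) => r.passed), results: perRule };
}

// Exit codes follow the table on this page: 1 for an invalid policy or any
// violated rule, 0 only when every rule passes.
function exitCodeFor(p, scanResults) {
  if (validatePolicy(p).length > 0) return 1;
  return evaluatePolicy(p, scanResults).passed ? 0 : 1;
}

// Terminal-style report; a real CI gate would also set process.exitCode.
for (const r of evaluatePolicy(policy, findings).results) {
  const op = r.exact ? "==" : "<=";
  console.log(`${r.passed ? "PASS" : "FAIL"} ${r.id}: ${r.actual} ${op} ${r.limit}`);
}
console.log(`exit code: ${exitCodeFor(policy, findings)}`);
```

With the constructed findings, `no-critical-findings` and `bounded-high-findings` pass (0 critical, 2 of at most 3 high) while `no-hardcoded-secrets` fails on the single `secret-detection` finding, so the gate reports exit code 1; the same evaluator returns 0 for an empty result set. Validation runs before evaluation so that a malformed policy is reported as invalid rather than silently passing or crashing the check.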
## See Also

- scan - the underlying scan that `policy check` runs
- Custom Rules - write detection rules that your policies can reference
- CI Pipeline - full discover, BOM, scan, and policy check pipeline