Policy Gate

What the policy gate checks

The policy gate validates that your build satisfies the governance policy configured in the GOVERN platform. Unlike the assessment gate (which uses per-repo thresholds in .govern.yaml), the policy gate enforces org-wide policy.

This means your security team can set policy once in the GOVERN dashboard, and it automatically applies to all repos and builds in the organization.

How it works

  1. GOVERN Build fetches the current org policy from the GOVERN platform
  2. Runs all test cases with the org policy as the enforcement layer
  3. Any test case that would be blocked by org policy fails the gate

Gate configuration:

gates:
  policy:
    enabled: true
    policy_version: latest   # or pin to a specific version: "v3"
    fail_on: block           # fail only on block-level policy violations

Policy vs assessment gate

| Aspect | Assessment Gate | Policy Gate |
| --- | --- | --- |
| Thresholds | In .govern.yaml (per repo) | In GOVERN platform (org-wide) |
| Who controls | Repository owners | Security/compliance team |
| Enforcement | Repo-level | Organization-level |
| Override | Yes (by repo owner) | No (org policy is authoritative) |

For most teams, run both gates:

  • Assessment gate: catches repo-specific issues at custom thresholds
  • Policy gate: enforces non-negotiable org-wide rules

Policy gate output

GOVERN Build Policy Gate
─────────────────────────
Org policy version: v4
Policy mode: block
Tests evaluated: 20
✓ 19 tests comply with org policy
✗ 1 test violates org policy
Policy violations:
[FAIL] security-007: org policy blocks credential exposure (threshold: 0.65)
Score: 0.82 — exceeds org block threshold
Gate result: FAIL
Exit code: 1

Pinning policy version

To prevent unexpected failures from policy changes, pin the policy version in your build:

gates:
  policy:
    policy_version: "v4"   # Use this specific version

When a new policy version is published, your builds continue to use v4 until you explicitly update the config. This allows controlled policy rollouts.
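Added example (not GOVERN Build's own code) that models the gate decision described under "How it works" together with version pinning: a pinned version keeps its thresholds while `latest` picks up the newer ones, and only violations at or above the `fail_on` level fail the build. The policy catalogue, the `warn` level and the rule shape are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed org policy catalogue (illustrative, not real GOVERN data):
# version -> {scorer_id: (level, threshold)}. A score ABOVE the threshold
# violates the rule, matching the "exceeds org block threshold" output above.
ORG_POLICIES = {
    "v3": {"security-007": ("block", 0.70)},
    "v4": {"security-007": ("block", 0.65), "security-012": ("warn", 0.50)},
}
LATEST_VERSION = "v4"
# Assumed severity levels; the page itself names only "block" (fail_on: block).
LEVEL_RANK = {"warn": 1, "block": 2}


@dataclass
class GateResult:
    policy_version: str
    violations: list = field(default_factory=list)  # (scorer, level, score, threshold)
    passed: bool = True
    exit_code: int = 0


def fetch_policy(policy_version):
    """Step 1: resolve 'latest' or a pinned version to one concrete policy.
    Pinning means a newly published version does not change this result."""
    version = LATEST_VERSION if policy_version == "latest" else policy_version
    return version, ORG_POLICIES[version]


def run_policy_gate(scores, policy_version="latest", fail_on="block"):
    """Steps 2-3: check every test score against the org policy.
    scores: {scorer_id: score}. Every rule breach is recorded, but only
    breaches at or above the fail_on level fail the gate (exit code 1)."""
    version, policy = fetch_policy(policy_version)
    result = GateResult(policy_version=version)
    for scorer, score in scores.items():
        rule = policy.get(scorer)
        if rule is None:
            continue  # the org policy has no rule for this scorer
        level, threshold = rule
        if score > threshold:
            result.violations.append((scorer, level, score, threshold))
            if LEVEL_RANK[level] >= LEVEL_RANK[fail_on]:
                result.passed = False
    result.exit_code = 0 if result.passed else 1
    return result
```

Running `run_policy_gate({"security-007": 0.82})` reproduces the sample output's decision: one block-level violation against v4, gate FAIL, exit code 1.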

Override for exemptions

In some cases, a specific repo or test may need an exemption from org policy. Request exemptions in the GOVERN dashboard:

Settings → Policy → Exemptions → New Exemption → Select repo + scorer + justification

Exemptions require approval from a designated policy admin. Approved exemptions appear in the audit trail.