Skip to Content
Governance & CompliancePolicy-as-Code

Policy-as-Code

Policies define the automated actions Slim.io takes when sensitive data is detected. Written in YAML, policies follow a declarative model: you specify conditions and actions, and the policy engine evaluates them against scan findings.

Policy YAML Schema

apiVersion: slim.io/v1
kind: Policy
metadata:
  name: tokenize-financial-pii
  description: "Automatically tokenize credit card and bank account numbers"
  tags:
    - pci-dss
    - financial
spec:
  mode: enforced  # or "dry-run"
  scope:
    connectors:
      - connector-id-aws-prod
      - connector-id-gcp-prod
    file_types:
      - csv
      - json
      - parquet
    prefixes:
      - "data/financial/"
      - "exports/"
  conditions:
    - category: Credit Card
      min_confidence: 0.75  # tune for your environment, see Settings > Detection
    - category: Bank Account
      min_confidence: 0.75  # tune for your environment, see Settings > Detection
  actions:
    - type: tokenize
      config:
        algorithm: aes-256
        key_scope: tenant
    - type: alert
      config:
        channels:
          - slack://security-alerts
          - email://compliance@company.com
        severity: high

Schema Reference

metadata

FieldRequiredDescription
nameYesUnique identifier (kebab-case)
descriptionYesHuman-readable description
tagsNoLabels for filtering and organization

spec.mode

ValueBehavior
dry-runEvaluate conditions and log matches, but do not execute actions
enforcedEvaluate conditions and execute actions on matching findings

Always start with dry-run mode when creating new policies. Review the matched findings in the Governance dashboard to confirm the policy behaves as expected before switching to enforced.

spec.scope

Scope controls which findings the policy applies to:

FieldDescription
connectorsList of connector IDs (empty = all connectors)
file_typesFile extensions to include (empty = all types)
prefixesObject key prefixes to include (empty = all paths)
workspacesWorkspace IDs to scope to (empty = current workspace)

spec.conditions

Conditions define which findings trigger the policy:

FieldDescription
categoryPII category to match (SSN, Email, Credit Card, etc.)
min_confidenceMinimum confidence score for the finding to qualify
max_confidenceMaximum confidence score (optional, for banding)
risk_score_minMinimum file-level risk score

Multiple conditions use OR logic — a finding matching any condition triggers the policy.

spec.actions

Available action types:

ActionDescription
alertSend notifications via Slack, email, or webhook
tokenizeReplace sensitive values with AES-256 encrypted tokens
maskRedact sensitive values in place (irreversible)
quarantineMove the file to an isolation bucket
tagApply metadata tags to the file or finding
webhookSend finding details to a custom HTTP endpoint

Deploying Policies

Via the Dashboard

  1. Navigate to Governance > Policies in the Customer Dashboard.
  2. Click Create Policy.
  3. Paste or write your YAML definition.
  4. Click Validate to check for errors.
  5. Click Deploy to activate the policy.

Via the API

POST /api/v1/governance/policies
Content-Type: application/yaml
Authorization: Bearer $TOKEN
 
# YAML body here

Via Git Sync

Store policy YAML files in a Git repository alongside your classifier definitions:

slim-io-config/
  policies/
    tokenize-financial-pii.yaml
    alert-health-data.yaml
    quarantine-public-buckets.yaml

Enable Git sync under Settings > Integrations to automatically deploy policy changes on merge.

Policy Evaluation Order

When multiple policies match the same finding:

  1. All matching policies execute (policies do not short-circuit)
  2. Actions from all matching policies are combined
  3. Conflicting actions use the most restrictive outcome (e.g., quarantine wins over alert-only)
  4. Execution order within a policy follows the order of actions in the YAML

Auditing

Every policy evaluation is logged with:

  • Timestamp
  • Policy name and version
  • Finding ID and details
  • Conditions matched
  • Actions executed (or skipped in dry-run)
  • Outcome status (success, partial failure, error)

These logs are available in the Governance dashboard and via the API at GET /api/v1/governance/audit-log.

Last updated on
OverviewData Sprawl Detection