Policy & Merge Checks
How Secbez uses policies to control whether pull requests can be merged based on severity thresholds.
Secbez evaluates findings against your security policy to decide whether a pull request should pass, warn, or fail.
How policy evaluation works
After scanning a pull request, Secbez checks the findings against your configured thresholds:
- If any finding exceeds a fail threshold, the Check Run status is set to Failure
- If any finding exceeds a warn threshold, the Check Run status is set to Warning (neutral)
- If no threshold is exceeded, the Check Run status is set to Success
Default policy thresholds
| Condition | Action |
|---|---|
| Any critical severity finding | Fail |
| Any high-severity finding with high confidence | Fail |
| Any high-severity finding (any confidence) | Warn |
| Any medium severity finding | Warn |
| All other findings | Pass |
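The evaluation above, written out as an added example (not Secbez's own code): each rule is a minimum severity, a minimum confidence and an action, the worst action across all findings decides the Check Run conclusion, and the rule-list shape and the `STRICT_POLICY` variant are assumptions of this example rather than Secbez's policy format.

```python
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    LOW, MEDIUM, HIGH, CRITICAL = 1, 2, 3, 4


class Confidence(IntEnum):
    LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: Severity
    confidence: Confidence


# Each rule: (minimum severity, minimum confidence, action). A finding matches a
# rule when it meets both minimums. DEFAULT_POLICY mirrors the thresholds table
# above; the tuple-list shape is an assumption of this example.
DEFAULT_POLICY = [
    (Severity.CRITICAL, Confidence.LOW, "fail"),   # any critical finding
    (Severity.HIGH, Confidence.HIGH, "fail"),      # high severity + high confidence
    (Severity.HIGH, Confidence.LOW, "warn"),       # high severity, any confidence
    (Severity.MEDIUM, Confidence.LOW, "warn"),     # any medium finding
]

# A stricter variant (assumed, for illustration): every high-severity finding fails.
STRICT_POLICY = [(Severity.CRITICAL, Confidence.LOW, "fail"),
                 (Severity.HIGH, Confidence.LOW, "fail"),
                 (Severity.MEDIUM, Confidence.LOW, "warn")]

ACTION_RANK = {"pass": 0, "warn": 1, "fail": 2}
ACTION_TO_CONCLUSION = {"pass": "success", "warn": "neutral", "fail": "failure"}


def action_for(finding, policy=DEFAULT_POLICY):
    """Return the most severe action any rule in the policy assigns to one finding."""
    worst = "pass"
    for min_sev, min_conf, action in policy:
        if finding.severity >= min_sev and finding.confidence >= min_conf:
            if ACTION_RANK[action] > ACTION_RANK[worst]:
                worst = action
    return worst


def evaluate(findings, policy=DEFAULT_POLICY):
    """Fold per-finding actions into one Check Run conclusion.
    One failing finding outweighs any number of warnings; no findings means success."""
    worst = "pass"
    for finding in findings:
        action = action_for(finding, policy)
        if ACTION_RANK[action] > ACTION_RANK[worst]:
            worst = action
    return ACTION_TO_CONCLUSION[worst]
```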
Enforcing checks
To prevent merging PRs that fail the security check:
- Go to your GitHub repository settings
- Navigate to Branches > Branch protection rules
- Enable "Require status checks to pass before merging"
- Select the "Secbez Security Scan" check
Once enabled, PRs with critical or high-confidence high-severity findings cannot be merged until the issues are resolved.
Customizing policy
Policy thresholds can be adjusted to match your team's risk tolerance. Stricter policies catch more issues before merge; more relaxed policies reduce friction during development.