Docs
Security policies
Add organization-specific scan criteria without weakening Codenskills's built-in security gate.
Company Workspaces can enforce their own package conventions on top of Codenskills's built-in security scan. Owners and admins manage them from Settings → Security → Organization scan criteria. Every workspace member can read the active criteria before preparing or reviewing a skill.
Add a criterion
Select Add criteria when no custom policy exists, or Edit criteria to change the active policy. Write one clear requirement and choose its effect:
A criterion is a condition the package must satisfy. The effect does not invert
that condition; it only decides what happens when the condition is violated.
For example, to forbid the name PEPE, write The package must not mention PEPE.
Writing The package may say the brand is PEPE. allows that content and will
pass when it is present.
| Effect | When the criterion is violated |
|---|---|
| Watch | Adds a low-risk finding. The version can still enter review. |
| Blocking | Marks the scan high risk and prevents a review from being created. |
If the scanner cannot decide whether a criterion passes, the result becomes medium risk. The version can enter review, but approval requires a reviewer note explaining why it is acceptable.
Examples:
The package must never mention Project Raven.Every script must use the approved internal API hostname.SKILL.md must name the team responsible for this workflow.
A workspace can have up to 20 criteria, with 500 characters per criterion. Criteria cannot contain XML angle brackets or control characters.
What the scan does
The built-in scan and organization-policy evaluation run independently against the same package snapshot. Organization criteria can add risk but cannot hide, lower or override built-in findings. Deterministic credential checks also run outside the model response.
The security profile identifies each organization criterion, its effect, the result, explanation and relevant package paths. High or critical built-in risk and violated blocking criteria have no owner/admin override.
Revisions and pending reviews
Saving criteria creates a new immutable policy revision. It does not rewrite old scan history.
- A new submission must use the policy active when its trusted scan finishes.
- If the package or policy changes during scanning, submission stops and asks you to try again.
- A pending review keeps the exact scan and policy revision that created it.
- Cancelling and resubmitting uses the current active policy.
Criteria and the bounded skill-package profile are sent to the configured scanner provider. Do not put secrets or credentials in a policy rule.
While editing, changes remain a local draft until you select Save new revision. After saving, Settings returns to the read-only active-policy view; select Edit criteria to make another revision.
See Skill security for the complete package-to-release gate, Skills & versions for the version lifecycle and Workspace governance for reviewer roles.