SCA Policy Violation

arxsec-site / library/workflows/sca-policy-violation/README.md

Monitors Endor Labs CI/CD policy rules for violations, creates Jira blocker tickets to prevent deployment of non-compliant code, and sends engineering alerts to Slack.

Maturity: L3-4 (Enforced to Governed)  ·  See the 5-level maturity model for where this workflow fits in your program.

Time Saved

~1 hour per violation of manual triage and ticket creation.

Connectors

| Connector | Operations | Risk Level |
|-----------|-----------|------------|
| Endor Labs | cicd_rules:read, findings:read | Low — read-only |
| Jira | issues:create | Medium — creates blocker tickets |
| Slack | chat:write | Low — notification only |

How It Works

  1. Query Endor Labs for CI/CD policy rule violations.
  2. Enrich each violation with finding details (CVE, severity, fix version).
  3. Create a Jira blocker ticket assigned to the repository owner.
  4. Post a Slack alert to the relevant engineering channel.

ARX Governance

Risk Classification

  • findings:read: Low. Read-only query against Endor Labs.
  • issues:create: Medium. Creates blocking Jira tickets that can hold up deployments.
  • chat:write: Low. Posts informational Slack messages.

HITL Gate Configuration

  • No HITL gate required. Ticket creation is non-destructive and reversible.

Policy Rules

  • findings:read: permit — automated, no approval needed.
  • issues:create: permit — creates tickets for human review downstream.
  • chat:write: permit — notification only.

Audit Trail

  • Violation ID, CVE, severity, and affected repository.
  • Jira ticket key and assignee for every created issue.
  • Slack message timestamp and channel.
  • Full event log written to arx.audit_log.

> See arx.yaml for the full governance configuration.

Setup Instructions

  1. Configure Endor Labs, Jira, and Slack connectors in arx.yaml.
  2. Set environment variables:
     • ENDOR_NAMESPACE, ENDOR_API_KEY
     • JIRA_URL, JIRA_API_TOKEN, JIRA_PROJECT_KEY
     • SLACK_BOT_TOKEN, SLACK_ENGINEERING_CHANNEL
  3. Map repository owners in arx.yaml under repo_owner_map for Jira assignment.
  4. Deploy with arx deploy sca-policy-violation.

Schedule

Runs every 30 minutes during business hours (08:00-20:00 UTC weekdays).
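The four steps under How It Works, the record fields under Audit Trail and the Schedule window above, modelled offline as an added Python example written for this page. It is not Arx's runtime and not the Endor Labs, Jira or Slack SDKs: the three connector calls are injected callables, and the violation and finding record shapes, the severity-to-priority mapping, the repository names, the owner map and the CVE ids are all constructed assumptions.

```python
"""Offline model of the SCA policy-violation workflow (added example, not Arx code).

Connector calls are injected callables so the pipeline runs against constructed
sample data; record shapes and the severity-to-priority mapping are assumptions.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Finding severity -> Jira priority name. Assumed mapping for this example.
PRIORITY = {"CRITICAL": "Highest", "HIGH": "High", "MEDIUM": "Medium", "LOW": "Low"}


def in_schedule(when) -> bool:
    """Schedule gate from the page: weekdays, 08:00-20:00 UTC.

    Accepts an aware datetime or an ISO 8601 string; naive values are read as UTC.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    when = when.astimezone(timezone.utc)
    return when.weekday() < 5 and 8 <= when.hour < 20


@dataclass
class AuditEntry:
    """One arx.audit_log record carrying the fields the Audit Trail section lists."""
    violation_id: str
    cve: str
    severity: str
    repository: str
    jira_key: str
    assignee: str
    slack_channel: str
    slack_ts: str


def run_workflow(violations, get_finding, create_issue, post_message,
                 repo_owner_map, default_owner, channel):
    """Steps 1-4 of 'How It Works' over already-queried violations; returns audit records."""
    audit, seen = [], set()
    for v in violations:
        if v["id"] in seen:                        # one ticket per violation id, so re-runs are idempotent
            continue
        seen.add(v["id"])
        finding = get_finding(v["finding_id"])     # step 2: enrich with CVE, severity, fix version
        owner = repo_owner_map.get(v["repository"], default_owner)   # repo_owner_map with a fallback
        summary = f"[SCA] {finding['cve']} ({finding['severity']}) in {v['repository']}"
        description = (f"Policy rule: {v['rule']}\n"
                       f"Package: {finding['package']}\n"
                       f"Fix version: {finding.get('fix_version') or 'none available'}")
        key = create_issue(summary=summary, description=description,  # step 3: blocker ticket
                           priority=PRIORITY[finding["severity"]],
                           assignee=owner, blocker=True)
        ts = post_message(channel=channel,                            # step 4: Slack alert
                          text=f"{summary} -> {key} (assigned to {owner})")
        audit.append(AuditEntry(v["id"], finding["cve"], finding["severity"],
                                v["repository"], key, owner, channel, ts))
    return audit


# --- constructed sample data and in-memory stand-ins for the connectors ---
SAMPLE_VIOLATIONS = [  # viol-001 appears twice, as a second poll of the same rule would report it
    {"id": "viol-001", "finding_id": "f-100", "repository": "payments-api", "rule": "block-critical-cve"},
    {"id": "viol-002", "finding_id": "f-101", "repository": "web-frontend", "rule": "block-high-cve"},
    {"id": "viol-001", "finding_id": "f-100", "repository": "payments-api", "rule": "block-critical-cve"},
]
SAMPLE_FINDINGS = {  # CVE ids are placeholders, not real advisories
    "f-100": {"cve": "CVE-0000-0001", "severity": "CRITICAL", "package": "libexample@1.2.3", "fix_version": "1.2.4"},
    "f-101": {"cve": "CVE-0000-0002", "severity": "HIGH", "package": "example-js@4.0.0", "fix_version": None},
}
REPO_OWNER_MAP = {"payments-api": "alice"}   # web-frontend is left unmapped to exercise the fallback


class FakeJira:
    """Stands in for the issues:create connector; records every payload it receives."""
    def __init__(self, project="SEC"):
        self.project, self.issues = project, []

    def create_issue(self, **fields):
        self.issues.append(fields)
        return f"{self.project}-{len(self.issues)}"


class FakeSlack:
    """Stands in for the chat:write connector; returns a Slack-style message ts."""
    def __init__(self):
        self.messages = []

    def post_message(self, channel, text):
        self.messages.append((channel, text))
        return f"1700000000.{len(self.messages):06d}"


def demo():
    """Run the pipeline over the sample data; returns (audit records, jira, slack)."""
    jira, slack = FakeJira(), FakeSlack()
    audit = run_workflow(SAMPLE_VIOLATIONS, SAMPLE_FINDINGS.__getitem__,
                         jira.create_issue, slack.post_message,
                         REPO_OWNER_MAP, "security-oncall", "#eng-alerts")
    return audit, jira, slack


if __name__ == "__main__":
    for entry in demo()[0]:
        print(asdict(entry))
```

The two points worth carrying into a real deployment are the dedup on violation id (a 30-minute poll will see the same open violation repeatedly, and without it each run would file another blocker ticket) and the owner-map fallback, so an unmapped repository still gets a ticket with a named assignee rather than failing silently.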