In Clayton, rules are specific conditions designed to identify potential issues within your code or Salesforce org. For instance, the "Insecure Storage of Sensitive Information" rule raises an alert whenever sensitive data such as tokens, secrets, or passwords is found stored directly in your database.
A policy is a collection of these rules. Take the "Secure" policy as an example; it bundles rules that help protect your organization and customer data. Its goal is to ensure only approved users can gain access, restrict user permissions to only what's essential, and safeguard data within your system from being compromised.
When you connect a new repository or Salesforce org to Clayton, we'll automatically apply a default set of policies based on industry best practices. While these are an excellent starting point, you can easily customize them to fit your team's specific needs.
Below is a short guide on how to adjust your rules and policies to best meet your needs.
Managing Policies Applied to a Project
Every project in Clayton can have its own unique set of policies. To see which ones are active for a particular project, simply:
1. Select the project.
2. Go to Settings.
3. Choose Policies.
From here, you can effortlessly toggle policies on or off as required.
Turning Rules On or Off
You might encounter situations where a rule repeatedly flags "false positives," creating unnecessary noise in your workflow. Conversely, you might want to enable rules you previously ignored or turned off.
If you decide a particular rule is or isn't relevant for your project, users with the right permissions can disable or enable it by following these steps:
1. In the Admin tool, navigate to the Policies tab.
2. Under the Actions column, click Edit next to the policy you wish to modify.
3. Select the policy containing the rule you want to manage.
You can then toggle the rule on or off or adjust its severity level to better suit your team's needs.
Important: Disabling a rule applies globally. This means it will no longer be enforced in either Salesforce org scans or repository checks across all projects.
Adding New Policies
You can also create new policies completely tailored to your organization's specific needs. Here's how:
1. Go to the Policies tab in the Admin Tools section.
2. Click the + Add New Policy button.
3. Browse existing rules by Location (object type), Use Case, and how they're identified in the Salesforce Well-Architected Guide.
Once you add a rule to your new policy, you can set its severity level. Next, decide how this policy applies to repositories and Salesforce orgs: you can make it mandatory for all projects or leave it optional so project leads can decide when to use it. Finally, give your new policy a name and description. You can then apply this policy to any existing projects or include it when setting up new ones.