Bulwark|Docs

Creating Your First Policy

This guide provides a detailed walkthrough of creating an effective policy in Bulwark.

Understanding Policies

A policy is a rule that tells Bulwark what to do when an agent tries to use a specific tool. Every policy has:

  • Name: A descriptive identifier
  • Description: What this policy does
  • Rules: Conditions that must match
  • Action: What happens when rules match (Allow, Deny, or Ask)
  • Priority: Order of evaluation (higher = checked first)
  • Status: Active, Inactive, or Draft

Example: Protect Production Files

Let's create a policy that prevents accidental modifications to production configuration files.

Step 1: Define the Goal

We want to:

  • Require approval before editing any file with "prod" in the path
  • Apply this to any tool that modifies files (Edit, Write, Bash)

Step 2: Create the Policy

  1. Go to Settings → Policies
  2. Click Add Policy
  3. Fill in the basics:
     • Name: Protect production files
     • Description: Require approval before modifying files with "prod" in the path
     • Action: Ask

Step 3: Add Rules

We'll use an OR combinator with multiple rules to catch different tools:

Rule 1: Edit tool with prod path

  • Field: tool_name
  • Operator: equals
  • Value: Edit

AND

  • Field: tool_input.file_path
  • Operator: contains
  • Value: prod

Rule 2: Write tool with prod path

  • Field: tool_name
  • Operator: equals
  • Value: Write

AND

  • Field: tool_input.file_path
  • Operator: contains
  • Value: prod

Rule 3: Bash with prod path

  • Field: tool_name
  • Operator: equals
  • Value: Bash

AND

  • Field: tool_input.command
  • Operator: matches (regex)
  • Value: prod.*\.(yaml|yml|json|env)

Step 4: Set Priority

If you have other policies, set the priority higher (e.g., 100) so this policy is checked before more general ones.

Step 5: Activate

Set the status to Active and save.

Testing Your Policy

Ask Claude to make a change to a production file:

claude "update the API key in config/prod.yaml"

You should see the request appear in your dashboard, waiting for approval.
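
To check coverage before relying on the dashboard, the following added example (not Bulwark's own code) re-implements the three Step 3 rules and runs them over constructed tool calls. The operator semantics (case-sensitive `contains`, unanchored regex `matches`) and the event layout are assumptions; only the field names and values come from this page.

```python
import re

# Step 3 rules: OR across rules, AND within a rule. Assumed semantics (Bulwark's
# may differ): "contains" = case-sensitive substring, "matches" = regex search.
RULES = [
    [("tool_name", "equals", "Edit"), ("tool_input.file_path", "contains", "prod")],
    [("tool_name", "equals", "Write"), ("tool_input.file_path", "contains", "prod")],
    [("tool_name", "equals", "Bash"),
     ("tool_input.command", "matches", r"prod.*\.(yaml|yml|json|env)")],
]

OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "matches": lambda actual, pattern: re.search(pattern, actual) is not None,
}


def lookup(event, dotted_field):
    """Resolve a dotted field such as tool_input.file_path; None if absent."""
    value = event
    for key in dotted_field.split("."):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value


def policy_matches(event, rules=RULES):
    """True if any rule (OR) has all of its conditions (AND) satisfied."""
    def condition_ok(field, op, expected):
        actual = lookup(event, field)
        return isinstance(actual, str) and OPERATORS[op](actual, expected)
    return any(all(condition_ok(*c) for c in rule) for rule in rules)


# Constructed sample tool calls (not captured from a real agent session).
SAMPLES = [
    {"tool_name": "Edit", "tool_input": {"file_path": "config/prod.yaml"}},
    {"tool_name": "Write", "tool_input": {"file_path": "docs/product-notes.md"}},
    {"tool_name": "Edit", "tool_input": {"file_path": "config/PROD.yaml"}},
    {"tool_name": "Bash", "tool_input": {"command": "sed -i s/a/b/ config/prod.yaml"}},
    {"tool_name": "Bash", "tool_input": {"command": "rm -rf deploy/prod/certs"}},
    {"tool_name": "Read", "tool_input": {"file_path": "config/prod.yaml"}},
]

if __name__ == "__main__":
    for event in SAMPLES:
        print("Ask     " if policy_matches(event) else "no match", event)
```

Under these assumptions the substring rule also fires on `docs/product-notes.md`, while the Bash rule only fires when the command names a prod path ending in one of the four listed extensions. Creating the policy as Draft first shows how the real engine treats the same cases.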

Policy Best Practices

Tip: Start broad, then narrow down. It's easier to make policies more specific than to remember all edge cases upfront.

  • Use descriptive names: "Protect production files" is better than "Policy 1"
  • Add helpful descriptions: Future you will thank present you
  • Test in Draft mode: Create policies as Draft first to see what they'd match without blocking anything
  • Review the audit trail: Check your dashboard to see what's being caught and adjust accordingly

Next Steps

Learn more about: