Creating Policies
Policies are created through the Bulwark dashboard. This guide walks you through the process.
Accessing the Policy Editor
- Log in to your Bulwark dashboard
- Navigate to Policies in the sidebar
- Click Create Policy
Policy Fields
Name
Give your policy a descriptive name that explains what it does:
- ✅ "Block destructive file operations"
- ✅ "Require approval for production deploys"
- ❌ "Policy 1"
Description (Optional)
Add context about why this policy exists and when it should trigger.
Status
| Status | Behavior |
|---|---|
| Active | Policy is enforced on all matching tool calls |
| Inactive | Policy exists but is not enforced |
| Draft | Policy is being edited, not enforced |
Priority
A number that determines evaluation order. Higher numbers are checked first.
- Use 100+ for critical security policies
- Use 50-99 for important operational policies
- Use 1-49 for convenience policies
Action
What happens when the policy matches:
| Action | Result |
|---|---|
| Allow | Auto-approve immediately |
| Deny | Block with optional message |
| Ask | Send to approval queue |
Building Rules
Rules define when a policy matches. Each rule has three parts:
1. Field
What to check. Common fields:
- tool_name - The tool being called
- tool_input.command - Bash command text
- tool_input.file_path - File being accessed
- cwd - Current working directory
2. Operator
How to compare:
- equals - Exact match
- contains - Substring match
- starts_with - Prefix match
- ends_with - Suffix match
- matches - Regex match
- in - Value in list
3. Value
What to compare against.
Combining Rules
AND Logic
All rules must match. Use for specific conditions:
tool_name equals "Bash"
AND
tool_input.command contains "rm"
AND
tool_input.command contains "-rf"
OR Logic
Any rule can match. Use for multiple triggers:
tool_input.file_path ends_with ".env"
OR
tool_input.file_path ends_with ".secret"
OR
tool_input.file_path contains "password"
Example: Protect Config Files
Let's create a policy that requires approval before modifying configuration files.
Settings:
- Name: Protect configuration files
- Priority: 75
- Action: Ask
- Status: Active
Rules:
tool_name in ["Edit", "Write"]
AND
(
tool_input.file_path ends_with ".config.js"
OR
tool_input.file_path ends_with ".config.ts"
OR
tool_input.file_path contains "/config/"
)
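To make the field/operator/value model and the AND/OR grouping concrete, here is a small evaluator written for this guide (added example code, not Bulwark's own implementation). It assumes that policies are checked from highest priority down, that the first Active match decides, that a missing or non-string field never matches, and that "Ask" is the fallback when nothing matches; none of those details are stated on this page.

```python
import re
# Operators named in "Building Rules"; each takes (observed value, rule value).
OPERATORS = {
    "equals": lambda v, x: v == x,
    "contains": lambda v, x: x in v,
    "starts_with": lambda v, x: v.startswith(x),
    "ends_with": lambda v, x: v.endswith(x),
    "matches": lambda v, x: re.search(x, v) is not None,
    "in": lambda v, x: v in x,
}

def lookup(call, path):
    """Resolve a dotted field such as tool_input.command; None if absent."""
    cur = call
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def evaluate(rule, call):
    """rule is (field, operator, value) or {"and"|"or": [rules]}; a missing
    or non-string field never matches (assumption, not page behaviour)."""
    if isinstance(rule, dict):
        (logic, subrules), = rule.items()
        return (all if logic == "and" else any)(evaluate(r, call) for r in subrules)
    fld, op, expected = rule
    observed = lookup(call, fld)
    return isinstance(observed, str) and OPERATORS[op](observed, expected)

def decide(policies, call, default="Ask"):
    """Higher priority first; first Active match decides (default is assumed)."""
    for p in sorted(policies, key=lambda p: p["priority"], reverse=True):
        if p["status"] == "Active" and evaluate(p["rule"], call):
            return p["action"], p["name"]
    return default, None

# Constructed policies mirroring the two examples on this page.
POLICIES = [
    {"name": "Protect configuration files", "priority": 75, "action": "Ask", "status": "Active",
     "rule": {"and": [("tool_name", "in", ["Edit", "Write"]),
                      {"or": [("tool_input.file_path", "ends_with", ".config.js"),
                              ("tool_input.file_path", "ends_with", ".config.ts"),
                              ("tool_input.file_path", "contains", "/config/")]}]}},
    {"name": "Block destructive file operations", "priority": 100, "action": "Deny", "status": "Active",
     "rule": {"and": [("tool_name", "equals", "Bash"),
                      ("tool_input.command", "contains", "rm"),
                      ("tool_input.command", "contains", "-rf")]}},
]
```

Feed `decide(POLICIES, call)` a tool-call dict shaped like `{"tool_name": ..., "tool_input": {...}}` to see which policy wins for a given call.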
Testing Your Policy
After creating a policy:
- Keep the dashboard open
- Start a Claude Code session
- Trigger a tool call that should match
- Verify the policy action occurs
Tip
Start with Ask action while testing. Once you're confident the rules work correctly, change to Allow or Deny as needed.
Next Steps
- Rule Conditions - All available fields and operators
- Actions - When to use each action type