---
title: "Issue Policies"
slug: "issue-policies"
description: "Learn how to create and manage compliance policies in Traceable to identify API, AI security violations, and monitor PCI DSS compliance. Use predefined or custom policies to enhance API protection and ensure compliance with security standards."
updated: 2026-03-17T09:39:28Z
published: 2026-03-17T09:39:28Z
---

# Issue Policies

##### Updates (January 2026 to March 2026)

- *March 2026* — Updated the page to reflect the new MCP policies in the Traceable platform. For more information, see [Policy Categorization](/docs/issue-policies#policy-categorization).

**Issue Policies** help you identify API endpoints that violate security policies. Traceable provides predefined policies for vulnerability, compliance, PCI DSS, AI APIs, and MCP tools that you can customize to make them relevant to your organization. You can also define custom policies to identify these violations based on various attributes, such as the environment where the API runs, its vulnerability type, data sensitivity, and so on. You can also enable or disable these policies according to your requirements.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_discovery_issue_policies_dashboard.png)

Issue Policies

## Policy Categorization

The issue policies are separated into the following categories:

| Category | Description |
| --- | --- |
| **Traceable Vulnerabilities** | This category lists the OWASP API Top 10 and Traceable recommended policies for identifying vulnerabilities in *Live Traffic* across API endpoints. |
| **Traceable Compliance** | This category lists Traceable's out-of-the-box compliance policies. These policies help identify some of the most common violations across API endpoints. |
| **PCI DSS** | This category lists Traceable's policies for monitoring PCI DSS data across API endpoints. |
| **AI APIs** | This category lists Traceable’s policies for monitoring AI endpoints in your application. |
| **MCP** | This category lists Traceable’s policies for monitoring MCP assets in your application ecosystem. |
| **Custom** | This category lists the policies you create using various attributes according to your requirements. |

For more information on the above policies, see [Policy View](/v1/docs/compliance-policies#policy-view) and [Policy Configuration](/v1/docs/compliance-policies#policy-configuration).

## Navigating the page

You can access the **Issue Policies** page through **Discovery** → **Settings** → **Issue Policies**.

## Listing Identified Issues

While the **Issue Policies** page lists the policies, the identified violations are listed in **Discovery** → **Issues**. On the **Issues** page, you can view details about the violations and the API endpoints where they were identified. For more information on navigating these violations, see [Issues](/docs/vulnerabilities).

Traceable also auto-resolves an issue by default, depending on the issue’s source. For more information, see [Issues Resolution](https://docs.traceable.ai/docs/issues#issue-resolution).

> [!NOTE]
> **Note**
> 
> The compliance policies only help in identifying violations across discovered API endpoints. Based on the details about these violations, you can also choose to create custom policies under API Protection. These policies help protect your APIs according to the settings you configure. For more information on how to create these policies, see [Custom Policy](/docs/custom-policy).

---

## Policy View

Traceable shows the following information for each category mentioned above:

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_discovery_issue_policies_edit.png)

Policy View

| Column | Description |
| --- | --- |
| **Control Name** | The policy name, for example, *API Param Contains URL*. Traceable uses this policy name as the **Issue Name** on the **Issues** page. |
| **Severity** | The severity of the issue detected as part of this policy. For example, the issue having the name *API Param Contains URL* will have *Medium* severity. |
| **Environments** | The environment(s) in which the policy is applicable. By default, a policy applies to *All Environments*; however, you can edit this according to your requirements. For more information, see the [Policy Configuration](/v1/docs/compliance-policies#policy-configuration) section below. |
| **Status** | The policy's status: **enabled** or **disabled**. While the policies are enabled (Traceable recommended) by default, you can click the toggle for a row to disable them according to your requirements. |
| **Actions** | The functions you can perform on the policies. You can **Edit** the policy configuration and **Clone** the policy (for Custom policies only) according to your requirements. For more information, see the [Policy Configuration](/v1/docs/compliance-policies#policy-configuration) section below. |

---

## Policy Configuration

This section discusses both out-of-the-box and custom policies, along with the steps to configure and edit them. For more information, refer to the tabs below to determine your requirements.

**Out-of-the-box Policies**

Traceable, by default, provides you with some policies on the **Issue Policies** page. These policies are listed under the **Traceable Vulnerabilities**, **Traceable Compliance**, **PCI DSS**, **AI APIs**, and **MCP** tabs. Traceable recommends keeping these policies enabled to help identify the most common violations and PCI DSS data across API endpoints.

Traceable also allows you to perform the following actions on a policy. To perform these actions, click the **Ellipse** (![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_ellipse_icon.png)) icon corresponding to a policy.

- **View** a policy and its configuration.
- **Edit** a policy configuration. For the steps to perform this, see the section below.

### Edit Policy

To edit a policy configuration, click the **Ellipse** (![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_catalog_posture_events_ellipse_icon.png)) icon → **Edit** corresponding to a policy, and complete the following steps:

#### Step 1 — Scope

1. Select the **Environment(s)** where you wish to apply the policy.
2. Define the policy scope by configuring the condition groups. You can add one or more condition groups according to your requirements:
  1. Select how Traceable should match the condition groups:
    - **Match All** — Traceable performs an AND operation between the condition groups, if selected.
    - **Match Any** — Traceable performs an OR operation between the condition groups, if selected.
  2. Click **+ Condition Group** and complete the following steps:
    1. Select how Traceable should match the conditions: *Match All* or *Match Any*.
    2. Click **+ Add Condition**.
    3. Select the **Attribute** for which you wish to apply the condition.
    4. Select the **Operator** corresponding to the attribute.
    5. Select the **Value(s)** corresponding to the attribute and operator.
    6. (Optional) Click **+** corresponding to a condition to add more according to your requirements.
  3. (Optional) Repeat the above step to add more condition groups.
3. Click **Next**.

#### Step 2 — Parameters

Select the **Attribute** and its corresponding **Operator**, and specify the **Value** based on which Traceable should detect issues for the policy. Then click **Next**.

#### Step 3 — Severity Conditions

Select the **Severity** that Traceable should assign to the issues detected using the policy, and click **Save**.

**Custom Policies**

You can create custom policies by selecting attributes according to your requirements. Traceable uses these policies to identify the corresponding violations and lists them on the **Issues** page for you to take action.

> [!NOTE]
> Note
> 
> - Each custom policy should have a unique name.
> - Custom policies may take up to 24 hours to generate [Issues](/docs/issues) post-creation.

### Creating a Custom Policy

To create a custom policy, in the page’s top right corner, click **+ Custom Policy**, and complete the following steps:

#### Step 1 — Scope

1. Specify the policy **Name**. For example, *API endpoint contains critical data*. Traceable uses this policy name as the **Issue Name** on the **Issues** page.

   > [!NOTE]
   > Note
   > 
   > You cannot edit the name post-policy creation.

2. Specify a **Description** for the policy.
3. From the **Category** drop-down list, select the category to which the detected violation should belong or specify a category name and click on **Create new Category “<Category Name>”**, for example, *Production*.
4. From the **Environment** drop-down list, select the environment(s) in which the policy should apply. By default, Traceable selects *All Environments*.
5. Define the policy **Scope** by configuring the condition groups. You can add one or more condition groups according to your requirements:
  1. Select how Traceable should match the condition groups:
    - **Match All** — Traceable performs an AND operation between the condition groups if selected.
    - **Match Any** — Traceable performs an OR operation between the condition groups if selected.
  2. Click **+ Condition Group** and complete the following steps:
    1. Select how Traceable should match the conditions: *Match All* or *Match Any*.
    2. Click **+ Add Condition**.
    3. Select the **Attribute** for which you wish to apply the condition.
    4. Select the **Operator** corresponding to the attribute.
    5. Select the **Value(s)** corresponding to the attribute and operator.
    6. (Optional) Click **+** corresponding to a condition to add more according to your requirements.
  3. (Optional) Repeat the above step to add more condition groups.
6. Click **Next**.

#### Step 2 — Detection Conditions

1. In the **API Attribute** section, click **+ Add condition**, then select the attribute based on your requirements. For example, *Endpoint Name* is equal to (*=*) *GET /userinfo/json*.
2. In the **Vulnerability Attribute** section, click **+ Add condition** and select the attribute according to your requirements. For example, Vulnerability *Status* is (*IN*) either *Open* or *Under review*.
3. In the **Datatypes** section, click **+ Add condition** and select the attributes according to your requirements. For example, the *Request & Response* of the API endpoint contains any of (*Contains any of*) the *Credit Card PIN*, *username*, or *password* data types.
4. In the **Datasets** section, click **+ Add condition** and select the attributes according to your requirements. For example, the *Response* of the API endpoint does not contain (*Contains any of*) the *Generic Personal Info* or *PII UK* data sets.
5. In the **Data Sensitivity** section, click **+ Add condition** and select the attributes according to your requirements. For example, the *Request* data for an API endpoint is highly sensitive (*High*).
6. Click **Next**.

> [!NOTE]
> Note
> 
> Traceable carries out an AND operation between the conditions defined above.

#### Step 3 — Severity Conditions

Select the **Severity** that Traceable should assign to the issues detected using the policy, and click **Submit**.
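
The following Python is an added example (not Traceable's code) that models how the scope and detection settings from the Edit Policy and Creating a Custom Policy steps above combine: condition groups joined by Match All (AND) or Match Any (OR), detection conditions joined by AND, and the resulting issue carrying the policy name as its issue name. The dictionary layout, the attribute keys such as `endpoint_name`, `service` and `request_response_datatypes`, and the sample endpoints are assumptions; the detection values come from the page's Step 2 examples.

```python
# Constructed model of the page's policy shape: condition groups (Match All = AND,
# Match Any = OR) in the scope, AND-ed detection conditions. Not Traceable's code.
def match(actual, operator, expected):
    # One attribute / operator / value condition, with the operators the page shows.
    if operator == "=":
        return actual == expected
    if operator == "IN":
        return actual in expected
    if operator == "Contains any of":
        return bool(set(actual or ()) & set(expected))
    raise ValueError(f"unsupported operator {operator!r}")

def combine(mode, hits):  # 'all' = Match All (AND), 'any' = Match Any (OR)
    return all(hits) if mode == "all" else any(hits)

def in_scope(endpoint, scope):
    # Environment filter first, then condition groups combined per scope['match'].
    envs = scope["environments"]
    if "All Environments" not in envs and endpoint.get("environment") not in envs:
        return False
    return combine(scope["match"], [combine(g["match"], [
        match(endpoint.get(a), op, v) for a, op, v in g["conditions"]]) for g in scope["groups"]])

def detect(endpoint, policy):
    # An issue is raised only when in scope and every detection condition holds.
    if not in_scope(endpoint, policy["scope"]):
        return None
    if not all(match(endpoint.get(a), op, v) for a, op, v in policy["detection"]):
        return None
    return {"issue_name": policy["name"], "severity": policy["severity"],
            "endpoint": endpoint["endpoint_name"]}

# Policy built from the page's Step 2 examples; scope attribute 'service' is constructed.
POLICY = {
    "name": "API endpoint contains critical data", "severity": "High",
    "scope": {"environments": ["All Environments"], "match": "any", "groups": [
        {"match": "all", "conditions": [("service", "IN", ["user-service", "auth-service"])]}]},
    "detection": [
        ("endpoint_name", "=", "GET /userinfo/json"),
        ("vulnerability_status", "IN", ["Open", "Under review"]),
        ("request_response_datatypes", "Contains any of", ["Credit Card PIN", "username", "password"]),
        ("request_sensitivity", "=", "High")]}

# Constructed endpoints: the first violates the policy, the second is out of scope.
ENDPOINTS = [dict(endpoint_name="GET /userinfo/json", environment="Production", service=svc,
                  vulnerability_status="Open", request_response_datatypes=types, request_sensitivity="High")
             for svc, types in (("user-service", ["username", "email"]), ("billing", ["password"]))]

def find_issues(endpoints=ENDPOINTS, policy=POLICY):
    return [issue for issue in (detect(e, policy) for e in endpoints) if issue]
```

Running `find_issues()` returns one issue for the first endpoint; the second endpoint carries a sensitive data type but never reaches the detection conditions because its scope group fails.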

---

### Custom Policy Actions

You can perform the following actions on the policies by clicking on the **Ellipse** (![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_ellipse_icon.png)) icon corresponding to a row:

- **Edit** a policy to add or remove any attributes according to your requirements.
- **Clone** and edit a policy to add or remove any attributes according to your requirements. While cloning a policy, you can also select if you wish to edit the cloned policy directly. Upon selection, Traceable automatically opens the policy configuration for modifications.
- **Delete** a policy.

> [!NOTE]
> Note
> 
> A deleted policy cannot be restored.

## Related

- [Issues Overview](/issues.md)
- [All Assets](/all-assets.md)
- [AI Asset Details](/asset-details.md)
