Policy testing checklist
Use this checklist for every policy change.
Positive path
- Build a minimal diagram that should trigger the rule.
- Set exact scope/config values required by
if. - Verify expected controls/spec/score outcomes are applied.
Negative path
- Flip one condition so the rule should not trigger.
- Verify expected outcome is not applied.
Regression checks
- Verify unrelated entities are unchanged.
- Verify equivalent entity types (for example
apiandwebApplication) still behave as intended. - Verify no duplicate controls are introduced.
UI checks
- Scope values display correctly.
- Alert/not-assessed states resolve when expected.
- Pipeline/state indicators reflect evaluated outcomes.