Policy testing checklist

Use this checklist for every policy change.

Positive path

  • Build a minimal diagram that should trigger the rule.
  • Set exact scope/config values required by if.
  • Verify expected controls/spec/score outcomes are applied.

Negative path

  • Flip one condition so the rule should not trigger.
  • Verify expected outcome is not applied.

Regression checks

  • Verify unrelated entities are unchanged.
  • Verify equivalent entity types (for example api and webApplication) still behave as intended.
  • Verify no duplicate controls are introduced.

UI checks

  • Scope values display correctly.
  • Alert/not-assessed states resolve when expected.
  • Pipeline/state indicators reflect evaluated outcomes.