Policies
Threatcl Cloud policies let you define automated checks against your threat models using Rego (Open Policy Agent’s policy language). Policies can enforce standards like requiring specific controls, minimum threat coverage, or naming conventions across your organization.
Listing Policies
The cloud policies command lists all policies in your organization.
$ threatcl cloud policies
Policies options
-enabled-only — filter to enabled policies only
-json — output as JSON
Viewing a Policy
The cloud policy command displays details for a single policy.
$ threatcl cloud policy -policy-id=<uuid>
Policy options
-policy-id — required. The policy ID to display
-show-rego — include the full Rego source in the output
-json — output as JSON
Creating a Policy
The cloud policy create command creates a new policy from a local .rego file.
$ threatcl cloud policy create -name="Require Controls" -severity=error -rego-file=./require-controls.rego
Create options
-name — required. The policy name
-severity — required. Policy severity: error, warning, or info
-rego-file — required. Path to a local .rego file containing the policy source
-description — optional description
-category — optional category
-tags — optional comma-separated tags
-enabled — enable the policy on creation (default: true)
-json — output as JSON
Updating a Policy
The cloud policy update command updates an existing policy. Only specified fields will be updated.
$ threatcl cloud policy update -policy-id=<uuid> -severity=warning
Update options
-policy-id — required. The policy ID to update
-name — new policy name
-description — new description
-severity — new severity: error, warning, or info
-rego-file — path to an updated .rego file
-category — new category
-tags — comma-separated tags (replaces existing)
-enabled — toggle enabled (true or false)
-enforced — toggle enforced (true or false)
-json — output as JSON
Deleting a Policy
The cloud policy delete command deletes a policy from Threatcl Cloud.
$ threatcl cloud policy delete -policy-id=<uuid>
Delete options
-policy-id — required. The policy ID to delete
-force — skip confirmation prompt
Validating a Rego File
The cloud policy validate command validates a local .rego file against the Threatcl Cloud API without creating a policy.
$ threatcl cloud policy validate my-policy.rego
Validate options
-json — output as JSON
Evaluating Policies
The cloud policy evaluate command triggers policy evaluation against a threat model. This is designed for CI/CD integration — use -fail-on-error or -fail-on-warning to control exit codes based on evaluation results.
$ threatcl cloud policy evaluate -model-id=my-app
Evaluate options
-model-id — required. The threat model ID to evaluate policies against
-fail-on-error — exit with code 1 if any policy with severity error fails
-fail-on-warning — exit with code 1 if any policy with severity warning or error fails
-json — output as JSON
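The following pipeline gate is an added example, not part of the Threatcl documentation: it wraps the evaluate command so that protected branches must also clear warning-severity policies (-fail-on-warning) while feature branches only fail on error-severity policies (-fail-on-error), and keeps the -json report as a build artifact. It assumes THREATCL_API_TOKEN and THREATCL_CLOUD_ORG are set in the pipeline environment; THREATCL_BIN, RUN_GATE, CI_COMMIT_BRANCH and the branch names are constructed for illustration.

```shell
#!/usr/bin/env sh
# Added CI gate around `threatcl cloud policy evaluate` (example, not Threatcl's own code).
# Assumes THREATCL_API_TOKEN / THREATCL_CLOUD_ORG are exported by the pipeline and that
# THREATCL_BIN (constructed; defaults to `threatcl` on PATH) points at the CLI.
set -eu

THREATCL_BIN="${THREATCL_BIN:-threatcl}"

# Protected branches are gated on warnings as well as errors; everything else
# only fails the build on error-severity policies. Branch names are constructed.
gate_flag() {
  case "$1" in
    main|master|release/*) echo "-fail-on-warning" ;;
    *)                     echo "-fail-on-error" ;;
  esac
}

# Run the evaluation, keep the JSON report, and propagate the CLI's exit code
# (1 when a policy at or above the gated severity fails).
run_gate() {
  model_id="$1"; branch="$2"; report="$3"
  flag="$(gate_flag "$branch")"
  if "$THREATCL_BIN" cloud policy evaluate -model-id="$model_id" "$flag" -json > "$report"; then
    echo "policy gate passed: model=$model_id branch=$branch ($flag)"
    return 0
  else
    rc=$?
  fi
  echo "policy gate FAILED: model=$model_id branch=$branch ($flag), exit $rc; report: $report" >&2
  return "$rc"
}

# Typical pipeline invocation, guarded so the functions can be sourced for reuse.
# CI_COMMIT_BRANCH is a constructed stand-in for the CI system's branch variable.
if [ "${RUN_GATE:-0}" = "1" ]; then
  run_gate "my-app" "${CI_COMMIT_BRANCH:-main}" "policy-report.json"
fi
```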
CI/CD Usage
Use -fail-on-error or -fail-on-warning in your pipelines to gate deployments on policy compliance:
$ threatcl cloud policy evaluate -model-id=my-app -fail-on-error -json
Viewing Past Evaluations
Listing Evaluations
The cloud policy evaluations command lists past policy evaluations for a threat model.
$ threatcl cloud policy evaluations -model-id=my-app
Evaluations options
-model-id — required. The threat model ID
-json — output as JSON
Viewing a Single Evaluation
The cloud policy evaluation command displays details of a specific past evaluation.
$ threatcl cloud policy evaluation -model-id=my-app -eval-id=<evalId>
Evaluation options
-model-id — required. The threat model ID
-eval-id — required. The evaluation ID to view
-json — output as JSON
Common Options
All policy commands support these options:
-org-id — organization ID. If not provided, uses the THREATCL_CLOUD_ORG environment variable or the first organization from your user profile
-config — path to an optional config file
See the Cloud Overview for details on environment variables like THREATCL_API_URL, THREATCL_CLOUD_ORG, and THREATCL_API_TOKEN.