Overview

Translating governance policies into enforceable technical controls is error-prone. Zenable provides automatic conversion of policies to executable rules with version control and testing, ensuring 100% policy enforcement with full traceability.

How Zenable Works

Upload your policy documents once, and Zenable automatically:
  1. Extracts technical requirements from natural language
  2. Converts them into enforceable rules
  3. Applies them across every line of code

Creating Policies as Code

1

Create Your Policy

Go to zenable.app/explore to:
  • Upload a policy document, or
  • Create a control directly
2

View as Code

Visit zenable.app/specs to see your policies translated into executable code
3

Automatic Enforcement

Your policies are now automatically enforced across all development - no additional configuration needed

Real-World Policy Example

Imagine uploading a policy document that states:
“All payment processing code must use encrypted channels, implement idempotency keys, log all transactions with correlation IDs, and retry failed transactions with exponential backoff.”

What Zenable Prevents

With this policy uploaded, Zenable automatically enforces:

Missing Encryption

# ❌ Would be flagged
def process_payment(amount, card):
    response = requests.post(
        "http://payment-api.com/charge",  # Unencrypted!
        json={"amount": amount, "card": card}
    )

# ✅ Zenable ensures
def process_payment(amount, card):
    response = requests.post(
        "https://payment-api.com/charge",  # Encrypted
        json={"amount": amount, "card": card}
    )

Missing Idempotency

# ❌ Would be flagged
def charge_customer(customer_id, amount):
    return payment_gateway.charge(customer_id, amount)

# ✅ Zenable ensures
def charge_customer(customer_id, amount, idempotency_key=None):
    if not idempotency_key:
        idempotency_key = generate_idempotency_key()
    return payment_gateway.charge(
        customer_id, amount,
        idempotency_key=idempotency_key
    )

Policy Definition

Creating Custom Policies

Simply upload your policy documents to Zenable, and we automatically convert them into enforceable rules applied through CLI and IDE integrations.

Example: Security Policy

# security-policy.yaml (conceptual - configured in Zenable platform)
rules:
  - id: hardcoded-api-key
    patterns:
      - pattern-either:
          - pattern: $KEY = "..."
          - pattern: $KEY = '...'
      - metavariable-regex:
          metavariable: $KEY
          regex: (?i).*(api_key|apikey|api-key|secret_key|secret-key)
    message: |
      Hardcoded API key detected. This is a security risk.
      Store API keys in environment variables or secure key management systems.
    languages: [python, javascript, java]
    severity: ERROR
    metadata:
      category: security
      cwe: CWE-798
      owasp: A3

  - id: sql-injection-string-concat
    patterns:
      - pattern-either:
          - pattern: |
              $QUERY = "..." + $INPUT + "..."
              ...
              $CURSOR.execute($QUERY, ...)
          - pattern: |
              $QUERY = f"... {$INPUT} ..."
              ...
              $CURSOR.execute($QUERY, ...)
          - pattern: |
              $QUERY = "...".format($INPUT)
              ...
              $CURSOR.execute($QUERY, ...)
    message: |
      SQL query constructed using string concatenation with user input.
      This can lead to SQL injection vulnerabilities.
      Use parameterized queries instead.
    languages: [python]
    severity: ERROR
    metadata:
      category: security
      cwe: CWE-89
      owasp: A1

  - id: missing-authentication-decorator
    patterns:
      - pattern: |
          @app.route(...)
          def $FUNC(...):
            ...
      - pattern-not: |
          @app.route(...)
          @require_auth
          def $FUNC(...):
            ...
      - metavariable-regex:
          metavariable: $FUNC
          regex: .*(admin|user|account|profile|settings).*
    message: |
      Sensitive endpoint detected without authentication decorator.
      Add @require_auth to protect this endpoint.
    languages: [python]
    severity: WARNING
    metadata:
      category: security
      cwe: CWE-306

Example: Code Quality Policy

# quality-policy.yaml (conceptual - configured in Zenable platform)
rules:
  - id: no-empty-exception-handlers
    patterns:
      - pattern: |
          try:
            ...
          except $EXCEPTION:
            pass
    message: |
      Empty exception handler detected. This can hide errors and make debugging difficult.
      At minimum, log the exception or add a comment explaining why it's being ignored.
    languages: [python]
    severity: WARNING
    metadata:
      category: best-practice

  - id: no-console-log-production
    patterns:
      - pattern-either:
          - pattern: console.log(...)
          - pattern: console.debug(...)
          - pattern: console.info(...)
    message: |
      Console logging detected. Remove or replace with proper logging before production.
    languages: [javascript, typescript]
    severity: INFO
    metadata:
      category: best-practice

  - id: missing-error-handling
    patterns:
      - pattern: |
          $PROMISE = $ASYNC_FUNC(...)
      - pattern-not: |
          $PROMISE = $ASYNC_FUNC(...).catch(...)
      - pattern-not: |
          try {
            ...
            $PROMISE = await $ASYNC_FUNC(...)
            ...
          } catch (...) {
            ...
          }
    message: |
      Async operation without error handling. Add .catch() or try/catch block.
    languages: [javascript, typescript]
    severity: WARNING
    metadata:
      category: error-handling

Policy Enforcement Strategies

Development-Time Enforcement

1

IDE Integration

With Zenable MCP installed, policies are enforced as developers write code:
uvx zenable-mcp install
The AI assistant will automatically:
  • Check code against policies
  • Suggest corrections
  • Apply fixes
2

Pre-commit Hooks

Enforce policies before code is committed:
# .pre-commit-config.yaml
---
repos:
 - repo: https://github.com/Zenable-io/ai-native-python
   rev: v0.2.0 # Use `pre-commit autoupdate --freeze` to safely maintain this
   hooks:
     - id: zenable-check
3

GitHub Integration

Install the GitHub App for automatic PR reviews. Once installed, every pull request is automatically reviewed against your policies.

Next Steps