Last updated July 2, 2026

Policy Violations

Policy Violations is the “what’s failing right now” companion to the Policy Engine. Instead of showing violations grouped by policy, it flattens them across your whole fleet so you can triage the worst ones first.

You reach it from Security → Policies → Violations.

The page shows a paginated table of every violation, one row per (policy, server) pair:

  • Policy name and its severity badge.
  • The affected server, with a link to the server page.
  • First seen — when the server first drifted for this policy.
  • Last seen — the most recent evaluation that confirmed the violation is still active.
  • Acknowledger — who acknowledged it, if anyone, and when.
  • Status — Open or Resolved.

A filter across the top lets you show only Open or only Resolved violations. The default is everything.

From this page you can:

  • Open any row to jump to the corresponding policy, where you see the exact rule and parameters that failed.
  • Jump to server — the server column links straight to the affected host so you can start fixing.
  • Acknowledge a violation from the policy detail page. Acknowledgement records who and when, plus an optional note, without resolving the violation itself.
  • Filter by status.

Violations open and close as follows:

  • The Policy Engine evaluates each active policy against the servers that match its target filter (tags / hostname pattern / all).
  • A server that fails opens a violation with first_seen_at = now, last_seen_at = now.
  • Every subsequent evaluation that still fails just bumps last_seen_at.
  • The first evaluation that passes writes resolved_at, which flips the row into the Resolved bucket.

Because resolution is automatic, this feed is always a live view — you don’t need to close violations by hand.
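The lifecycle above, modelled as a small Python sketch. This is an added example, not the product's own code: the `Violation` class, the function names, the `acknowledged_by` / `acknowledged_at` fields and the sample policy and server names are hypothetical, and the handling of a failure after resolution is an assumption the page does not specify.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Violation:
    policy: str
    server: str
    first_seen_at: datetime
    last_seen_at: datetime
    resolved_at: Optional[datetime] = None
    acknowledged_by: Optional[str] = None       # hypothetical field name
    acknowledged_at: Optional[datetime] = None  # hypothetical field name

    @property
    def status(self) -> str:
        # Status is derived: a row is Resolved only once resolved_at is set.
        return "Resolved" if self.resolved_at else "Open"


def apply_evaluation(rows, policy, server, passed, now):
    """Apply one evaluation result to the (policy, server) row, if any."""
    key = (policy, server)
    row = rows.get(key)
    if not passed:
        if row is None or row.resolved_at is not None:
            # First failure opens a violation. Assumption: a failure after
            # resolution starts a fresh row (the page does not say).
            rows[key] = Violation(policy, server, now, now)
        else:
            row.last_seen_at = now  # still failing: only bump last_seen_at
    elif row is not None and row.resolved_at is None:
        row.resolved_at = now  # first passing evaluation resolves the row
    return rows.get(key)


def acknowledge(row, user, now):
    """Record who and when; status and later evaluations are unaffected."""
    row.acknowledged_by, row.acknowledged_at = user, now
    return row


def replay():
    """Constructed timeline: fail, acknowledge, fail again, then pass."""
    t0, rows, key = datetime(2026, 1, 1, 12, 0), {}, ("ssh-hardening", "web-01")
    apply_evaluation(rows, *key, False, t0)
    acknowledge(rows[key], "alice", t0 + timedelta(minutes=5))
    row = apply_evaluation(rows, *key, False, t0 + timedelta(hours=1))
    status_after_ack = row.status  # acknowledged, but still Open
    return status_after_ack, apply_evaluation(rows, *key, True, t0 + timedelta(hours=2))
```
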

There is intentionally no “dismiss” button. If a violation shouldn’t be enforced on this host, the right fix is one of:

  • Change the policy’s target filter so this server is out of scope.
  • Change the rule parameters so the current state is acceptable.
  • Fix the server so the rule passes.
  • Pause the policy if it’s no longer relevant at all.

Acknowledging is for signalling “known, someone’s on it” — it does not silence future evaluations.

  • Policy Engine — where you define what “in compliance” means.
  • Compliance Hub — the roll-up that includes policy adherence alongside vulnerabilities and audit findings.
  • Audit Log — every acknowledge / resolve action is written here.