> ## Documentation Index
> Fetch the complete documentation index at: https://docs.semgrep.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# List policy rules



## OpenAPI

````yaml /public_v1.openapi.yaml get /api/v1/deployments/{deploymentId}/policies/{policyId}
openapi: 3.0.3
info:
  description: >

    Welcome to Semgrep's portal for the Semgrep AppSec Platform web API.


    # Introduction

    Semgrep is a fast, open-source, static analysis tool for finding bugs and
    enforcing code standards at editor,

    commit, and CI time. [Get
    started.](https://semgrep.dev/docs/getting-started/)


    This API is documented in the **OpenAPI format**.


    # Authentication

    The API supports authentication with an API token with the "Web API"
    permission, without limited

    scopes of access.


    You can provision an API token [from the Settings
    page](https://semgrep.dev/orgs/-/settings/tokens).


    # Terms of Use


    Please note, the materials made available herein are subject to the

    [Semgrep Terms of Use](https://semgrep.dev/resources/website-terms/), and
    your

    access or use of any of the same is your acknowledgment and acceptance of
    the

    such terms.


    <br>


    ___
  title: Semgrep Web App
  version: 1.0.0
servers: []
security: []
tags:
  - description: >-
      Deployments encapsulate your organization's security organization, with
      multiple projects, policies, and integrations. As the root object of the
      organization, they're similarly the root object of the API.
    name: DeploymentsService
    x-displayName: Deployment
    x-group: Deployment
  - description: >-
      Manage and retrieve code, supply chain, and AI-powered scan findings from
      Semgrep scans
    name: FindingsService
    x-displayName: Code, Supply Chain, and AI-Powered Scan
    x-group: Code, Supply Chain, and AI-Powered Scan
  - description: Utility endpoints.
    name: MiscService
    x-displayName: Other
    x-group: Other
  - description: >-
      View and manage the Policies of your organization.


      Deployments on the Unified Policies model use the [Policies V2
      API](/api/v2/docs/#tag/PoliciesV2Service) instead; this service stops
      working after the migration.
    name: PoliciesService
    x-displayName: Policies
    x-group: Policies
  - name: ProjectsService
    x-displayName: Projects
    x-group: Projects
  - description: View details of scans associated with projects in your organization.
    name: ScansService
    x-displayName: Scans
    x-group: Scans
  - description: View and manage the Secrets of your organization.
    name: SecretsService
    x-displayName: Secrets
    x-group: Secrets
  - description: |-
      Manage the Supply Chain findings and dependencies of your organization.

      A request body is required, but may be an empty object.
    name: SupplyChainService
    x-displayName: Supply Chain
    x-group: Supply Chain
  - description: Create and manage external tickets
    name: TicketingService
    x-displayName: Ticketing
    x-group: Ticketing
  - description: View and manage the triage of your organization.
    name: TriageService
    x-displayName: Triage
    x-group: Triage
paths:
  /api/v1/deployments/{deploymentId}/policies/{policyId}:
    get:
      tags:
        - PoliciesService
      summary: List policy rules
      operationId: PoliciesService_ListPolicyRules
      parameters:
        - in: path
          name: deploymentId
          required: true
          schema:
            description: >-
              Deployment ID (numeric). Example: `123`. Can be found at
              `/deployments`, or in your Settings in the web UI.
            example: 123
            format: int64
            type: string
        - in: path
          name: policyId
          required: true
          schema:
            description: >-
              Policy ID (numeric). Example: `456`. Can be found at
              `/deployments/{deploymentId}/policies`.
            example: 456
            format: int64
            type: string
        - in: query
          name: cursor
          schema:
            description: >-
              Cursor to paginate through the rules. Provide a cursor value from
              the response to retrieve the next page.
            type: string
        - in: query
          name: limit
          schema:
            description: >-
              Page size to paginate through the rules. The default page size is
              `500` and the maximum allowed page size is `2000`.
            format: int64
            type: integer
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/protos.openapi.v1.ListPolicyRulesResponse'
          description: OK
      security:
        - SemgrepWebToken: []
components:
  schemas:
    protos.openapi.v1.ListPolicyRulesResponse:
      properties:
        cursor:
          description: Cursor to paginate through the rules.
          example: Pm0ROjIwMjQtMDItMDYgMjA6MDQ6NDguMEDzNzk2fmk6NYTM2zUxOTI
          type: string
        policy:
          $ref: '#/components/schemas/protos.common.v1.Policy'
        rules:
          description: List of Rules for the given Policy.
          example:
            - category: security
              confidence: CONFIDENCE_HIGH
              cweCategories:
                - 'CWE-918: Server-Side Request Forgery (SSRF)'
              id: '1'
              languages:
                - python
              lastChangeAt: '2024-07-29T22:33:37.380293Z'
              owaspCategories:
                - 'A07: Cross-Site Scripting (XSS)'
              path: python.rule.1
              policyMode: MODE_MONITOR
              registryMaintainer: semgrep
              rulesets: []
              severity: SEVERITY_HIGH
              source: SOURCE_COMMUNITY
              technologies:
                - django
                - flask
              url: https://semgrep.com/r/123/python.rule.1
              vulnerabilityClass:
                - Improper Authentication
            - category: security
              confidence: CONFIDENCE_HIGH
              cweCategories:
                - 'CWE-918: Server-Side Request Forgery (SSRF)'
              id: '2'
              languages:
                - python
              lastChangeAt: '2024-07-29T22:33:37.380293Z'
              owaspCategories:
                - A01:2021 - Broken Access Control
                - 'A07: Cross-Site Scripting (XSS)'
              path: python.rule.shared
              policyMode: MODE_COMMENT
              registryMaintainer: semgrep
              rulesets:
                - comment
                - default
              severity: SEVERITY_MEDIUM
              source: SOURCE_PRO
              technologies:
                - django
                - flask
              url: https://semgrep.com/r/123/python.rule.shared
              vulnerabilityClass:
                - Improper Authentication
            - category: best-practice
              confidence: CONFIDENCE_HIGH
              cweCategories: []
              id: '3'
              languages:
                - python
              lastChangeAt: '2024-07-29T22:33:37.380293Z'
              lastChangeBy: example-user
              owaspCategories: []
              path: python.rule.custom_rule
              policyMode: MODE_BLOCK
              registryMaintainer: semgrep
              rulesets: []
              severity: SEVERITY_MEDIUM
              source: SOURCE_CUSTOM
              technologies:
                - django
                - flask
              url: https://semgrep.com/r/123/python.rule.custom_rule
              vulnerabilityClass:
                - Improper Authentication
          items:
            $ref: '#/components/schemas/protos.common.v1.Rule'
          type: array
      type: object
    protos.common.v1.Policy:
      properties:
        id:
          description: ID of the Policy.
          example: '1'
          format: int64
          type: string
        isDefault:
          description: When True, the Policy applies to all repositories.
          example: true
          type: boolean
        name:
          description: Name of the Policy.
          example: Global Policy
          type: string
        productType:
          description: |+
            Product type the Policy applies to.

            | value | description |
            |-------|---------------|
            | PRODUCT_TYPE_SAST | The product type for Code rules. |
            | PRODUCT_TYPE_SECRETS | The product type for Secrets rules. |

          enum:
            - PRODUCT_TYPE_SAST
            - PRODUCT_TYPE_SECRETS
          example: PRODUCT_TYPE_SAST
          format: enum
          type: string
        slug:
          description: Sanitized machine-readable name of the Policy.
          example: global_policy
          type: string
      title: Policy
      type: object
    protos.common.v1.Rule:
      properties:
        category:
          description: Category the Rule is associated with.
          example: security
          type: string
        confidence:
          description: |+
            Confidence based on the Rule's false-positive rate.

            | value | description |
            |-------|---------------|
            | CONFIDENCE_HIGH |  |
            | CONFIDENCE_MEDIUM |  |
            | CONFIDENCE_LOW |  |

          enum:
            - CONFIDENCE_HIGH
            - CONFIDENCE_MEDIUM
            - CONFIDENCE_LOW
          example: CONFIDENCE_HIGH
          format: enum
          type: string
        cweCategories:
          description: The CWE associated with the Rule.
          example:
            - 'CWE-918: Server-Side Request Forgery (SSRF)'
          items:
            type: string
          type: array
        hasValidators:
          description: When True, the secrets rule has validators.
          type: boolean
        id:
          description: ID of the Rule.
          format: int64
          type: string
        languages:
          description: Languages the Rule applies to.
          example:
            - python
          items:
            type: string
          type: array
        lastChangeAt:
          description: Timestamp of when the Rule was last changed.
          example: '2024-07-29T22:33:37.380Z'
          format: date-time
          type: string
        lastChangeBy:
          description: Username of who last changed the Rule.
          type: string
        owaspCategories:
          description: Owasp categories the Rule is associated with.
          example:
            - 'A07: Cross-Site Scripting (XSS)'
          items:
            type: string
          type: array
        path:
          description: Full path of the Rule.
          example: python.rule.1
          type: string
        policyMode:
          description: >+
            Mode behavior: Monitor / Comment / Block / Disabled


            | value | description |

            |-------|---------------|

            | MODE_MONITOR | Monitor mode, silently report findings |

            | MODE_COMMENT | Comment mode, leaves PR comments but does not block
            |

            | MODE_BLOCK | Block mode, leaves PR comments and blocks PR |

            | MODE_DISABLED | Disabled mode, not active |

          enum:
            - MODE_MONITOR
            - MODE_COMMENT
            - MODE_BLOCK
            - MODE_DISABLED
          example: MODE_BLOCK
          format: enum
          type: string
        registryMaintainer:
          description: The Registry maintainer associated with the Rule (if applicable).
          example: semgrep
          type: string
        rulesets:
          description: Rulesets to which the Rule belongs (if applicable).
          example: []
          items:
            type: string
          type: array
        secretType:
          description: The secret type (if applicable).
          type: string
        severity:
          description: |+
            Severity level ("seriousness" of the finding)

            | value | description |
            |-------|---------------|
            | SEVERITY_HIGH |  |
            | SEVERITY_MEDIUM |  |
            | SEVERITY_LOW |  |
            | SEVERITY_CRITICAL |  |

          enum:
            - SEVERITY_HIGH
            - SEVERITY_MEDIUM
            - SEVERITY_LOW
            - SEVERITY_CRITICAL
          example: SEVERITY_HIGH
          format: enum
          type: string
        source:
          description: |+
            Source of the Rule

            | value | description |
            |-------|---------------|
            | SOURCE_PRO | From Pro rules |
            | SOURCE_COMMUNITY | From Semgrep Community rules |
            | SOURCE_CUSTOM | From Custom rules |

          enum:
            - SOURCE_PRO
            - SOURCE_COMMUNITY
            - SOURCE_CUSTOM
          example: SOURCE_COMMUNITY
          format: enum
          type: string
        technologies:
          description: Technologies the Rule is associated with.
          example:
            - django
            - flask
          items:
            type: string
          type: array
        url:
          description: The URL of the Rule.
          type: string
        vulnerabilityClass:
          description: Vulnerability classes the Rule is associated with.
          example: Improper Authentication
          items:
            type: string
          type: array
      title: Rule
      type: object
  securitySchemes:
    SemgrepWebToken:
      bearerFormat: string
      description: >-
        Get access to data with your API token. Example header:


        `Authorization: Bearer
        2991e2fb4b540fe75b8f90677b0b892b6314e4961cb001fe6eb452eee248a628`


        The token can be provisioned from the Tokens section in your Settings,
        and requires explicitly enabling `Web API` access.
      scheme: bearer
      type: http

````