Configure how ops0 enforces compliance policies across different project types. Enforcement settings control whether policy violations block deployments, which projects are checked, and which policy groups apply by default.
The Compliance settings page uses a tab switcher to separate enforcement settings by project type:
| Tab | What it covers |
|---|---|
| IaC | Terraform, OpenTofu, Oxid, and CloudFormation deployments |
| Configurations | Ansible playbook deployments |
| Kubernetes | Kubernetes manifest deployments and Kyverno policy enforcement |
Each tab has fully independent settings — enabling enforcement on IaC does not affect Configurations or Kubernetes, and vice versa.
Each tab also shows a brief "How it works" explanation panel at the top describing what enforcement means for that specific project type.
Go to Settings → Compliance.
Click the IaC, Configurations, or Kubernetes tab.
Toggle Enable Enforcement to on.
Select how violations affect deployments (see below).
Choose All Projects or Selected Projects.
Select the default policy groups to apply. Policy groups are created in Policies.
Click Save Compliance Settings.
The blocking level controls what happens when a policy violation is detected:
| Level | Behavior |
|---|---|
| Error | Only error-severity violations block the deployment. Warnings and advisories are shown but don't block. |
| Warning | Both error and warning-severity violations block the deployment. |
| All | All violations (including advisory/info) block the deployment. |
Choose Error for production environments where only critical violations should stop a deployment. Use All for environments where you want strict zero-tolerance enforcement.
| Scope | Description |
|---|---|
| All projects | Enforcement applies to every project of that type in the org |
| Selected projects | Enforcement applies only to the specific projects you choose |
When Selected projects is chosen, a project picker appears below the scope selector. Search for and select specific projects. The picker shows all projects of the current type with their names and last-updated timestamps. Projects not selected here can still have policies attached directly via the Policies section — scope only controls which projects receive the default policy groups configured in Compliance Settings.
The policy groups list shows each group with its current state:
| Badge | Meaning |
|---|---|
| (no badge) | Group is enabled and will be enforced |
| Disabled | Group exists but has been toggled off — it will not enforce until re-enabled |
Disabled groups are shown in the list so you know they are configured but inactive. Enable them from Policies → Policy Groups.
Policy groups bundle multiple individual policies into a named set. Assigning a policy group here applies all its policies to every project in scope automatically — no need to attach policies individually.
See Creating Policies to build and manage policy groups.
Projects can have additional policies attached directly, independent of these org-wide settings. A project's effective policies are the union of:
ops0 can generate a PDF compliance report for your organization. Navigate to Settings → Compliance → Generate Report to produce a point-in-time report covering:
