Enforcing policies

WARNING

This feature is only available on the Enterprise plan.

Policy enforcement allows you to automatically apply policies to your Protobuf modules, ensuring they adhere to organizational standards and best practices. An enforcement is the application of a policy to a specific scope (BSR instance, organization, or repository) and targets (glob rules that match labels within the scope).

When an enforcement is created, each commit within the specified targets is automatically checked against the policy. If a commit doesn't conform to the policy, the system:

Outputs violations with detailed error information
Triggers the BSR review flow for manual resolution
Blocks labels from resolving to the commit until errors are resolved or approved

Prerequisites

Enterprise plan subscription
Admin access to your BSR instance, organization, or repository (depending on enforcement scope)
A policy uploaded to the BSR (see quickstart guide)

Creating enforcements

To set up policy enforcement, you need to create an enforcement that defines:

Scope: Where the policy applies (instance-wide, organization, or module)
Policy: Which policy to enforce (optional with a specific reference)
Targets: Which organizations and modules the policy applies to (using glob patterns)

A policy must be uploaded to the BSR before it can be enforced. See the quickstart guide for details on creating and uploading policies.

Enforcement scopes

Instance-wide enforcement: Applies to all repositories across your BSR instance. Use this for company-wide standards that all teams must follow.

Organization enforcement: Applies to all repositories within a specific organization. Use this for team-specific rules that supplement instance-wide policies.

Repository enforcement: Applies to a single repository. Use this for project-specific requirements.

Defining targets

Targets use glob patterns to match within your scope:

*: Match all
main: Match any with the exact "main" name
release-*: Match any with the prefix "release-"

Setting up enforcement

Navigate to the scope where you want to enforce your policy (BSR instance admin panel, Organization settings, or Repository settings)
Go to Policy Enforcement settings
Click Create Enforcement
Configure:
- Policy: Select your uploaded policy (with an optional specific reference)
- Targets: Define glob patterns for matching
Save the enforcement

Once created, the enforcement will automatically apply to new commits in the default label of the repositories that match your target criteria.

Resolving violations

When violations occur:

Review: Check the violation details in the BSR or CLI output
Fix: Update your Protobuf files to address the rule violations
Push: Commit and push your changes
Monitor: Verify the commit passes enforcement in the BSR

Managing enforcement

Updating enforcement

To modify an existing enforcement:

Navigate to the scope of the Policy Enforcement you want to update (BSR instance admin panel, Organization settings, or Repository settings)
Select the enforcement to modify
Update the policy, the policy reference, or targets as needed
Save changes

Because policies are additive, a repository may need to satisfy multiple policies from different scopes.

Generate code

Detect breaking changes

Lint Protobuf files

Format Protobuf files

Build your Protobuf schema

Commands

Beta

Registry

Config

Dep

Plugin

Registry

Module

Organization

Plugin

Sdk

v2

v1

v1beta

Integrate with CI/CD

Consume generated SDKs

Remote plugins

Buf check plugins

Enforce checks

Use the BSR's Confluent Schema Registry

SCIM

CLI commands

Admin

Clean

Repair

Client

Enforcing policies ​

Prerequisites ​

Creating enforcements ​

Enforcement scopes ​

Defining targets ​

Setting up enforcement ​

Resolving violations ​

Managing enforcement ​

Updating enforcement ​