conforma · fullsend-ai-coder · Jun 19, 2026
diff --git a/antora/docs/modules/ROOT/pages/packages/release_cve.adoc b/antora/docs/modules/ROOT/pages/packages/release_cve.adoc
@@ -4,9 +4,36 @@ This package is responsible for verifying a CVE scan was performed during the bu
 
 The behaviour of the rules in this package is influenced by rule data. Firstly the rules can be configured to emit violations or warnings based on the availability of the vulnerability fix: patched -- if there is a remediation available, e.g. new version with a fix, or unpatched -- if there is, currently, no remidiation available. Secondly per severity: critical, high, medium, low or unknown choice can be made of the rule outcome: failure or warning. And lastly, per severity, choice can be made of how many leeway days are allowed before a vulnerability causing a failure will be reported as a warning instead.
 
-In the following example if rule data configuration, failures will be reported for critical and high patched vulnerabilities, for critical unpatched vulnerabilities only, warnings will be reported for medium and low patched, and for high and medium unpatched vulnerabilities. For critical and high patched vulnerabilities a leeway of 10 days is allowed.
+== Default values
 
-.Example rule data
+The following are the default values for each rule data key. These defaults are defined in https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/lib/rule_data/rule_data.rego[rule_data.rego] and are used when no custom rule data is provided.
+
+.Default rule data
+[source,yaml]
+----
+restrict_cve_security_levels:
+  - critical
+  - high
+
+warn_cve_security_levels: []
+restrict_unpatched_cve_security_levels: []
+warn_unpatched_cve_security_levels:
+  - critical
+  - high
+
+cve_leeway:
+  critical: 0
+  high: 0
+  medium: 0
+  low: 0
+  unknown: 0
+----
+
+== Customization example
+
+In the following example of rule data configuration, failures will be reported for critical and high patched vulnerabilities, for critical unpatched vulnerabilities only, warnings will be reported for medium and low patched, and for high and medium unpatched vulnerabilities. For critical and high patched vulnerabilities a leeway of 10 days is allowed.
+
+.Example rule data (non-default)
 [source,yaml]
 ----
 restrict_cve_security_levels:
@@ -41,7 +68,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that h
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Found %q vulnerability of %s security level`
 * Code: `cve.cve_blockers`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L115[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L154[Source, window="_blank"]
 
 [#cve__unpatched_cve_blockers]
 === link:#cve__unpatched_cve_blockers[Blocking unpatched CVE check]
@@ -53,7 +80,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that d
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Found %q unpatched vulnerability of %s security level`
 * Code: `cve.unpatched_cve_blockers`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L149[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L188[Source, window="_blank"]
 
 [#cve__cve_results_found]
 === link:#cve__cve_results_found[CVE scan results found]
@@ -65,7 +92,7 @@ Confirm that CVE scan task results (Clair or TPA) are present in the SLSA Proven
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `CVE scan results were not found`
 * Code: `cve.cve_results_found`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L185[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L224[Source, window="_blank"]
 
 [#cve__cve_warnings]
 === link:#cve__cve_warnings[Non-blocking CVE check]
@@ -77,7 +104,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that h
 * Rule type: [rule-type-indicator warning]#WARNING#
 * WARNING message: `Found %q non-blocking vulnerability of %s security level`
 * Code: `cve.cve_warnings`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L60[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L99[Source, window="_blank"]
 
 [#cve__unpatched_cve_warnings]
 === link:#cve__unpatched_cve_warnings[Non-blocking unpatched CVE check]
@@ -89,7 +116,7 @@ The SLSA Provenance attestation for the image is inspected to ensure CVEs that d
 * Rule type: [rule-type-indicator warning]#WARNING#
 * WARNING message: `Found %q non-blocking unpatched vulnerability of %s security level`
 * Code: `cve.unpatched_cve_warnings`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L87[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L126[Source, window="_blank"]
 
 [#cve__rule_data_provided]
 === link:#cve__rule_data_provided[Rule data provided]
@@ -101,4 +128,4 @@ Confirm the expected rule data keys have been provided in the expected format. T
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `cve.rule_data_provided`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L215[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/cve/cve.rego#L254[Source, window="_blank"]
diff --git a/antora/docs/modules/ROOT/pages/release_policy.adoc b/antora/docs/modules/ROOT/pages/release_policy.adoc
@@ -376,9 +376,36 @@ a| This package is responsible for verifying a CVE scan was performed during the
 
 The behaviour of the rules in this package is influenced by rule data. Firstly the rules can be configured to emit violations or warnings based on the availability of the vulnerability fix: patched -- if there is a remediation available, e.g. new version with a fix, or unpatched -- if there is, currently, no remidiation available. Secondly per severity: critical, high, medium, low or unknown choice can be made of the rule outcome: failure or warning. And lastly, per severity, choice can be made of how many leeway days are allowed before a vulnerability causing a failure will be reported as a warning instead.
 
-In the following example if rule data configuration, failures will be reported for critical and high patched vulnerabilities, for critical unpatched vulnerabilities only, warnings will be reported for medium and low patched, and for high and medium unpatched vulnerabilities. For critical and high patched vulnerabilities a leeway of 10 days is allowed.
+== Default values
 
-.Example rule data
+The following are the default values for each rule data key. These defaults are defined in https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/lib/rule_data/rule_data.rego[rule_data.rego] and are used when no custom rule data is provided.
+
+.Default rule data
+[source,yaml]
+----
+restrict_cve_security_levels:
+  - critical
+  - high
+
+warn_cve_security_levels: []
+restrict_unpatched_cve_security_levels: []
+warn_unpatched_cve_security_levels:
+  - critical
+  - high
+
+cve_leeway:
+  critical: 0
+  high: 0
+  medium: 0
+  low: 0
+  unknown: 0
+----
+
+== Customization example
+
+In the following example of rule data configuration, failures will be reported for critical and high patched vulnerabilities, for critical unpatched vulnerabilities only, warnings will be reported for medium and low patched, and for high and medium unpatched vulnerabilities. For critical and high patched vulnerabilities a leeway of 10 days is allowed.
+
+.Example rule data (non-default)
 [source,yaml]
 ----
 restrict_cve_security_levels:

diff --git a/policy/release/cve/cve.rego b/policy/release/cve/cve.rego
@@ -18,14 +18,53 @@
 #   as a warning instead.
 #
 #
-#   In the following example if rule data configuration, failures will be
+#   == Default values
+#
+#
+#   The following are the default values for each rule data key. These defaults
+#   are defined in
+#   https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/lib/rule_data/rule_data.rego[rule_data.rego]
+#   and are used when no custom rule data is provided.
+#
+#
+#   .Default rule data
+#
+#   [source,yaml]
+#
+#   ----
+#
+#   restrict_cve_security_levels:
+#     - critical
+#     - high
+#
+#   warn_cve_security_levels: []
+#
+#   restrict_unpatched_cve_security_levels: []
+#
+#   warn_unpatched_cve_security_levels:
+#     - critical
+#     - high
+#
+#   cve_leeway:
+#     critical: 0
+#     high: 0
+#     medium: 0
+#     low: 0
+#     unknown: 0
+#   ----
+#
+#
+#   == Customization example
+#
+#
+#   In the following example of rule data configuration, failures will be
 #   reported for critical and high patched vulnerabilities, for critical
 #   unpatched vulnerabilities only, warnings will be reported for medium and low
 #   patched, and for high and medium unpatched vulnerabilities. For critical and
 #   high patched vulnerabilities a leeway of 10 days is allowed.
 #
 #
-#   .Example rule data
+#   .Example rule data (non-default)
 #
 #   [source,yaml]
 #