The veto policy apply command deploys policy files to your local environment or Veto Cloud.

Syntax

veto policy apply --file <path> [options]

Description

Applies a policy YAML file by:
  • Local: Validates and loads rules into local Veto instance
  • Cloud: Pushes rules to Veto Cloud (creates draft for review)

Required Options

File Path

--file <path>
Path to policy YAML file to apply. Example:
--file ./veto/rules/financial.yaml

Optional Settings

Target

--target <local|cloud>
Where to apply the policy:
  • local - Apply to local Veto instance (default)
  • cloud - Push to Veto Cloud
Example:
--target cloud

Project ID

--project <id>
Veto Cloud project ID (required for cloud target). Example:
--project proj_abc123

JSON Output

--json
Output result as JSON instead of human-readable text. Example:
--json

Examples

Apply Locally (Default)

veto policy apply --file ./veto/rules/financial.yaml
Output:
Applying policy: financial.yaml

✓ Parsed 3 rules
✓ Validated schema
✓ Applied to local instance

Rules:
  - block-large-transfers (severity: critical)
  - require-approval-over-1000 (severity: high)
  - log-all-transactions (severity: low)

Local policy updated successfully.

Apply to Cloud

veto policy apply \
  --file ./veto/rules/financial.yaml \
  --target cloud \
  --project proj_abc123
Output:
Applying policy to Veto Cloud: financial.yaml

✓ Authenticated with Veto Cloud
✓ Parsed 3 rules
✓ Validated schema
✓ Created draft policy

Draft ID: draft_xyz789
Review at: https://app.veto.so/policies/draft/xyz789

Next steps:
  1. Review the draft in Veto Cloud
  2. Approve to activate
  3. Or make changes and re-apply

Apply Multiple Files

Use shell globbing or multiple commands:
# Apply all YAML files in rules directory
for file in veto/rules/*.yaml; do
  veto policy apply --file "$file"
done

Apply with JSON Output

veto policy apply --file ./veto/rules/financial.yaml --json
Output:
{
  "ok": true,
  "data": {
    "target": "local",
    "filePath": "./veto/rules/financial.yaml",
    "rulesApplied": 3,
    "rules": [
      {
        "id": "block-large-transfers",
        "name": "Block Large Transfers",
        "severity": "critical",
        "enabled": true
      },
      {
        "id": "require-approval-over-1000",
        "name": "Require Approval Over $1000",
        "severity": "high",
        "enabled": true
      },
      {
        "id": "log-all-transactions",
        "name": "Log All Transactions",
        "severity": "low",
        "enabled": true
      }
    ]
  }
}
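
A post-apply check over the --json result shown above, as an added example (not Veto's own code): it compares the applied rules with a baseline so that a disabled or downgraded critical rule fails the pipeline instead of passing unnoticed. BASELINE, RANK and verify_apply are hypothetical names, and the drifted sample is constructed from the output on this page.

```python
import json

# Constructed sample: the --json output shown above, edited so the critical
# rule is disabled and downgraded, as a careless change to the YAML would do.
SAMPLE_DRIFTED = """
{"ok": true, "data": {"target": "local",
  "filePath": "./veto/rules/financial.yaml", "rulesApplied": 3,
  "rules": [
    {"id": "block-large-transfers", "name": "Block Large Transfers",
     "severity": "low", "enabled": false},
    {"id": "require-approval-over-1000", "name": "Require Approval Over $1000",
     "severity": "high", "enabled": true},
    {"id": "log-all-transactions", "name": "Log All Transactions",
     "severity": "low", "enabled": true}]}}
"""

# Hypothetical baseline kept in version control: rule id -> minimum severity.
BASELINE = {"block-large-transfers": "critical", "require-approval-over-1000": "high"}
RANK = {"low": 0, "high": 1, "critical": 2}  # only the severities this page shows

def verify_apply(raw, baseline=BASELINE, target="local"):
    """Return findings; an empty list means the applied rules meet the baseline."""
    try:
        result = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"output is not JSON: {exc.msg}"]
    if not isinstance(result, dict) or result.get("ok") is not True:
        return ["apply did not report ok: true"]
    data = result.get("data") or {}
    rules = {r.get("id"): r for r in data.get("rules", [])}
    findings = []
    if data.get("target") != target:
        findings.append(f"target is {data.get('target')!r}, expected {target!r}")
    if data.get("rulesApplied") != len(rules):
        findings.append("rulesApplied differs from the distinct rule ids listed")
    for rule_id, min_sev in baseline.items():
        rule = rules.get(rule_id)
        if rule is None:
            findings.append(f"{rule_id}: missing from applied policy")
            continue
        if rule.get("enabled") is not True:
            findings.append(f"{rule_id}: not enabled")
        if RANK.get(rule.get("severity"), -1) < RANK[min_sev]:
            findings.append(f"{rule_id}: severity {rule.get('severity')!r} below {min_sev!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(verify_apply(SAMPLE_DRIFTED)) or "baseline satisfied")
```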

Validation

Before applying, the command validates:

Schema Validation

  • YAML syntax is correct
  • Required fields are present
  • Field types are correct
  • Operators are valid

Semantic Validation

  • Rule IDs are unique
  • Tool names are valid
  • Conditions reference valid fields
  • Dependency rules exist

Example Validation Error

veto policy apply --file ./veto/rules/broken.yaml
Output:
Error: Policy validation failed

File: ./veto/rules/broken.yaml
Line 8: Missing required field 'action'
Line 12: Invalid operator 'invalid_op' - must be one of: equals, not_equals, contains, not_contains, greater_than, less_than

Fix these errors and try again.

Cloud Workflow

1. Authenticate

First, log in to Veto Cloud:
veto cloud login

2. Select Project

Set active project:
veto cloud project use proj_abc123

3. Apply Policy

Push policy to cloud:
veto policy apply \
  --file ./veto/rules/financial.yaml \
  --target cloud

4. Review Draft

Review the draft in Veto Cloud web UI:
https://app.veto.so/policies/draft/xyz789

5. Approve or Iterate

  • Approve: Draft becomes active policy
  • Iterate: Make changes and re-apply

File Format

Policy files use YAML format:
rules:
  - id: unique-rule-id
    name: Human Readable Name
    description: What this rule does
    enabled: true
    severity: high
    action: block  # block, require_approval, allow
    tools:
      - tool_name
    conditions:
      - field: arguments.amount
        operator: greater_than
        value: 1000
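
A pre-apply lint covering a subset of the checks listed under Validation, run across several files at once so a duplicate rule ID is caught before any file is applied; this is an added example, not Veto's validator. It assumes the operator list from the validation error message and the actions named in the comment above are complete, works on already-parsed YAML, and lint_policies and the sample files are hypothetical.

```python
from collections import defaultdict

# Values taken from this page: the operator list in the validation error
# message and the actions named in the File Format comment.
OPERATORS = {"equals", "not_equals", "contains", "not_contains",
             "greater_than", "less_than"}
ACTIONS = {"block", "require_approval", "allow"}

# Constructed sample: two policy files as they look after YAML parsing
# (e.g. yaml.safe_load from PyYAML), keyed by hypothetical file path.
SAMPLE_FILES = {
    "veto/rules/financial.yaml": {"rules": [
        {"id": "block-large-transfers", "action": "block",
         "tools": ["transfer_funds"],
         "conditions": [{"field": "arguments.amount",
                         "operator": "greater_than", "value": 1000}]},
        {"id": "log-all-transactions",
         "conditions": [{"field": "arguments.amount",
                         "operator": "invalid_op", "value": 0}]},
    ]},
    "veto/rules/invoices.yaml": {"rules": [
        {"id": "block-large-transfers", "action": "deny", "conditions": []},
    ]},
}

def lint_policies(files):
    """Return sorted findings across all files, before any of them is applied."""
    findings, seen = [], defaultdict(list)
    for path, doc in files.items():
        rules = doc.get("rules") if isinstance(doc, dict) else None
        if not isinstance(rules, list):
            findings.append(f"{path}: top-level 'rules' list is missing")
            continue
        for rule in rules:
            rid = rule.get("id", "<no id>")
            seen[rid].append(path)
            action = rule.get("action")
            if action is None:
                findings.append(f"{path}: {rid}: missing required field 'action'")
            elif action not in ACTIONS:
                findings.append(f"{path}: {rid}: invalid action {action!r}")
            for cond in rule.get("conditions") or []:
                if cond.get("operator") not in OPERATORS:
                    findings.append(f"{path}: {rid}: invalid operator {cond.get('operator')!r}")
    for rid, paths in seen.items():
        if len(paths) > 1:
            findings.append(f"{rid}: duplicate id in {', '.join(sorted(paths))}")
    return sorted(findings)
```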

Common Scenarios

Apply After Generation

# Generate policy (single quotes stop the shell from expanding $5 inside the prompt)
veto policy generate \
  --tool transfer_funds \
  --prompt 'block transfers over $500' \
  --save ./veto/rules/financial.yaml

# Apply locally
veto policy apply --file ./veto/rules/financial.yaml

# Test it
veto guard check --tool transfer_funds --args '{"amount": 600}'

Update Existing Policy

# Edit policy file
vim ./veto/rules/financial.yaml

# Re-apply (overwrites previous version)
veto policy apply --file ./veto/rules/financial.yaml

# Verify changes
veto scan

Deploy to Production (Cloud)

# Apply to cloud
veto policy apply \
  --file ./veto/rules/financial.yaml \
  --target cloud \
  --project proj_prod_123

# Monitor application logs for policy decisions
veto cloud logs --project proj_prod_123

Troubleshooting

File Not Found

veto policy apply --file ./missing.yaml
Output:
Error: File not found: ./missing.yaml
Solution:
# Check file path
ls ./veto/rules/

# Use correct path
veto policy apply --file ./veto/rules/financial.yaml

Invalid YAML

Error: Failed to parse YAML: Unexpected token
Solution:
# Validate YAML syntax
yamllint ./veto/rules/financial.yaml

# Or use an online validator (pbcopy is macOS-only; this sends the policy contents to a third-party site)
cat ./veto/rules/financial.yaml | pbcopy
# Paste into https://www.yamllint.com/

Cloud Authentication Failed

Error: Cloud authentication failed: No credentials found
Solution:
# Log in to Veto Cloud
veto cloud login

# Or set API key
export VETO_API_KEY=your-key-here

# Try again
veto policy apply --file ./veto/rules/financial.yaml --target cloud

Rule ID Conflict

Error: Rule ID 'block-large-transfers' already exists
Solution:
  • Change rule ID to be unique
  • Or remove existing rule first
  • Or overwrite with --force (if available)

Best Practices

1. Version Control

Commit policy files to git:
git add veto/rules/
git commit -m "Add financial policies"

2. Test Locally First

# Always test locally before cloud
veto policy apply --file ./veto/rules/new.yaml --target local
veto guard check --tool <name> --args '{}'

# Then push to cloud
veto policy apply --file ./veto/rules/new.yaml --target cloud

3. Use Meaningful Filenames

# Good
veto/rules/financial-transfers.yaml
veto/rules/email-security.yaml
veto/rules/database-access.yaml

# Bad
veto/rules/policy1.yaml
veto/rules/rules.yaml
veto/rules/stuff.yaml

4. Document Your Rules

Add clear descriptions:
rules:
  - id: block-large-transfers
    name: Block Large Transfers
    description: |
      Prevents financial transfers over $10,000 to protect against
      unauthorized large transactions. Added after incident #1234.
      Last updated: 2024-03-01

5. Organize by Domain

veto/rules/
  financial/
    transfers.yaml
    invoices.yaml
  communication/
    email.yaml
    slack.yaml
  security/
    access-control.yaml
    data-protection.yaml
