Policy-as-Code lets you define your PromptGuard guardrail configuration in YAML files, version them in git, and apply them via the CLI. This enables code review, audit trails, and reproducible deployments for your security policies.

Overview

Instead of configuring guardrails through the dashboard UI, define them declaratively:
# policy.yaml
guardrails:
  prompt_injection:
    level: strict
  pii_detection:
    level: strict
    mode: redact
  data_exfiltration:
    level: moderate
  toxicity:
    threshold: 0.7
  secret_key_detection:
    level: moderate

CLI Commands

Export Current Config

Fetch the live guardrail config and output it as YAML:
promptguard policy export --project-id proj_abc123 > policy.yaml

Preview Changes

Compare a YAML file against the live config to see what would change:
promptguard policy diff policy.yaml --project-id proj_abc123
Output:
Comparing policy.yaml against live config...

Differences:

  prompt_injection.level:
    - "moderate"
    + "strict"
  toxicity.threshold:
    - 0.8
    + 0.7
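
A review gate built on the diff output above, as an added example that is not part of PromptGuard's documentation or CLI: it parses the Differences block and flags any level field that moves to a less restrictive value, and lists every other changed field for manual review. It assumes the real output matches the layout of the sample shown and that the levels rank strict > moderate > permissive; `parse_diff` and `needs_security_review` are hypothetical names.

```python
import re

# Assumed ordering, most to least restrictive (the page lists
# the values without ranking them).
RANK = {"strict": 2, "moderate": 1, "permissive": 0}

# Constructed sample in the layout of the diff output shown above.
SAMPLE = '''Comparing policy.yaml against live config...

Differences:

  prompt_injection.level:
    - "strict"
    + "moderate"
  toxicity.threshold:
    - 0.7
    + 0.8
'''

def parse_diff(text):
    """Return {field: (live_value, file_value)} from diff output."""
    changes, field = {}, None
    for line in text.splitlines():
        head = re.fullmatch(r"\s+([\w.]+):", line)
        side = re.fullmatch(r"\s+([-+])\s+(.*)", line)
        if head:
            field = head.group(1)
            changes[field] = [None, None]
        elif side and field:
            idx = 1 if side.group(1) == "+" else 0
            changes[field][idx] = side.group(2).strip('"')
    return {k: tuple(v) for k, v in changes.items()}

def needs_security_review(changes):
    """Fields where a level drops in rank, plus any non-level change."""
    flagged = []
    for field, (old, new) in sorted(changes.items()):
        if field.endswith(".level"):
            if RANK.get(new, -1) < RANK.get(old, -1):
                flagged.append((field, "relaxed"))
        else:
            # Direction of thresholds and modes is not defined on the page.
            flagged.append((field, "changed"))
    return flagged

if __name__ == "__main__":
    for field, why in needs_security_review(parse_diff(SAMPLE)):
        print(f"{field}: {why}")
```

A level that is removed or set to an unrecognised value is treated as relaxed, so the gate fails closed.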

Apply Changes

Apply a YAML policy file to update the live config:
# Preview first
promptguard policy apply policy.yaml --project-id proj_abc123 --dry-run

# Apply for real
promptguard policy apply policy.yaml --project-id proj_abc123

Validation

The CLI validates your YAML before applying:
  • Level fields must be strict, moderate, or permissive
  • PII mode must be redact, mask, or block
  • Toxicity threshold must be a number between 0.0 and 1.0
  • YAML syntax is validated before any API calls
Invalid policies are rejected with clear error messages:
Policy validation failed:
  guardrails.prompt_injection.level: Must be one of {"strict", "moderate", "permissive"}
  guardrails.toxicity.threshold: Must be a number between 0.0 and 1.0

Workflow

Development Workflow

# 1. Export current config as baseline
promptguard policy export --project-id proj_abc > policy.yaml

# 2. Edit policy.yaml in your editor

# 3. Review changes
promptguard policy diff policy.yaml --project-id proj_abc

# 4. Commit to git
git add policy.yaml
git commit -m "Tighten injection detection to strict"

# 5. Apply in CI/CD or manually
promptguard policy apply policy.yaml --project-id proj_abc

CI/CD Integration

Apply policies automatically on merge:
# .github/workflows/policy.yml
name: Apply Security Policy
on:
  push:
    branches: [main]
    paths: ['policy.yaml']

jobs:
  apply:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
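      - name: Install CLI
        # The installer script is downloaded and executed without verification
        # in a job that also holds PROMPTGUARD_API_KEY.
        run: curl -fsSL https://get.promptguard.co/cli | bash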
      - name: Apply policy
        run: promptguard policy apply policy.yaml --project-id ${{ secrets.PROJECT_ID }}
        env:
          PROMPTGUARD_API_KEY: ${{ secrets.PROMPTGUARD_API_KEY }}

Best Practices

  1. Version everything: Keep policy.yaml in git alongside your application code
  2. Code review policies: Require PR approval for policy changes
  3. Diff before apply: Always run policy diff before policy apply
  4. Use dry-run in CI: Validate policies in CI before merging
  5. Environment-specific configs: Maintain separate policy files for staging and production
