update docs to reflect that CVEs can now be a condition of SSC policies (#2205)

khorne3 · web-flow · commit ab4a71271c85 · 2025-06-24T10:29:30.000-05:00
* add CVE as a Supply Chain policy condition

* edit text

* update description
diff --git a/docs/semgrep-supply-chain/policies.md b/docs/semgrep-supply-chain/policies.md
@@ -86,6 +86,7 @@ The following table lists available conditions and their values:
 | Upgrade availability         | <ul> <li>Upgrade available</li> <li>Upgrade unavailable</li> </ul>       |
 | [Transitivity](/semgrep-supply-chain/glossary#transitivity)  | <ul><li>Direct</li> <li>Transitive</li></ul> |
 | [EPSS probability](/semgrep-supply-chain/glossary#epss-probability)  | <ul> <li>High</li><li>Medium</li><li>Low</li><li>None</li> </ul>   |
+| [CVE](https://www.cve.org/) | Manually provide a CVE ID, formatted as `CVE-YYYY-NNNN+` or choose from a list of values. The values listed are generated from findings identified by Semgrep Supply Chain.  |
 
 ## Other operations
 
