A method utilizes a policy engine for supply chain security analysis. The method includes processing programming code, written in an imperative programming language, using a fact collector to instantiate a programming object representing a set of facts of a build system that includes an artifact. The method further includes processing the programming object using a mapper to expose the set of facts as a fact database. The method further includes evaluating a policy, written in a declarative programming language, and the fact database using a policy engine to construct a result corresponding to the artifact of the build system. The method further includes presenting the result with a supply chain security analysis of the artifact.