# validate policy

Use the `endorctl validate policy` command to validate a Rego policy, optionally against the data of a specified project.
## Usage

To verify that a Rego policy is correctly formatted:

- First, select a Rego policy. Let's take the example policy below, which searches for dependencies with an Endor Labs overall score of less than 7. Save it as `test_policy.rego`.
  ```rego
  package example

  # Flag every package version whose Endor Labs scorecard overall score is below 7.
  match_package_version[result] {
      some i, j
      # Select the scorecard metric that is attached to a PackageVersion ...
      data.resources.Metric[i].meta.name == "package_version_scorecard"
      data.resources.Metric[i].meta.parent_kind == "PackageVersion"
      # ... and join it to the package version it belongs to via parent_uuid.
      data.resources.Metric[i].meta.parent_uuid == data.resources.PackageVersion[j].uuid
      score := data.resources.Metric[i].spec.metric_values["scorecard"].score_card.overall_score
      score < 7
      result := {
          "Endor": {
              "PackageVersion": data.resources.Metric[i].meta.parent_uuid,
          },
          "Score": sprintf("%v", [score]),
      }
  }
  ```
- Next, validate that the policy is correctly formatted:

  ```shell
  endorctl validate policy --policy test_policy.rego
  ```

To validate the policy against real project data, pass the query for the rule and the project UUID:

```shell
endorctl validate policy --policy test_policy.rego --query "data.example.match_package_version" --uuid $PROJECT_UUID
```
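As an added example (not from the Endor Labs documentation), the same policy rewritten so that the score threshold is read from the JSON file passed with `--input` instead of being hard-coded; the `min_score` key, the `threshold.json` file and its `{"min_score": 5}` content are constructed assumptions, not a documented input schema.

```rego
package example

# Assumed input file (constructed, not a documented schema), saved as threshold.json:
#   {"min_score": 5}
#
# Format check only:
#   endorctl validate policy --policy test_policy.rego
# Evaluate against project data, supplying the threshold through --input:
#   endorctl validate policy --policy test_policy.rego --input threshold.json \
#     --query "data.example.match_package_version" --uuid $PROJECT_UUID

# Fall back to 7 when no --input file is supplied, so the rule still evaluates.
default min_score = 7

min_score = input.min_score

match_package_version[result] {
    some i, j
    metric := data.resources.Metric[i]
    metric.meta.name == "package_version_scorecard"
    metric.meta.parent_kind == "PackageVersion"
    # Join the metric to the PackageVersion it describes via parent_uuid.
    pv := data.resources.PackageVersion[j]
    metric.meta.parent_uuid == pv.uuid
    score := metric.spec.metric_values["scorecard"].score_card.overall_score
    score < min_score
    result := {
        "Endor": {"PackageVersion": pv.uuid},
        "Score": sprintf("%v", [score]),
        "Threshold": sprintf("%v", [min_score]),
    }
}
```

Running the format check without `--input` exercises the default, so a policy that only works when an input file is present is caught before it is evaluated against project data.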
## Options

The `endorctl validate policy` command uses the following flags and environment variables:

| Flag | Environment Variable | Description |
|---|---|---|
| `--input` | `ENDOR_VALIDATE_POLICY_INPUT_FILE_PATH` | Path to a JSON file containing the input parameter values, if applicable. |
| `--output-type` | `ENDOR_VALIDATE_POLICY_SUMMARY_OUTPUT_TYPE` | Set the output format (`json`, `yaml`, or `table`); default `table`. |
| `--policy` | `ENDOR_VALIDATE_POLICY_FILE_PATH` | Path to a text (plain Rego rule), JSON (one Policy), or YAML (one or more Policies or PolicyTemplates) file containing the policy or policies to be validated. |
| `--pr-baseline` | `ENDOR_VALIDATE_POLICY_PR_BASELINE` | Name of the baseline version to load data from. |
| `--pr-uuid` | `ENDOR_VALIDATE_POLICY_PR_UUID` | PR scan to load data from. |
| `--query` | `ENDOR_VALIDATE_POLICY_QUERY_STATEMENTS` | Query statement for this policy (e.g. `data.packagename.allow`); only needed for plain-text Rego rules. |
| `--resource-kinds` | `ENDOR_VALIDATE_POLICY_RESOURCE_KINDS` | Resource kinds required by this policy (e.g. `PackageVersion,Metric`); only needed for plain-text Rego rules. |
| `--uuid` | `ENDOR_VALIDATE_POLICY_PROJECT_UUID` | UUID of the project to load data from. |