validate policy

Use this command to validate a rego policy

Use the command endorctl validate policy to validate a rego policy against data for a specified project.


To verify that a rego policy is correctly formatted:

  1. First, select a rego policy. Lets take the example policy below that searches for dependencies with an Endor Labs overall score of less than 7. You can save this as test_policy.rego.
package example

match_package_version[result] {
  some i, j
  data.resources.Metric[i] == "package_version_scorecard"
  data.resources.Metric[i].meta.parent_kind == "PackageVersion"
  data.resources.Metric[i].meta.parent_uuid == data.resources.PackageVersion[_].uuid
  score := data.resources.Metric[i].spec.metric_values["scorecard"].score_card.overall_score
  score < 7

  result = {
    "Endor": {
      "PackageVersion": data.resources.Metric[i].meta.parent_uuid,
    "Score": sprintf("%v", [score])
  1. Next validate that the policy is correctly formatted.
endorctl validate policy --policy test_policy.rego

To validate the policy against real data:

endorctl validate policy --policy test_policy.rego --query "data.example.match_package_version" --uuid $PROJECT_UUID


The endorctl validate policy command uses the following flags and environment variables:

Flag Environment Variable Description
input ENDOR_VALIDATE_POLICY_INPUT_FILE_PATH Path to a json file containing the input parameter values, if applicable.
output-type ENDOR_VALIDATE_POLICY_SUMMARY_OUTPUT_TYPE Set output format (json, yaml, or table) (default table).
policy ENDOR_VALIDATE_POLICY_FILE_PATH Path to a text (plain Rego rule), json (one Policy), or yaml (one or more Policies or PolicyTemplates) file containing the policy(ies) to be validated.
pr-baseline ENDOR_VALIDATE_POLICY_PR_BASELINE Name of baseline version to load data from.
pr-uuid ENDOR_VALIDATE_POLICY_PR_UUID PR scan to load data from.
query ENDOR_VALIDATE_POLICY_QUERY_STATEMENTS Query statement for this policy (e.g. data.packagename.allow) - Only needed for plain text Rego rules.
resource-kinds ENDOR_VALIDATE_POLICY_RESOURCE_KINDS Resource kinds required by this policy (e.g. PackageVersion,Metric) - Only needed for plain text Rego rules.
uuid ENDOR_VALIDATE_POLICY_PROJECT_UUID UUID of project to load data from.