validate policy

Use this command to validate a Rego policy.

Use the command endorctl validate policy to check that a Rego policy is well formed and, optionally, to evaluate it against the data of a specified project.

Usage

To verify that a Rego policy is correctly formatted:

  1. First, select a Rego policy. Let's take the example policy below, which searches for dependencies with an Endor Labs overall score of less than 7. You can save this as test_policy.rego.

     package example

     # Emit one result per package version whose scorecard overall score is below 7.
     match_package_version[result] {
       some i
       # Select scorecard metrics that are attached to a PackageVersion resource ...
       data.resources.Metric[i].meta.name == "package_version_scorecard"
       data.resources.Metric[i].meta.parent_kind == "PackageVersion"
       # ... and whose parent is one of the package versions loaded for this project.
       data.resources.Metric[i].meta.parent_uuid == data.resources.PackageVersion[_].uuid
       score := data.resources.Metric[i].spec.metric_values["scorecard"].score_card.overall_score
       score < 7

       # The finding: the affected package version and its score rendered as text.
       result = {
         "Endor": {
           "PackageVersion": data.resources.Metric[i].meta.parent_uuid,
         },
         "Score": sprintf("%v", [score])
       }
     }

  2. Next, validate that the policy is correctly formatted:

     endorctl validate policy --policy test_policy.rego

To validate the policy against real data, pass the query statement for the rule and the UUID of the project whose resources should be loaded (here $PROJECT_UUID holds that UUID):

endorctl validate policy --policy test_policy.rego --query "data.example.match_package_version" --uuid $PROJECT_UUID
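
To see what data shape the rule joins over and what the query returns, here is an added Python model of the test_policy.rego rule evaluated over constructed sample resources; it is not endorctl or OPA output, and the record layout is assumed from the fields the Rego rule dereferences.

```python
# Added example: a local Python model of the test_policy.rego rule above.
# It is not endorctl or OPA; the resource shape below is assumed from the
# fields the Rego rule dereferences and the sample records are constructed.

THRESHOLD = 7  # the rule's "score < 7" condition

# Constructed stand-in for data.resources, limited to the kinds the rule needs.
SAMPLE_RESOURCES = {
    "PackageVersion": [{"uuid": "pv-1"}, {"uuid": "pv-2"}],
    "Metric": [
        {"meta": {"name": "package_version_scorecard",
                  "parent_kind": "PackageVersion", "parent_uuid": "pv-1"},
         "spec": {"metric_values": {"scorecard": {"score_card": {"overall_score": 4.2}}}}},
        {"meta": {"name": "package_version_scorecard",
                  "parent_kind": "PackageVersion", "parent_uuid": "pv-2"},
         "spec": {"metric_values": {"scorecard": {"score_card": {"overall_score": 8.5}}}}},
        # Scorecard whose parent is not among the loaded PackageVersions: the join fails.
        {"meta": {"name": "package_version_scorecard",
                  "parent_kind": "PackageVersion", "parent_uuid": "pv-missing"},
         "spec": {"metric_values": {"scorecard": {"score_card": {"overall_score": 1.0}}}}},
        # A different metric name is ignored even though its score is low.
        {"meta": {"name": "other_metric",
                  "parent_kind": "PackageVersion", "parent_uuid": "pv-2"},
         "spec": {"metric_values": {"scorecard": {"score_card": {"overall_score": 2.0}}}}},
    ],
}

def match_package_version(resources, threshold=THRESHOLD):
    """Mirror the Rego partial-set rule: one result per scorecard Metric that
    joins to a loaded PackageVersion by uuid and scores below the threshold."""
    known_pv = {pv["uuid"] for pv in resources.get("PackageVersion", [])}
    results = []
    for metric in resources.get("Metric", []):
        meta = metric["meta"]
        if meta.get("name") != "package_version_scorecard":
            continue
        if meta.get("parent_kind") != "PackageVersion":
            continue
        if meta.get("parent_uuid") not in known_pv:  # the PackageVersion[_].uuid join
            continue
        try:
            score = metric["spec"]["metric_values"]["scorecard"]["score_card"]["overall_score"]
        except KeyError:
            continue  # Rego would fail to bind `score` here and skip the metric
        if score < threshold:
            # Same shape as the Rego `result` object; sprintf("%v") renders the number as text.
            results.append({"Endor": {"PackageVersion": meta["parent_uuid"]},
                            "Score": f"{score:g}"})
    return results
```

Comparing this output with the findings endorctl reports for the same project is a quick way to confirm that the query and resource kinds are wired correctly before relying on the policy.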

Options

The endorctl validate policy command uses the following flags and environment variables:

| Flag | Environment variable | Description |
| --- | --- | --- |
| --input | ENDOR_VALIDATE_POLICY_INPUT_FILE_PATH | Path to a JSON file containing the input parameter values, if applicable. |
| --output-type | ENDOR_VALIDATE_POLICY_SUMMARY_OUTPUT_TYPE | Set the output format (json, yaml, or table); the default is table. |
| --policy | ENDOR_VALIDATE_POLICY_FILE_PATH | Path to a text (plain Rego rule), JSON (one Policy), or YAML (one or more Policies or PolicyTemplates) file containing the policy or policies to be validated. |
| --pr-baseline | ENDOR_VALIDATE_POLICY_PR_BASELINE | Name of the baseline version to load data from. |
| --pr-uuid | ENDOR_VALIDATE_POLICY_PR_UUID | UUID of the PR scan to load data from. |
| --query | ENDOR_VALIDATE_POLICY_QUERY_STATEMENTS | Query statement for this policy (e.g. data.packagename.allow). Only needed for plain text Rego rules. |
| --resource-kinds | ENDOR_VALIDATE_POLICY_RESOURCE_KINDS | Resource kinds required by this policy (e.g. PackageVersion,Metric). Only needed for plain text Rego rules. |
| --uuid | ENDOR_VALIDATE_POLICY_PROJECT_UUID | UUID of the project to load data from. |