validate policy

Use this command to validate a rego policy

Use the command endorctl validate policy to validate a rego policy against data for a specified project.

Usage

To verify that a rego policy is correctly formatted:

  1. First, select a Rego policy. Let's take the example policy below, which searches for dependencies with an Endor Labs overall score of less than 7. You can save this as test_policy.rego.

    package example
    
    # Partial set rule: every matching dependency adds one result object to the set.
    match_package_version_score[result] {
      some i
      # Select scorecard metrics attached to a PackageVersion resource.
      data.resources.Metric[i].meta.name == "package_version_scorecard"
      data.resources.Metric[i].meta.parent_kind == "PackageVersion"
      # Only keep metrics whose parent is a package version in the loaded project data.
      data.resources.Metric[i].meta.parent_uuid == data.resources.PackageVersion[_].uuid
      score := data.resources.Metric[i].spec.metric_values.scorecard.score_card.overall_score
      score < 7
    
      result = {
        "Endor": {
          "PackageVersion": data.resources.Metric[i].meta.parent_uuid,
        },
        "Score": sprintf("%v", [score])
      }
    }
    
  2. Next, validate that the policy is correctly formatted. This step checks the Rego syntax only and loads no project data:

endorctl validate policy --policy test_policy.rego

To validate the policy against real data, name the rule to evaluate with --query and the project to load data from with --uuid:

endorctl validate policy --policy test_policy.rego --query "data.example.match_package_version_score" --uuid $PROJECT_UUID
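As an added example (not from the Endor Labs documentation), the same rule rewritten so the score threshold is read from the JSON file passed with --input rather than hardcoded. It assumes that file is exposed to the policy as Rego's `input` document and that it carries a `min_score` key; both the file name and the key are assumptions, and the rule falls back to 7 when no usable input is given.

```rego
# Constructed input file, saved as threshold.json and passed with --input:
#   {"min_score": 5}
#
# Check the format first, then evaluate against a project with the threshold:
#   endorctl validate policy --policy scored_policy.rego
#   endorctl validate policy --policy scored_policy.rego \
#     --input threshold.json \
#     --query "data.example.match_package_version_score" \
#     --uuid $PROJECT_UUID
package example

# Threshold used when no input file is given (or it has no numeric min_score),
# so the rule behaves like the hardcoded version above in that case.
default min_score = 7

# Assumption: the JSON file given with --input is exposed as Rego's `input`.
min_score = input.min_score {
  is_number(input.min_score)
}

match_package_version_score[result] {
  some i
  metric := data.resources.Metric[i]
  metric.meta.name == "package_version_scorecard"
  metric.meta.parent_kind == "PackageVersion"
  # Only report metrics whose parent is a package version in the loaded data.
  metric.meta.parent_uuid == data.resources.PackageVersion[_].uuid
  score := metric.spec.metric_values.scorecard.score_card.overall_score
  score < min_score

  result = {
    "Endor": {
      "PackageVersion": metric.meta.parent_uuid,
    },
    "Score": sprintf("%v", [score]),
    "Threshold": sprintf("%v", [min_score]),
  }
}
```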

Options

The endorctl validate policy command uses the following flags and environment variables:

--filter
    Environment variable: ENDOR_VALIDATE_POLICY_PROJECT_FILTER
    Filter for projects to load data from. For example: meta.tags contains 'sanity'.

--input
    Environment variable: ENDOR_VALIDATE_POLICY_INPUT_FILE_PATH
    Path to a JSON file containing the input parameter values, if applicable.

--output-type
    Environment variable: ENDOR_VALIDATE_POLICY_SUMMARY_OUTPUT_TYPE
    Set the output format (json, yaml, or table). Default: table.

--policy
    Environment variable: ENDOR_VALIDATE_POLICY_FILE_PATH
    Path to a text (plain Rego rule), JSON (one Policy), or YAML (one or more Policies or PolicyTemplates) file containing the policy or policies to be validated.

--pr-baseline
    Environment variable: ENDOR_VALIDATE_POLICY_PR_BASELINE
    Name of the baseline version to load data from.

--pr-uuid
    Environment variable: ENDOR_VALIDATE_POLICY_PR_UUID
    PR scan to load data from.

--query
    Environment variable: ENDOR_VALIDATE_POLICY_QUERY_STATEMENTS
    Query statement for this policy (for example, data.packagename.allow). Only needed for plain-text Rego rules.

--resource-kinds
    Environment variable: ENDOR_VALIDATE_POLICY_RESOURCE_KINDS
    Resource kinds required by this policy (for example, PackageVersion,Metric). Only needed for plain-text Rego rules.

--uuid
    Environment variable: ENDOR_VALIDATE_POLICY_PROJECT_UUID
    UUID of the project to load data from.