gtrivedi88 / ec-policies

Rego policies related to HACBS Enterprise Contract

Home Page: https://hacbs-contract.github.io/ec-policies/

ec-policies

Rego policies related to the HACBS Enterprise Contract.

Getting started for developers

Makefile

The Makefile contains a lot of useful scripts and commands. Run make by itself to see the help.

Dependencies

Three tools are required: conftest, opa, and gomplate.

You should be able to install them like this:

make install-tools

If that doesn't work, installing them manually and making sure they're available in your path should be fine.

An optional but useful tool for running tests while developing (with make live-test) is entr. You can install it with dnf:

sudo dnf install entr

And of course you need make if you don't have it already:

sudo dnf install make

Formatting

The rego files should be formatted using the standard format. To apply the standard format run this before committing:

make fmt

Building the docs

The documentation in docs/index.md is generated from docs.tmpl and from the annotations in the rego files themselves. Update the docs like this:

make build-docs

Running tests

From the top level directory you can run all tests and formatting checks, as well as check that the docs are up to date, like this:

make ci

You can run a single test like this:

opa test . -r <test_name_matcher>

The <test_name_matcher> is a regex, so you can use it to run more than one test.

See Makefile for other ways to run the tests.

Writing tests

Policies must have unit tests validating them. All test files must adhere to the naming convention:

file.rego
file_test.rego

Refer to the policy testing docs for more information.

The CI also enforces that there is 100% test coverage. If you're not at 100% you can use this to show what lines of code are not covered:

make coverage
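
The naming convention above can be checked mechanically before running make ci. The following is an added example, not part of this repository or its Makefile; the function names missing_rego_tests and check_rego_tests are hypothetical, and it assumes every non-test .rego file is expected to have its test file in the same directory.

```shell
#!/bin/sh
# Added example (not from the ec-policies repo): verify the
# file.rego / file_test.rego naming convention for a policy tree.

# Print every policy file that has no sibling <name>_test.rego.
# Usage: missing_rego_tests [DIR]   (DIR defaults to the current directory)
missing_rego_tests() {
    dir="${1:-.}"
    # Select policy files only: *.rego, excluding the test files themselves.
    find "$dir" -type f -name '*.rego' ! -name '*_test.rego' | sort |
    while IFS= read -r policy; do
        # foo.rego -> foo_test.rego, in the same directory.
        test_file="${policy%.rego}_test.rego"
        [ -f "$test_file" ] || printf '%s\n' "$policy"
    done
}

# Return non-zero and report on stderr if any policy lacks a test file,
# so the check can gate a commit hook or a CI step.
# Usage: check_rego_tests [DIR]
check_rego_tests() {
    missing=$(missing_rego_tests "${1:-.}")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/missing test file for: /' >&2
        return 1
    fi
    return 0
}

# Typical call from the top-level directory:
#   check_rego_tests . && make ci
```

This only confirms that a test file exists for each policy file; make coverage is still what shows whether the tests exercise every line.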

Running the policies against real data

Fetch an image attestation from a registry:

make fetch-att
more input/input.json # to look at it

or:

make fetch-att IMAGE=<some-image-with-an-attestation-ref>

Create a dummy policy config file:

make dummy-config
cat data/config.json # to look at it

Now run the policies against the attestation data:

make conftest-check

or:

make check # uses opa

Documentation

There is some documentation about the policy rules available here. Its source is docs/index.md in branch main. There is also an asciidoc version available at docs/index.adoc.
