chainloop-dev / chainloop

Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
https://docs.chainloop.dev
Apache License 2.0

CLI command to evaluate policies #1108

Open jiparis opened 1 month ago

jiparis commented 1 month ago

It would be useful to have something like `chainloop policy eval` that receives a material and a policy (file, URL) and returns a report with potential violations. It would be used in manual control gates.

migmartri commented 4 weeks ago

I'd love it if this command had a 'development mode' (flag) that allows us to see the input, data, linting errors, and evaluation output, similar to what the Rego playground does.

jiparis commented 3 weeks ago

> I'd love it if this command had a 'development mode' (flag) that allows us to see the input, data, linting errors, and evaluation output, similar to what the Rego playground does.

I think `opa eval` might be of help for this:

```console
> cat input.json
{"components": [{"name": "thename", "bom-ref": "theref", "licenses": []}]}

> opa eval -d cyclonedx-licenses.rego -i input.json 'data.cyclonedx_licenses.violations'
{
  "result": [
    {
      "expressions": [
        {
          "value": [
            "Missing licenses for thename (theref)"
          ],
          "text": "data.cyclonedx_licenses.violations",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ]
    }
  ]
}
```
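For reference, a policy that would produce the `opa eval` output above, written here as an added example and not Chainloop's own `cyclonedx-licenses.rego`: the package name `cyclonedx_licenses`, the `violations` rule, the message format and the input shape are taken from the comment, while the rule bodies, the handling of a missing `licenses` field and the `opa test` case are assumptions (it also assumes an OPA version that supports `import rego.v1`).

```rego
package cyclonedx_licenses

import rego.v1

# Constructed example policy (not Chainloop's own file): report every CycloneDX
# component whose `licenses` array is empty, using the message format seen in the
# opa eval output above.
violations contains msg if {
	some component in input.components
	count(component.licenses) == 0
	msg := sprintf("Missing licenses for %s (%s)", [component.name, component["bom-ref"]])
}

# Assumed extension of the same check: components that omit the `licenses` field
# entirely. The rule above would not fire for them because `component.licenses`
# is undefined, so an SBOM that drops the field would otherwise pass silently.
violations contains msg if {
	some component in input.components
	not component.licenses
	msg := sprintf("Missing licenses for %s (%s)", [component.name, component["bom-ref"]])
}

# Unit test for the policy, runnable with `opa test cyclonedx-licenses.rego`.
# It replays the input.json from the comment and expects the single violation
# that the opa eval run printed; a second component without the field is added
# to cover the missing-field case.
test_missing_licenses_reported if {
	violations == {
		"Missing licenses for thename (theref)",
		"Missing licenses for other (otherref)",
	} with input as {"components": [
		{"name": "thename", "bom-ref": "theref", "licenses": []},
		{"name": "other", "bom-ref": "otherref"},
	]}
}
```

Running `opa check cyclonedx-licenses.rego` before `opa eval` surfaces syntax and type errors, which covers the "linting errors" part of the development-mode request; `opa eval --explain full` shows the evaluation trace for the rest.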