open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

Pre-Deploy Policy Scanning #7134

Closed ronaldpetty closed 1 day ago

ronaldpetty commented 1 day ago

It would be helpful to have a scanner (security / performance?) of Rego policy prior to usage.

What is the underlying problem you're trying to solve?

We can scan images for issues, we can scan other imperative languages for (some) issues; it would be nice to have a similar feature.

Describe the ideal solution

Not a pro, so not sure on ideal.

Describe a "Good Enough" solution

Maybe a simple command line tool to start? And a library function (load, test, etc.).

anderseknert commented 1 day ago

Hi @ronaldpetty 👋

If you're looking for something to check that the syntax of a policy is correct, you can use the opa check command. When used with the --strict flag, a few additional checks (like unused vars) will be performed. Run opa check --help for more details.

But it sounds like you're asking for more fine-grained control. Would Regal be what you're looking for?
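As an added example (not from this thread or the OPA project), here is a small pre-deploy gate script built on the `opa check --strict` and `opa test` commands mentioned above. It assumes the `opa` binary is on PATH; the sample policy is constructed so that strict mode reports a finding (an assigned-but-unused variable) that a plain `opa check` accepts.

```shell
#!/bin/sh
# Added example: pre-deploy gate for Rego policies using the OPA CLI.
# Assumption: `opa` is installed and on PATH. Paths are arbitrary.

# Writes a constructed sample policy plus a unit test into $1.
# `unused` is assigned but never read: valid Rego, but flagged by --strict.
write_sample_policy() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/authz.rego" <<'EOF'
package authz

import rego.v1

default allow := false

allow if {
    unused := input.user
    input.role == "admin"
}
EOF
  cat > "$dir/authz_test.rego" <<'EOF'
package authz_test

import rego.v1

import data.authz

test_admin_allowed if {
    authz.allow with input as {"user": "alice", "role": "admin"}
}
EOF
}

# Returns 0 when every .rego file under $1 passes `opa check`.
# Pass a non-empty second argument to enable the extra strict-mode checks.
check_policies() {
  dir="$1"
  if [ -n "${2:-}" ]; then
    opa check --strict "$dir"
  else
    opa check "$dir"
  fi
}

# Gate: strict check first, then unit tests; stops at the first failure.
gate() {
  dir="$1"
  check_policies "$dir" strict || { echo "policy check failed" >&2; return 1; }
  opa test "$dir" || { echo "policy tests failed" >&2; return 2; }
  echo "policies in $dir are ready to deploy"
}
```

Running `gate` on the sample directory fails at the strict check; removing the `unused` line lets it proceed to `opa test`.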

ronaldpetty commented 1 day ago

@anderseknert thank you, that's a great start! I suppose I'm thinking more around security practices, but I only scanned the Regal docs (maybe something is in there). Either way, looks useful.

anderseknert commented 1 day ago

Could you provide some examples of what you mean when you say security practices?

One thing to keep in mind is that OPA is a general purpose policy engine that can be (and is!) used to help solve a wide range of problems ranging from app authorization, admission control, cloud infrastructure, business rules, or what have you. Needless to say, what constitutes secure practices will vary just as much depending on where OPA is used.

ronaldpetty commented 1 day ago

Good point. I have to think more. At this stage, I am envisioning it magically seeing some bad practices around security (even though I can't elaborate one now). I will do my homework! Thanks for the guidance.

anderseknert commented 1 day ago

Of course! Organizations that use OPA for some specific use case can leverage custom rules with Regal to enforce their requirements. And policy libraries tailored for some specific use case could do the same. Regal is still fairly new, but it's already quite capable.

I'll close this issue as there isn't anything directly actionable in OPA here, but that doesn't mean we need to stop talking :)