Closed ronaldpetty closed 1 day ago
Hi @ronaldpetty 👋
If you're looking for something to check that the syntax of a policy is correct, you can use the opa check command.
When used with the --strict flag, a few additional checks (like unused vars) will be performed.
Run opa check --help for more details.
But it sounds like you're asking for more fine-grained control. Would Regal be what you're looking for?
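To make the opa check --strict suggestion concrete, here is a constructed Rego policy (added here as an illustration, not code from the thread or from the OPA project) that contains two of the problems strict mode reports and a plain syntax check does not: an import that is never referenced, and a local variable that is assigned but never used. The package name, rule and input fields are all made up for the example. Save it as policy.rego and compare the output of opa check policy.rego with opa check --strict policy.rego.

```rego
package example.authz

import rego.v1

# Unused import: nothing below references data.roles.
# A plain "opa check" accepts this; "opa check --strict" reports it,
# so it does not silently drift out of sync with the policy.
import data.roles

default allow := false

# Allow unauthenticated reads of public paths.
allow if {
    input.method == "GET"
    startswith(input.path, "/public/")

    # Assigned but never used: strict mode flags this local variable.
    # A dangling assignment like this usually means a condition that was
    # intended (for example a check on the user) was never written.
    user := input.user
}

# Allow a user to read their own profile.
allow if {
    input.method == "GET"
    input.path == sprintf("/users/%s", [input.user])
}
```

Fixing the policy means either using the imported data and the assigned variable in a condition, or removing them; once both are gone, the strict check passes. Running the strict check in CI is the cheapest way to catch these before a policy is loaded.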
@anderseknert thank you, that's a great start! I suppose thinking more around security practices, but I only scanned Regal docs (maybe something is in there). Either way, looks useful.
Could you provide some examples of what you mean when you say security practices?
One thing to keep in mind is that OPA is a general purpose policy engine that can be (and is!) used to help solve a wide range of problems ranging from app authorization, admission control, cloud infrastructure, business rules, or what have you. Needless to say, what constitutes secure practices will vary just as much depending on where OPA is used.
Good point. I have to think more. At this stage, I am envisioning it magically seeing some bad practices around security (even though I can't elaborate one now). I will do my homework! Thanks for the guidance.
Of course! Organizations that use OPA for some specific use case can leverage custom rules with Regal to enforce their requirements. And policy libraries tailored for some specific use case could do the same. Regal is still fairly new, but it's already quite capable.
I'll close this issue as there isn't anything directly actionable in OPA here, but that doesn't mean we need to stop talking :)
It would be helpful to have a scanner (security / performance?) of Rego policy prior to usage.
What is the underlying problem you're trying to solve?
We can scan images for issues, we can scan other imperative languages for (some) issues; be nice to have similar feature.
Describe the ideal solution
Not a pro, so not sure on ideal.
Describe a "Good Enough" solution
Maybe a simple command-line tool to start? And a library function (load, test, etc.).