feat(docs): update rego implementation in docs (chainloop-dev#1424)

Signed-off-by: Jose I. Paris <[email protected]>
jiparis · Oct 21, 2024 · c0e26fc · c0e26fc
1 parent 3df6c5c
commit c0e26fc
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 14 deletions.
diff --git a/docs/docs/guides/rego-policies/rego-policies.mdx b/docs/docs/guides/rego-policies/rego-policies.mdx
@@ -89,4 +89,16 @@ policies:
   materials:
     - ref: file://cyclonedx-version.yaml
 ```
-Check our [policies reference](/reference/policies) for more information on how to attach policies to contracts.
+Check our [policies reference](/reference/policies) for more information on how to attach policies to contracts.
+
+## Policy engine constraints (Rego)
+To ensure the policy engine work as pure and as fast as possible, we have deactivated some of the OPA built-in functions. The following functions are not allowed in the policy scripts:
+- `opa.runtime`
+- `rego.parse_module`
+- `trace`
+
+Also `http.send` has been isolated so only requests to the following domains are allowed:
+- `chainloop.dev`
+- `cisa.gov`
+
+This prevents unexpected behavior and potential remote exploits, particularly since these policies are evaluated client-side.
diff --git a/docs/docs/reference/policies.mdx b/docs/docs/reference/policies.mdx
@@ -145,6 +145,11 @@ spec:
 
     import rego.v1
 
+    result := {
+      "skipped": false,
+      "violations": violations,
+    }
+
     default threshold := 5
     threshold := to_number(input.args.threshold) # (1)
 
@@ -179,17 +184,5 @@ For example
       - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/main/docs/examples/policies/sbom/cyclonedx-banned-licenses.yaml@sha256:5b40425cb7bcba16ac47e3d8a8d3af7288afeeb632096994e741decedd5d38b3
   ```
 
-## How to write a Chainloop policy
+## How to write a Chainloop policy in Rego
 Check [this how-to](/guides/rego-policies) to know how you can write Chainloop policies in [Rego language](https://www.openpolicyagent.org/docs/latest/policy-language/#learning-rego).
-
-## Policy engine constraints (Rego)
-To ensure the policy engine work as pure and as fast as possible, we have deactivated some of the OPA built-in functions. The following functions are not allowed in the policy scripts:
-- `opa.runtime`
-- `rego.parse_module`
-- `trace`
-
-Also `http.send` has been isolated so only requests to the following domains are allowed:
-- `chainloop.dev`
-- `cisa.gov`
-
-This prevents unexpected behavior and potential remote exploits, particularly since these policies are evaluated client-side.
diff --git a/docs/examples/policies/sbom/cyclonedx-licenses.yaml b/docs/examples/policies/sbom/cyclonedx-licenses.yaml
@@ -12,6 +12,29 @@ spec:
       package main
   
       import rego.v1
+
+      # Global result object
+      result := {
+        "skipped": skipped,
+        "violations": violations,
+        "skip_reason": skip_reason,
+      }
+
+      default skip_reason := ""
+
+      skip_reason := m if {
+        not valid_input
+        m := "the file content is not recognized"
+      }
+
+      default skipped := true
+
+      skipped := false if valid_input
+
+      valid_input if {
+        # expect at least 1 component in the SBOM
+        count(input.components) > 0
+      }
 
       violations contains msg if {
         count(without_license) > 0