From c0e26fc4ae03142362ddbfec3e7dafb70ce60ba7 Mon Sep 17 00:00:00 2001
From: "Jose I. Paris"
Date: Mon, 21 Oct 2024 18:41:26 +0200
Subject: [PATCH] feat(docs): update rego implementation in docs (#1424)

Signed-off-by: Jose I. Paris
---
 .../guides/rego-policies/rego-policies.mdx | 14 ++++++++++-
 docs/docs/reference/policies.mdx | 19 +++++----------
 .../policies/sbom/cyclonedx-licenses.yaml | 23 +++++++++++++++++++
 3 files changed, 42 insertions(+), 14 deletions(-)

diff --git a/docs/docs/guides/rego-policies/rego-policies.mdx b/docs/docs/guides/rego-policies/rego-policies.mdx
index f54134d41..648599c07 100644
--- a/docs/docs/guides/rego-policies/rego-policies.mdx
+++ b/docs/docs/guides/rego-policies/rego-policies.mdx
@@ -89,4 +89,16 @@ policies:
 materials:
 - ref: file://cyclonedx-version.yaml
 ```
-Check our [policies reference](/reference/policies) for more information on how to attach policies to contracts.
\ No newline at end of file
+Check our [policies reference](/reference/policies) for more information on how to attach policies to contracts.
+
+## Policy engine constraints (Rego)
+To ensure the policy engine work as pure and as fast as possible, we have deactivated some of the OPA built-in functions. The following functions are not allowed in the policy scripts:
+- `opa.runtime`
+- `rego.parse_module`
+- `trace`
+
+Also `http.send` has been isolated so only requests to the following domains are allowed:
+- `chainloop.dev`
+- `cisa.gov`
+
+This prevents unexpected behavior and potential remote exploits, particularly since these policies are evaluated client-side.
\ No newline at end of file
diff --git a/docs/docs/reference/policies.mdx b/docs/docs/reference/policies.mdx
index a535a636c..ab216a41c 100644
--- a/docs/docs/reference/policies.mdx
+++ b/docs/docs/reference/policies.mdx
@@ -145,6 +145,11 @@ spec:
 import rego.v1
+ result := {
+ "skipped": false,
+ "violations": violations,
+ }
+
 default threshold := 5
 threshold := to_number(input.args.threshold) # (1)
@@ -179,17 +184,5 @@ For example
 - ref: https://raw.githubusercontent.com/chainloop-dev/chainloop/main/docs/examples/policies/sbom/cyclonedx-banned-licenses.yaml@sha256:5b40425cb7bcba16ac47e3d8a8d3af7288afeeb632096994e741decedd5d38b3
 ```
 
-## How to write a Chainloop policy
+## How to write a Chainloop policy in Rego
 Check [this how-to](/guides/rego-policies) to know how you can write Chainloop policies in [Rego language](https://www.openpolicyagent.org/docs/latest/policy-language/#learning-rego).
-
-## Policy engine constraints (Rego)
-To ensure the policy engine work as pure and as fast as possible, we have deactivated some of the OPA built-in functions. The following functions are not allowed in the policy scripts:
-- `opa.runtime`
-- `rego.parse_module`
-- `trace`
-
-Also `http.send` has been isolated so only requests to the following domains are allowed:
-- `chainloop.dev`
-- `cisa.gov`
-
-This prevents unexpected behavior and potential remote exploits, particularly since these policies are evaluated client-side.
\ No newline at end of file
diff --git a/docs/examples/policies/sbom/cyclonedx-licenses.yaml b/docs/examples/policies/sbom/cyclonedx-licenses.yaml
index 868bf74c3..cce5efb23 100644
--- a/docs/examples/policies/sbom/cyclonedx-licenses.yaml
+++ b/docs/examples/policies/sbom/cyclonedx-licenses.yaml
@@ -12,6 +12,29 @@ spec:
 package main
 import rego.v1
 
+
+ # Global result object
+ result := {
+ "skipped": skipped,
+ "violations": violations,
+ "skip_reason": skip_reason,
+ }
+
+ default skip_reason := ""
+
+ skip_reason := m if {
+ not valid_input
+ m := "the file content is not recognized"
+ }
+
+ default skipped := true
+
+ skipped := false if valid_input
+
+ valid_input if {
+ # expect at least 1 component in the SBOM
+ count(input.components) > 0
+ }
 
 violations contains msg if {
 count(without_license) > 0
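Review bot: `valid_input` in the cyclonedx-licenses.yaml hunk conflates format recognition with emptiness: a well-formed CycloneDX document whose `components` array is empty is reported as skipped with the reason "the file content is not recognized", which is misleading, and because a skipped policy yields no violations this is the fail-open path of the license check. A recognition check should look at the document itself, e.g. `valid_input if { input.bomFormat == "CycloneDX"; is_array(input.components) }`, after which the comment `# expect at least 1 component in the SBOM` no longer describes the rule and should be dropped or reworded. If an SBOM with no components is also meant to be skipped, give it its own rule and reason (for example, a constructed message such as "the SBOM contains no components") so the two situations stay distinguishable in `result.skip_reason` for whoever reviews the output. The `violations` rule that starts on the last hunk lines continues outside the hunk.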