Centralized OPA policy workflow for Conftest-based Compliance-as-Code evaluations.
This is a central repository housing a snapshot of Rally Health's Rego policies for its Compliance-as-Code program.
View this project at it's GitHub Page. The policy documentation is available here.
Rally enforces these policies through a homegrown GitHub App running on AWS ECS to evaluate every commit in the organization. The GitHub App is an internal wrapper around Conftest, primarily handling reporting the violation results back to developer workflows in GitHub pull requests and to a central dashboard in Datadog. Violations are reported as non-blocking status checks. Results are added to developer PRs within 4-10 seconds. This repository only houses the policies used in this process and demonstrates a CI/CD approach to creating and managing Rego policies.
Policy messages in each Rego file use markdown syntax as Rally publishes policy messages to pull request status checks.
(Note the details in that image, such as the policy ID and message, may not line up with the policies currently in this repo.)
Policy documentation can be found here.
Follow Conftest's instructions for sharing policies.
You can pull policies directly from this repo:
# Git SSH syntax
conftest pull git::git@github.com:rallyhealth/conftest-policy-packs.git//policies
# Git HTTPS syntax
conftest pull git::https://github.com/rallyhealth/conftest-policy-packs.git//policies
See conftest pull --help for more instructions on customizing the download, if needed.
These policies will soon be available on CNCF Artifact Hub.
These policies are provided for general consumption.
Policy contents are written to be general purpose and org-specific values are relegated to the data/ directory for import via conftest --data.
You should pull the policies with conftest pull and specify your own data files as appropriate for your organization.
Explanations for each value are provided in the YAML files under data/.
Rally currently handles exceptions in its homegrown GitHub App code wrapping Conftest. Violations produced by Conftest are filtered out from a JSON mapping of approved exceptions to repos. Exceptions are supported at a per-file level.
See here for more information.
Please follow the contribution instructions.
Generally:
- Fork the repository
- Create your feature branch
- Commit your changes following semantic commit syntax
- Push to the branch
- Open a pull request
Follow the requisite section in the contribution instructions.
make testconftest parse <file>- Use
trace()in the policy - Run conftest with
--trace - Recommended, pipe the output to grep (
| grep Note) to only view thetrace()output
Also use the OPA playground to troubleshoot Rego code.
make docsRally's compliance-as-code program has seen early success internally thanks to the following individuals who contributed to the effort:
- Ari Kalfus
- Mia Kralowetz
- Nicholas Hung
- Karl Nilsen
- Benjamin Mangold