EmbarkStudios / opa-policies

Contains OPA Policies for Dockerfiles, Kubernetes YAMLs, Terraform, etc.

📜 OPA Policies

The Open Policy Agent (OPA, pronounced "oh-pa") is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that lets you specify policy as code, and simple APIs to offload policy decision-making from your software. You can use OPA to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more.

The policies are written in a language called Rego. You can find examples of policies for different technologies here.

Structure

Each type has its own folder (and Rego package, which conftest treats as the namespace) inside policy/. If you want to add a new type, use policy/docker as a reference.

How to use it

conftest is a utility to help you write tests against structured configuration data. For instance, you could write tests for your Kubernetes configurations, Tekton pipeline definitions, Terraform code, Serverless configs or any other structured data.

You can find information on how to install conftest here.

Writing tests

We can unit-test our policies. You can find more information on how to write tests here and see the tests for our Dockerfile policies.

You can run the tests by executing conftest verify from the repository root (conftest loads policies and their tests from policy/ by default).

Excluding policies

You can find more information on how to exempt policies (conftest calls these exceptions) here. You can also find more information in the README under each type in this repository.
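The following is an added example, not one of the repository's own policy files, that ties the three points above together in a single file for the docker namespace: rules written in the same style the repository describes, an exception rule that exempts one of them, and test_ rules that conftest verify runs. It assumes the input shape conftest's Dockerfile parser produces (an array of instructions, each with a lower-cased Cmd and a Value array of strings); confirm that for your conftest version with conftest parse Dockerfile before relying on it. The rule suffixes (warn_latest_tag, deny_user_root, deny_add_instruction, deny_sudo, deny_curl_bash) are this example's own names, and the suffix is what an exception rule refers to.

```rego
# policy/docker/example.rego (added example; assumes conftest's Dockerfile
# parser shape: input = array of {"Cmd": lower-cased name, "Value": [strings]};
# verify with `conftest parse Dockerfile`)
package docker

import rego.v1

# WARN: a floating tag (or none) makes builds non-reproducible.
warn_latest_tag contains msg if {
	some inst in input
	inst.Cmd == "from"
	image := inst.Value[0]
	image != "scratch"
	not contains(image, "@sha256:") # digest-pinned references are fine
	floating_tag(image)
	msg := sprintf("Do not use latest tag with image: %v", [inst.Value])
}

# `[registry[:port]/]name[:tag]` floats when the tag is absent or "latest".
floating_tag(image) if {
	segs := split(image, "/")
	not contains(segs[count(segs) - 1], ":") # registry ports also use ':'
}

floating_tag(image) if endswith(lower(image), ":latest")

# FAIL: the image runs as root unless a later USER changes it.
deny_user_root contains msg if {
	some inst in input
	inst.Cmd == "user"
	parts := split(inst.Value[0], ":") # handles USER root:root
	lower(parts[0]) in {"root", "0"}
	msg := sprintf("Do not run as root: USER %s", [inst.Value[0]])
}

# FAIL: ADD fetches URLs and unpacks archives; COPY does only what it says.
deny_add_instruction contains msg if {
	some inst in input
	inst.Cmd == "add"
	msg := sprintf("Use COPY instead of ADD: %s", [concat(" ", inst.Value)])
}

# FAIL: sudo in a build means the stage already runs as root.
deny_sudo contains msg if {
	some inst in input
	inst.Cmd == "run"
	cmdline := concat(" ", inst.Value) # exec form arrives as several strings
	regex.match(`(^|[\s;&|])sudo\s`, cmdline)
	msg := sprintf("Avoid using 'sudo' command: %s", [cmdline])
}

# FAIL: piping a download straight into a shell executes unverified code.
deny_curl_bash contains msg if {
	some inst in input
	inst.Cmd == "run"
	cmdline := concat(" ", inst.Value)
	regex.match(`\b(curl|wget)\b[^|;&]*\|\s*(bash|zsh|dash|sh)\b`, cmdline)
	msg := sprintf("Avoid curl/wget bashing: %s", [cmdline])
}

# Exclusion: conftest skips deny_<suffix> when an exception rule in the same
# namespace returns that suffix. Tolerate ADD only when every source is a
# local archive, the one case where its auto-extraction is the point.
exception contains ["add_instruction"] if {
	adds := [a | some a in input; a.Cmd == "add"]
	count(adds) > 0
	every a in adds {
		regex.match(`\.(tar|tar\.gz|tgz)$`, a.Value[0])
		not regex.match(`^https?://`, a.Value[0]) # remote archives are not unpacked
	}
}

# Unit tests for `conftest verify`; inputs are constructed in the assumed shape.
instr(cmd, value) := {"Cmd": cmd, "Value": value}

test_floating_tags_warn_pinned_do_not if {
	doc := [instr("from", ["ubuntu:latest"]), instr("from", ["registry.example.com:5000/base"]),
		instr("from", ["golang:1.22", "AS", "build"]), instr("from", ["ubuntu@sha256:0123456789abcdef"])]
	count(warn_latest_tag) == 2 with input as doc
}

test_root_sudo_and_curl_bash_denied if {
	doc := [instr("user", ["root:root"]), instr("run", ["sudo apt-get update"]),
		instr("run", ["/bin/sh", "-c", "wget https://some-url.com | sh"]),
		instr("run", ["apt-get update && apt-get install -y htop"])]
	count(deny_user_root) == 1 with input as doc
	count(deny_sudo) == 1 with input as doc
	count(deny_curl_bash) == 1 with input as doc
}

test_only_local_archive_add_is_excepted if {
	local := [instr("add", ["vendor.tar.gz", "/opt/vendor/"])]
	remote := [instr("add", ["https://x.example/vendor.tgz", "/opt/"])]
	count(deny_add_instruction) == 1 with input as local # rule fires, conftest drops it
	count(exception) == 1 with input as local
	count(exception) == 0 with input as remote
}
```

With the file under policy/docker, conftest test Dockerfile --namespace docker evaluates the warn_ and deny_ rules (and applies the exception), while conftest verify runs only the test_ rules. The import rego.v1 line makes the file valid for both pre-1.0 OPA (0.59 and later) and OPA 1.0; on older conftest builds, rewrite the heads in the deny[msg] { ... } style used elsewhere in this repository. The rules match RUN lines with regular expressions on the flattened command string, so shell tricks (variables, eval, heredocs) can slip past them; treat them as a guard rail, not a proof.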

Example usage

Given the following Dockerfile:

FROM ubuntu:latest # will warn due to "latest"

WORKDIR /app

# will fail due to "root"
USER root

# will fail due to usage of ADD instead of COPY
ADD app /app

COPY README.md /app/README.md
RUN sudo apt-get update # will fail due to "sudo"

# will fail due to curl/wget bashing
RUN wget https://some-url.com | sh

RUN apt-get update && apt-get install -y htop

CMD ["/bin/bash", "/app/entrypoint.sh"]

Running conftest test ../Dockerfile --namespace docker (the path is relative to where you run it; from the repository root, which holds the policy/ directory conftest loads by default, it is conftest test Dockerfile --namespace docker) will produce output like the following; the exact set of findings depends on the rules currently in policy/docker:

WARN - Dockerfile - Do not use latest tag with image: ["ubuntu:latest"]
FAIL - Dockerfile - Avoid using 'sudo' command: sudo apt-get update
FAIL - Dockerfile - Use COPY instead of ADD: app /app
FAIL - Dockerfile - Use COPY instead of ADD: code /tmp/code
FAIL - Dockerfile - Avoid curl/wget bashing

Contributing

Contributor Covenant

We welcome community contributions to this project.

Please read our Contributor Guide for more information on how to get started.

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
