Conftest Policy Packs

Centralized OPA policy workflow for Conftest-based Compliance-as-Code evaluations.

This is a central repository housing a snapshot of Rally Health's Rego policies for its Compliance-as-Code program.

View this project at it's GitHub Page. The policy documentation is available here.

Rally enforces these policies through a homegrown GitHub App running on AWS ECS to evaluate every commit in the organization. The GitHub App is an internal wrapper around Conftest, primarily handling reporting the violation results back to developer workflows in GitHub pull requests and to a central dashboard in Datadog. Violations are reported as non-blocking status checks. Results are added to developer PRs within 4-10 seconds. This repository only houses the policies used in this process and demonstrates a CI/CD approach to creating and managing Rego policies.

Policy messages in each Rego file use markdown syntax as Rally publishes policy messages to pull request status checks.

(Note the details in that image, such as the policy ID and message, may not line up with the policies currently in this repo.)

• Usage
  • Downloading Policies
  • Policy Data
  • Policy Exceptions
• Contributing
  • Contributing A Policy
  • Quick Start
    • Run tests
    • Convert file into JSON for unit tests
    • Debug a policy
    • Generate documentation
• Original Contributors

Usage

Policy documentation can be found here.

Downloading Policies

Follow Conftest's instructions for sharing policies.

You can pull policies directly from this repo:

# Git SSH syntax
conftest pull git::git@github.com:rallyhealth/conftest-policy-packs.git//policies
# Git HTTPS syntax
conftest pull git::https://github.com/rallyhealth/conftest-policy-packs.git//policies

See conftest pull --help for more instructions on customizing the download, if needed.

These policies will soon be available on CNCF Artifact Hub.

Policy Data

These policies are provided for general consumption. Policy contents are written to be general purpose and org-specific values are relegated to the data/ directory for import via conftest --data. You should pull the policies with conftest pull and specify your own data files as appropriate for your organization. Explanations for each value are provided in the YAML files under data/.

Policy Exceptions

Rally currently handles exceptions in its homegrown GitHub App code wrapping Conftest. Violations produced by Conftest are filtered out from a JSON mapping of approved exceptions to repos. Exceptions are supported at a per-file level.

See here for more information.

Contributing

Please follow the contribution instructions.

Generally:

1. Fork the repository
2. Create your feature branch
3. Commit your changes following semantic commit syntax
4. Push to the branch
5. Open a pull request

Contributing A Policy

Follow the requisite section in the contribution instructions.

Quick Start

Run tests

make test

Convert file into JSON for unit tests

conftest parse <file>

Debug a policy

1. Use trace() in the policy
2. Run conftest with --trace
3. Recommended, pipe the output to grep (| grep Note) to only view the trace() output

Also use the OPA playground to troubleshoot Rego code.

Generate documentation

make docs

Original Contributors

Rally's compliance-as-code program has seen early success internally thanks to the following individuals who contributed to the effort:

• Ari Kalfus
• Mia Kralowetz
• Nicholas Hung
• Karl Nilsen
• Benjamin Mangold