Skip to main content

Creating a Policy

Policies are authored in a declarative language called Rego. You can get started quickly by using a template.

Templates

To list the available templates, use the policy templates list command:

policy templates list

Fetching templates .

  NAME             KIND    DESCRIPTION
  github           cicd    GitHub policy CI/CD template.
  gitlab           cicd    GitLab policy CI/CD template.
  policy-template  policy  Minimal policy template.

Applying a policy template

To create a new policy, use the policy templates apply command:

policy templates apply policy-template

Processing template 'policy-template' .

Generating files

The template 'policy-template' was created successfully.

This will generate a minimal "hello world" policy.

tree .
.
├── README.md
└── src
    └── policies
        └── hello-rego.rego

2 directories, 2 files

You can create a git repository for these files by using git init.

Adding a CI template

To add GitHub or GitLab CI to the repository, apply a CI template. Note that the defaults are supplied if you've already done a policy login to log in to a registry, and made it your default policy registry.

policy templates apply github

Processing template 'github' .

  #  SERVER
  1  ghcr.io

> Select server#: 1

> server (ghcr.io):

> user (ogazitt):

> secret name (TOKEN):

> org/repo: ogazitt/policy-template

Generating files .

The template 'github' was created successfully.

This command generates a GitHub workflow to build, tag, and push a policy image based on a new tag event that is pushed to GitHub.

tree .github
.github
├── config.yaml
└── workflows
    └── build-release-policy.yaml

1 directory, 2 files

The .github/config.yaml file contains the parameters to the workflow:

server: ghcr.io
username: ogazitt
repo: ogazitt/policy-template

The secret name that was provided (by default, TOKEN) refers to a GitHub secret that contains a key (e.g. a PAT with the correct scopes) to push the built, tagged image to the policy registry.

For example, for ghcr.io, the PAT needs to have the repo and write:packages scopes.

For the Aserto Policy Registry, this should be the API key that can be found in the Console under the Aserto Policy Registry connection.

Automated policy-as-code workflow

You now have a policy-as-code workflow - simply make changes in the policy, commit and tag a release, push the tags, and your policy image will be built, tagged, and pushed to the registry you configured.

Manual workflow

You can also use the policy CLI to manually build, tag and push the policy to a policy registry.