Policyer Action
Nir Adler
Posted on December 5, 2021
My Workflow
Policyer is an open source project (more like a vision) I created after inspired by policy engines that become very popular lately (OPA,Checkov)
Policyer going to focus on providing platform to run and create meaningful reports, data engagement and plugin system to let you provide any data, some time it can be k8s yaml and in other it can be user data.
Policyer Action
The policyer-action let you the option to run Policyer as part of your CI process, in my example I'm going to validate GitHub SDK calls.
Provider is like a plugin for policyer engine, it provide the data so the engine can run it against the checks (polciies)
Its important for me to emphasize that Policyer provide a platform, and eventually I will want to see marketplace full of custom providers.
The action can use any provider either local or published to NPM (support for private registries is on the way). In my example I created a simple provider to run GitHub SDK calls.
Example Check:
---
configuration:
provider: github-provider
type: rest
validEvents:
- pull_request
- push
domain: pulls
action: listRequestedReviewers
args:
owner: context.payload.pull_request.base.user.login
repo: context.payload.pull_request.base.repo.name
pull_number: context.payload.pull_request.number
checks:
- id: validate-reviewers
name: check if reviewers exists.
severity: High
steps:
- path: data.users
condition: includes
value: "nirtester"
utility: map
utilityProps:
- "login"
(just a reminder this is a policy example and the Github action will evaluate it and output as a report)
Check flow:
- first of all we setup the configuration section where we can provider meta data for the check, in this example I'm asking from the provider to do an SDK call:
SDK[pulls][listRequestedReviewers]({
owner: ...pull_request.base.user.login
repo: ...pull_request.base.repo.name
pull_number: ...pull_request.number
})
- next we going to dive in to the actual policy, in this policy we want to verify a certain user is a reviewer, so after the call im going to point to the "users" array, then use the condition includes ([...users].includes(value)), utilities function by default includes all Lodash functions, you can add custom utilities in the provider level. I'm going to use the map utility function to prepare an array of reviewers usernames.
- final step is the results:
____ _ _
| _ \ ___ | (_) ___ _ _ ___ _ __
| |_) / _ \| | |/ __| | | |/ _ \ '__|
| __/ (_) | | | (__| |_| | __/ |
|_| \___/|_|_|\___|\__, |\___|_|
|___/
Visit us at policyer.org
Event name: pull_request
Valid events: pull_request,push
┌────────────────────┬──────────┬──────────────────────────────┬──────────────┬─────────────────┬───────────┬──────────┐
│ (index) │ hasError │ check │ stepsResults │ inspectedValues │ status │ severity │
├────────────────────┼──────────┼──────────────────────────────┼──────────────┼─────────────────┼───────────┼──────────┤
│ validate-reviewers │ false │ 'check if reviewers exists.' │ [ true ] │ [ [Array] ] │ 'success' │ 'High' │
└────────────────────┴──────────┴──────────────────────────────┴──────────────┴─────────────────┴───────────┴──────────┘
Submission Category:
Wacky Wildcards
Action yaml
# Add github action file .github/workflows/policyer.yml
name: Policyer
on: [pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Policyer GitHub Action
uses: policyerorg/policyer-action@v0.0.3-alpha
with:
verbose: false
provider: policyer-github
internal: false
checks_path: ./checks
Additional Resources / Info
Visit Policyer for more information this is just the beginning
Packages used
- chalk
- figlet
- jmespath
- lodash
- moment
- yaml
- yargs
- @actions/core/github
Posted on December 5, 2021
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.