Rego Inline Policies
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This page presents the API specifications between inline policies scripted in Rego for jobs in workflows, and the Shisho Cloud.
API for jobs[].decide.rego
Inline policies set in jobs[].decide.rego perform the inspection and audit step of a workflow's "Data Acquisition → Inspection/Audit → Notification & Recording of Results" pipeline.
Package Name
There are no restrictions; any package name may be used, for example:
package arbitrary.name.could.be.specified
Inputs for Policy Execution
The inline policy specified in jobs[].decide.rego receives the following inputs.
input
The input variable carries the data returned by the GraphQL query specified in jobs[].decide.input.schema.
Suppose the GraphQL query is like this:
query {
github {
organizations {
login
requiresTwoFactorAuthentication
}
}
}
In this case, an object like the following is stored in the input variable accessible within the inline policy:
{
"github": {
"organizations": [
{
"login": "octcat",
"requiresTwoFactorAuthentication": true
},
{
"login": "your-org-name",
"requiresTwoFactorAuthentication": false
}
]
}
}
You can access the above object in the inline policy like this (the `[_]` index iterates over every element of the organizations array):
org := input.github.organizations[_]
data.shisho
The data.shisho variable contains the definitions in the official Shisho Cloud Rego library.
For example, to call the package_known_vulnerability function in the shisho.decision.dependency package, you can define your Rego policy like this:
import data.shisho
x := shisho.decision.dependency.package_known_vulnerability(...)
Expected Policy Outputs
decisions
Variable
Inline policies must store a list of Decision objects in the decisions variable. This is how the results of the policy's inspection/audit are conveyed to Shisho Cloud. The list should be defined even when nothing is found (an empty list), so that a clean run is reported as such.
The official Shisho Cloud Rego library provides functions whose description begins with "Emits a decision..."; these conveniently generate a decision of a specific kind.
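As an added example (not taken from the Shisho Cloud documentation or its Rego library), the following decide policy ties the pieces above together: it walks the organizations returned by the query shown earlier and builds the decisions list from every organization that does not enforce two-factor authentication. The decision_for helper and the field names of the object it returns are placeholders of my own; in a real policy you would call the matching "Emits a decision..." function from data.shisho, whose exact name and arguments are not given on this page.

```rego
package policy.github.org_two_factor

# Set of organization logins that do not enforce 2FA.
# `not` also succeeds when the field is absent from the query result, so a
# missing value is treated as non-compliant rather than silently passing.
orgs_without_2fa[login] {
    org := input.github.organizations[_]
    not org.requiresTwoFactorAuthentication
    login := org.login
}

# Placeholder (assumption): stands in for the library's "Emits a decision..."
# helper. The field names below are illustrative, not the official Decision schema.
decision_for(login) := {
    "kind": "github_org_two_factor_auth",
    "subject": sprintf("github.com/%s", [login]),
    "allowed": false,
}

# `decisions` must be a list. The comprehension yields [] when every
# organization is compliant, so the rule is always defined.
decisions := [decision_for(login) | orgs_without_2fa[login]]
```

Run against the sample input above, octcat (2FA enforced) is skipped and your-org-name produces one decision, so decisions is a one-element list; with every organization compliant it is the empty list rather than undefined.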
API for jobs[].notify.rego
Package Name
There are no restrictions; any package name may be used.
Inputs for Policy Execution
input.query
Stores the data returned by the GraphQL query described in jobs[].notify.input.schema.
input.organization_id
Stores the ID of the organization executing the workflow.
input.workflow_id
Stores the ID of the workflow.
input.job_id
Stores the ID of the job in which the inline policy is defined.
input.decisions
Stores the decisions generated by the decide block of the job in which the inline policy is defined.
input.running_state
Stores the running state of the job in which the inline policy is defined. The possible values of this variable are defined as constants under shisho.job.
input.exit_code
Stores the exit status of the job in which the inline policy is defined. The possible values of this variable are defined as constants under shisho.job.
data.shisho
The data.shisho variable contains the definitions in the official Shisho Cloud Rego library.
Expected Policy Outputs
notifications
Variable
Inline policies must store a list of Notification objects in the notifications variable. This is how the inline policy instructs Shisho Cloud to send notifications; an empty list means no notification is sent.
You can create a Notification object with the shisho.notification.new() function in the official Shisho Cloud Rego library.
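As an added example of the notify side (again not taken from the Shisho Cloud documentation or its Rego library), the policy below emits a single notification only when the decide block of the same job produced at least one decision, and folds the job metadata documented above into the message. The notification_for helper and the shape of the object it returns are placeholders of my own for shisho.notification.new(), whose argument list is not given on this page; the running_state and exit_code constants live under shisho.job and are therefore not compared against here.

```rego
package policy.github.org_two_factor_notify

# Message body built only from fields this page documents on `input`.
message := sprintf(
    "[org %s] workflow %s / job %s: %d finding(s) from the decide block",
    [input.organization_id, input.workflow_id, input.job_id, count(input.decisions)],
)

# Placeholder (assumption): stands in for shisho.notification.new(); the real
# Notification fields are defined in the library, not here.
notification_for(body) := {"message": body}

# `notifications` must be a list. The comprehension body is a bare condition,
# so it yields one notification when there are decisions and [] otherwise,
# meaning nothing is sent on a clean run.
notifications := [notification_for(message) | count(input.decisions) > 0]
```

Because input.decisions is always a list, count() is defined even when the decide block found nothing, and the policy degrades to an empty notifications list instead of failing to evaluate.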