
Rego Inline Policies

info

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

This page describes the API between Shisho Cloud and the inline policies, written in Rego, that run in workflow jobs.

API for jobs[].decide.rego

Inline policies set in jobs[].decide.rego perform the inspection/audit stage of a workflow's "Data Acquisition → Inspection/Audit → Notification & Recording of Results" flow.

Package Name

There are no restrictions. You can define any package name you desire.

package arbitrary.name.could.be.specified

Inputs for Policy Execution

Certain inputs are provided for the inline policy specified in jobs[].decide.rego.

input

The input variable carries the data retrieved by the GraphQL query detailed in jobs[].decide.input.schema.

info

Suppose the GraphQL query is like this:

query {
  github {
    organizations {
      login
      requiresTwoFactorAuthentication
    }
  }
}

In this situation, an object like the following is stored in the input variable accessible within the inline policy:

{
  "github": {
    "organizations": [
      {
        "login": "octcat",
        "requiresTwoFactorAuthentication": true
      },
      {
        "login": "your-org-name",
        "requiresTwoFactorAuthentication": false
      }
    ]
  }
}

You can access the above object in the inline policy like this:

org := input.github.organizations[_]

data.shisho

The data.shisho variable contains the definitions in the official Shisho Cloud Rego library.

info

For example, if you wish to access the package_known_vulnerability function in the shisho.decision.dependency package, you can define your Rego policy like this:

import data.shisho

x := shisho.decision.dependency.package_known_vulnerability(...)

Expected Policy Outputs

decisions Variable

Inline policies must store a list of Decision objects in the decisions variable; this is how the results of the policy's inspection/audit are conveyed to Shisho Cloud.

info

The functions described as "Emits a decision..." in the official Shisho Cloud Rego library are a convenient way to generate a Decision of a specific kind.
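An added example of a jobs[].decide.rego policy over the GraphQL result shown above (not taken from the Shisho Cloud documentation or library): it produces one decision per organization, allowed only when two-factor authentication is enforced. The package name, the helper name shisho.decision.github.org_2fa_status and the fields of its argument are assumptions; check the library reference for the actual "Emits a decision..." function and its parameters.

```rego
# Assumed package name; the page states any name may be used.
package policy.github.org_2fa

import data.shisho

# Set of organizations from the query result that do not enforce 2FA.
# Useful for a quick look at the findings while developing the policy.
orgs_without_2fa[org.login] {
    org := input.github.organizations[_]
    not org.requiresTwoFactorAuthentication
}

# `decisions` must be a list of Decision objects. Built here as an array
# comprehension so that one decision is emitted per organization.
decisions := [d |
    org := input.github.organizations[_]
    d := decision_for(org)
]

# Wraps the assumed library helper. The helper name and the keys
# "allowed", "subject" and "payload" are assumptions, not the documented API.
decision_for(org) := shisho.decision.github.org_2fa_status({
    "allowed": org.requiresTwoFactorAuthentication,
    "subject": sprintf("github-org:%s", [org.login]),
    "payload": {"login": org.login},
})
```

With the sample input above, orgs_without_2fa evaluates to {"your-org-name"} and decisions contains two entries, one allowed and one not.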

API for jobs[].notify.rego

Package Name

There are no limitations. You can define any package name you desire.

Inputs for Policy Execution

input.query

Holds the data retrieved by the GraphQL query described in jobs[].notify.input.schema.

input.organization_id

Holds the ID of the organization running the workflow.

input.workflow_id

Holds the workflow's ID.

input.job_id

Holds the ID of the job in which the inline policy is defined.

input.decisions

Holds the decisions produced by the decide block of the job in which the inline policy is defined.

input.running_state

Holds the running state of the job in which the inline policy is defined.

info

Under shisho.job, the potential values that this variable can hold are defined as constants.

input.exit_code

Holds the exit status of the job in which the inline policy is defined.

info

Under shisho.job, the potential values that this variable can hold are defined as constants.

data.shisho

The data.shisho variable contains the definitions stored in the official Shisho Cloud Rego library.

Expected Policy Outputs

notifications Variable

Inline policies should store a list of Notification objects in the notifications variable; this is how the inline policy instructs Shisho Cloud to send notifications.

info

You can easily create a Notification object using the shisho.notification.new() function in the official Shisho Cloud Rego library.