Creating a Policy
Policies are authored in a declarative language called Rego. You can get started quickly by using a template.
To list the available templates, use the policy templates list command:
policy templates list
Fetching templates .
NAME             KIND     DESCRIPTION
github           cicd     GitHub policy CI/CD template.
gitlab           cicd     GitLab policy CI/CD template.
policy-template  policy   Minimal policy template.
Applying a policy template
To create a new policy, use the policy templates apply command:
policy templates apply policy-template
Processing template 'policy-template' .
The template 'policy-template' was created successfully.
This will generate a minimal "hello world" policy.
2 directories, 2 files
You can create a git repository for these files by using
Adding a CI template
To add GitHub or GitLab CI to the repository, apply a CI template. Note that the defaults shown in the prompts below are supplied automatically if you have already run policy login to log in to a registry and made it your default policy registry.
policy templates apply github
Processing template 'github' .
> Select server#: 1
> server (registry.prod.aserto.com):
> user (ogazitt):
> secret name (TOKEN):
> org/repo: ogazitt/peoplefinder
Generating files .
The template 'github' was created successfully.
This command generates a GitHub workflow that builds, tags, and pushes a policy image whenever a new tag is pushed to GitHub.
1 directory, 2 files
The .github/config.yaml file contains the parameters to the workflow:
The secret name that was provided (by default, TOKEN) refers to a GitHub secret that contains a key (the Aserto Policy Registry key, or a GitHub PAT with the correct scopes) used to push the built, tagged image to the policy registry.
For the Aserto Policy Registry, this should be the API key found in the Console under the Aserto Policy Registry connection. This is the same API key that you used to log in using
For ghcr.io, the PAT needs to have the
Automated policy-as-code workflow
You now have a policy-as-code workflow: make changes to the policy, commit, tag a release, and push the tags; the workflow builds, tags, and pushes your policy image to the registry you configured.
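As an added example (not the generated workflow and not the project's own code), the script below does what a tag-driven CI job does: it derives the image reference from the pushed git ref and the prompt values above (server, user, org/repo), refuses to build from anything but a release tag, and feeds the TOKEN secret to policy login on stdin rather than as an argument. The policy build/push/login subcommands and the --password-stdin flag are assumptions about the policy CLI; check them against your installed version.

```shell
#!/bin/sh
# Added example: mimic the tag-driven build/tag/push workflow for a policy image.
# Assumes the `policy` CLI (build, push, login with --password-stdin) and a TOKEN
# environment variable holding the registry key; adjust if your CLI differs.
set -eu

# Constructed defaults, taken from the template prompts above.
SERVER="${SERVER:-registry.prod.aserto.com}"
USER_NAME="${USER_NAME:-ogazitt}"
REPO="${REPO:-ogazitt/peoplefinder}"

# image_ref SERVER ORG/REPO GIT_REF -> prints SERVER/ORG/REPO:TAG
# Only refs/tags/* is accepted: a branch push must never produce an image,
# and the tag must look like a release tag (vN.N.N), so a stray tag cannot
# overwrite or pollute the registry.
image_ref() {
  server="$1"; repo="$2"; ref="$3"
  case "$ref" in
    refs/tags/*) tag="${ref#refs/tags/}" ;;
    *) echo "image_ref: not a tag ref: $ref" >&2; return 1 ;;
  esac
  case "$tag" in
    v[0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "image_ref: not a release tag: $tag" >&2; return 1 ;;
  esac
  printf '%s/%s:%s\n' "$server" "$repo" "$tag"
}

# Build the policy in the current directory and push it under the derived tag.
# The secret goes to policy login via stdin, never on the command line, so it
# does not show up in process listings or CI logs.
build_and_push() {
  image="$(image_ref "$SERVER" "$REPO" "$1")"
  printf '%s' "$TOKEN" | policy login -s "$SERVER" -u "$USER_NAME" --password-stdin
  policy build . -t "$image"
  policy push "$image"
}

# In a GitHub job this would be: build_and_push "$GITHUB_REF"
```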