A docker-inspired CLI for building, tagging, pushing, pulling, and signing OPA policies to and from OCI-compliant registries.
The policy CLI is a tool for building, versioning and publishing your authorization policies. It uses OCI standards to manage artifacts, and the Open Policy Agent (OPA) to compile and run.
Documentation
Please refer to our documentation site for installation, usage, customization and tips.
Slack Channel
Wanna discuss features or show your support for this tool?
Installation
policy
is available on Linux, macOS and Windows platforms.
Binaries for Linux, Windows and Mac are available as tarballs in the release page.
Via Homebrew for macOS or LinuxBrew for Linux
brew tap opcr-io/tap && brew install opcr-io/tap/policy
Note: if you want to try a pre-release version before the official release:
brew tap opcr-io/tap && brew install opcr-io/tap/policy-rc
Via the nix package manager on nixOS, other linux distros, and macOS
At the moment the package is only available in the unstable
channel. Below are some examples using nix to install policy
via the shell, NixOS configuration, and home-manager configuration.
Shell:
nix-env --install -A nixpkgs.opcr-policy
NixOS:
# your other config ... environment.systemPackages = with pkgs; [ # your other packages ... opcr-policy ];
home-manager:
# your other config ... home.packages = with pkgs; [ # your other packages ... opcr-policy ];
Via a GO install
go install github.com/opcr-io/policy/cmd/policy@latest
Building From Source
policy
is currently using go v1.16 or above. In order to build policy
from source you must:
Install mage
Clone the repo
Build and run the executable
mage build && ./dist/build_linux_amd64/policy
Running with Docker Running the official Docker image
You can run as a Docker container:
docker run -it --rm ghcr.io/opcr-io/policy:latest --help
The Command Line
$ policy --help Usage: policy <command>LogsCommands: build Build policies. images List policy images. push Push policies to a registry. pull Pull policies from a registry. login Login to a registry. logout Logout from a registry. save Save a policy to a local bundle tarball. tag Create a new tag for an existing policy. rm Removes a policy from the local registry. inspect Displays information about a policy. repl Sets you up with a shell for running queries using an OPA instance with a policy loaded. templates List and apply templates version Prints version information.
Flags: -h, --help Show context-sensitive help. -c, --config="/Users/ogazitt/.policy/config.yaml" Path to the policy CLI config file. --debug Enable debug mode. -v, --verbosity=INT Use to increase output verbosity. -k, --insecure Do not verify TLS connections.
Run "policy <command> --help" for more information on a command.
Logs are printed to stderr
. You can increase detail using the verbosity flag (e.g. -vvv
).
Demo Videos/Recordings
Known Issues
This is still work in progress! If something is broken or there's a feature that you want, please file an issue and if so inclined submit a PR!
Credits
The policy CLI uses a lot of great and amazing open source projects and libraries. A big thank you to all of them!
Contributions Guideline
Reporting Vulnerabilities
Please send an email to one of the maintainers. We commit to addressing vulnerabilities promptly.
Twice a month we will interview people behind open source businesses. We will talk about how they are building a business on top of open source projects.
We'll never share your email with anyone else.