
Usage

Use the endorctl validate policy command to validate one or more policies against data from one or more projects. If the policy is valid, the command returns all matches for the given projects, in the requested format, with the corresponding exit code. The syntax of the endorctl validate policy command is:
endorctl validate policy [policies] [flags]

Flags and variables

The endorctl validate policy command uses the following flags and environment variables:

Specify one or more policies

Use one of the following formats to specify one or more policies:

Specify a project or a project filter

Use one of the following formats to specify one or more projects from which to load data:

Specify output format

As with the other endorctl commands, you can request the output as a table, or in json or yaml format. If the output format is json or yaml, the matching findings are listed under "matching_findings" and the results for all other resource kinds are listed under "matching_resources". For example: endorctl validate policy --policy-uuid 6418dc7a55afcfb7b0d0e025 --uuid 6699c827cd89accb3a017536 --output-type json.

Exit Codes

If the policy is valid and there are no matches, the command returns 0. The following table lists the non-zero exit codes returned by the endorctl validate policy command:

For a complete list of endorctl exit codes, see endorctl CLI exit codes.

Example

Below is an example of how to verify that a Rego policy is correctly formatted.
  1. First, define a Rego policy. Let’s take the example policy below that searches for dependencies with an Endor Labs overall score of less than 7. You can save this to a file called “test_policy.rego”.
    package example

    # Match each PackageVersion whose scorecard metric reports an overall score below 7.
    match_package_version_score[result] {
      some i
      data.resources.Metric[i].meta.name == "package_version_scorecard"
      data.resources.Metric[i].meta.parent_kind == "PackageVersion"
      # Only consider metrics whose parent is one of the loaded package versions.
      data.resources.Metric[i].meta.parent_uuid == data.resources.PackageVersion[_].uuid
      score := data.resources.Metric[i].spec.metric_values.scorecard.score_card.overall_score
      score < 7

      # The result object identifies the matched PackageVersion and reports its score.
      result = {
        "Endor" : {
          "PackageVersion" : data.resources.Metric[i].meta.parent_uuid
        },
        "Score" : sprintf("%v", [score])
      }
    }
    
  2. Next, validate that the policy is correctly formatted.
    endorctl validate policy \
      --policy test_policy.rego \
      --query data.example.match_package_version_score
    
  3. Add a project UUID to validate the policy against real data.
    endorctl validate policy \
      --policy test_policy.rego \
      --query data.example.match_package_version_score \
      --uuid $PROJECT_UUID \
      --output-type json > output.json
    
  4. Inspect the policy output.
    {
      "matching_resources": {
        "6553132357b462874261f054": {
          "Policy 1": {
            "PackageVersion": [
              {
                "resource_name": "pypi://astunparse@1.6.3",
                "resource_uuid": "63f599e177cf1f3d7f286ea1",
                "result": {
                  "None": [
                    {
                      "Score": "6"
                    }
                  ]
                }
              },
    

Troubleshooting

  • Set --output-type to json or yaml for formatted output
  • Add the --verbose flag for detailed output
  • Set --log-level debug for more information