Skip to content

m-mizutani/opaq

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits

.github/workflows

.github/workflows

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

client.go

client.go

 
 

error.go

error.go

 
 

export_test.go

export_test.go

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

main_test.go

main_test.go

 
 

proc.go

proc.go

 
 

query.go

query.go

 
 

Repository files navigation

opaq

opaq is a generic inquiry tool to OPA server. A major purpose of this tool is for inquiry in GitHub Actions.

Features

  • Data formatting: OPA server accepts only {"input": ...} schema and responds {"result": ...} schema. opaq changes input format and extracts result data before/after inquiry to OPA server.
  • Control exit code: --fail-defined and --fail-undefined options can change exit code to fail CI.
  • Inject metadata: --metadata (-m) can inject metadata to original input data for more sophisticated decision.

Usage

Installation with go command.

$ go install github.com/m-mizutani/opaq@latest

Or run command via docker image ghcr.io/m-mizutani/opaq:latest.

$ docker run ghcr.io/m-mizutani/opaq:latest -i result.json -u https://your-opa-server/v1/data/yourpolicy

Basic

$ opaq -i result.json -u https://your-opa-server/v1/data/yourpolicy
{
    "allow": true
}

GitHub Actions

E.g. querying a result of Trivy scan.

name: Vuln scan and inquiry to OPA server

on: [push]

jobs:
  scan:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout upstream repo
        uses: actions/checkout@v2
        with:
          ref: ${{ github.head_ref }}
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          format: json
          output: trivy-results.json
          list-all-pkgs: true
      - uses: docker://ghcr.io/m-mizutani/opaq:v0.1.0
        with:
          args: "-u https://your-opa-server/v1/data/trivy -i trivy-results.json -m repository=${{ github.repository }} -m ref=${{ github.ref_name }} --fail-defined"

Control exit code

opaq has two options for non-zero code exit to fail CI.

  • --fail-defined: Exits with non-zero exit code on undefined/empty result and errors
  • --fail-undefined: Exits with non-zero exit code on defined/non-empty result and errors
$ opaq -i result.json -u https://your-opa-server/v1/data/blue --fail-defined
{
    "allow": true
}
# Exit with non-zero code
$ opaq -i result.json -u https://your-opa-server/v1/data/orange --fail-defined
{}
# Normally exit

Inject metadata

In some cases, the structural data output for evaluation by OPA is not enough information for evaluation. For example, evaluation requires not only content of configuration file but also directory path and file name to check consistency. opaq allows to add metadata to original structure data.

$ opaq -i some/file.json -m "path=some/file.json" -u https://your-opa-server/v1/data/green

If original some/file.json is below,

{
    "config": {...}
}

-m option modifies data as following and send it to OPA server.

{
    "config": {...},
    "metadata": {
        "path": "some/file.json"
    }
}

Also, --metadata-field can change a field name of metadata. Default is metadata.

Other options

  • --input: Specify input file instead of STDIN
  • --format: Choose input format [json, yaml]
  • --data-field: Nest input data with a value of the option. If mydata is provided, {"user":"you"} will be modified to {"mydata":{"user":"you"}}
  • http-header: Add custom HTTP header(s). e.g. Authorization: Bearer XXXXX to pass authentication of OPA server

License

Apache License 2.0

About

Generic inquiry tool to OPA server for CI process, such as GitHub Actions

Topics

go opa github-actions

Resources

Readme

License

Apache-2.0 license
Activity

Stars

3 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases 2

v0.1.1 Latest
Jan 11, 2022
+ 1 release

Packages 1

 

Languages