Enterprise Policy Management: Rego Recipes
Sample Enterprise Policy Management rego policies for real-world checks
Recipe 1: Simple Tag Check
Use case: Match any package with a certain tag. For example: ready-for-production
. For this rule, the value ofmatch
will be true
when any tag.name
contains the value provided in required_tag
.
package cloudsmith
required_tag := "ready-for-production"
default match := false
match if {
has_required_tag
}
has_required_tag if {
some i
input.v0["package"].tags[i].name == required_tag
}
Recipe 2: Time-Based CVSS Policy
Use case: Evaluate vulnerabilities older than 30 days, check CVSS threshold ≥ 7, filter a specific repo, ignoring certain CVEs.
What It Does:
- Scopes to the
testing-policy
repository. - Ignores certain CVEs, requires CVSS ≥ 7.
- Only triggers if vulnerability is older than 30 days.
package cloudsmith
max_cvss_score := 7
older_than_days := -30
target_repository := "testing-policy"
ignored_cves := {"CVE-2023-45853", "CVE-2024-12345"}
default match := false
match if {
in_target_repository
count(reason) != 0
}
in_target_repository if {
input.v0.repository.name == target_repository
}
reason contains msg if {
some scan in input.v0.security_scan
some vulnerability in scan.Vulnerabilities
not ignored_cve(vulnerability)
vulnerability.FixedVersion
vulnerability.Status == "fixed"
some val in vulnerability.CVSS
val.V3Score >= max_cvss_score
t := time.add_date(time.now_ns(), 0, 0, older_than_days)
published_date := time.parse_rfc3339_ns(vulnerability.PublishedDate)
published_date <= t
msg := sprintf(
"CVSS Score: %v | Package: %v | Vulnerability: %v | Reason: %v",
[val.V3Score, input.v0["package"].name, vulnerability.VulnerabilityID, vulnerability.Description],
)
}
ignored_cve(vulnerability) if {
vulnerability.VulnerabilityID in ignored_cves
}
Recipe 3: CVSS Score + Fix Version + CVE Exclusion + Repo
Use case: Another approach for ignoring certain CVEs, focusing on one repository, with high/critical CVSS threshold.
What It Does:
- Matches packages in repository testing-policy if at least one vulnerability is “fixed,” CVSS > 7, and not in
ignored_cves
.
package cloudsmith
max_cvss_score := 7
target_repository := "testing-policy"
ignored_cves := {"CVE-2023-45853"}
default match := false
match if {
input.v0.repository.name == target_repository
some scan in input.v0.security_scan
some vulnerability in scan.Vulnerabilities
vulnerability.FixedVersion
vulnerability.Status == "fixed"
not ignored_cve(vulnerability)
exceeded_max_cvss(vulnerability)
}
exceeded_max_cvss(vulnerability) if {
some val in vulnerability.CVSS
val.V3Score > max_cvss_score
}
ignored_cve(vulnerability) if {
vulnerability.VulnerabilityID in ignored_cves
}
Recipe 4: CVSS Score + Tag + Time-Based
Use case: Combine tag requirements with older vulnerabilities that surpass a threshold.
What It Does:
- Requires package to have a tag named "internal-only"
- Only triggers if a vulnerability is older than 21 days, fixed, and has a CVSS ≥ 7.
package cloudsmith
customer_face_tag := "internal-only"
max_cvss_score := 7
default match := false
match if {
has_given_tag
count(reason) != 0
}
has_given_tag if {
some tag in input.v0["package"].tags
contains(tag.name, customer_face_tag)
}
reason contains msg if {
t := time.add_date(time.now_ns(), 0, 0, -21)
some scan in input.v0.security_scan
some vulnerability in scan.Vulnerabilities
published_date := time.parse_rfc3339_ns(vulnerability.PublishedDate)
published_date <= t
vulnerability.FixedVersion
vulnerability.Status == "fixed"
some val in vulnerability.CVSS
val.V3Score >= max_cvss_score
msg := sprintf(
"CVSS Score: '%v' for Package: '%v' has VulnerabilityID: '%v' with Reason: '%v'",
[val.V3Score, input.v0["package"].name, vulnerability.VulnerabilityID, vulnerability.Description],
)
}
Updated 4 days ago