policy-as-code

📁 bagelhole/devops-security-agent-skills 📅 9 days ago

Total installs: 1
Weekly installs: 1
Site-wide rank: #51922

Install command

npx skills add https://github.com/bagelhole/devops-security-agent-skills --skill policy-as-code

Agent install distribution

opencode 1
codex 1
claude-code 1

Skill documentation

Policy as Code

Automate policy enforcement through code.

Open Policy Agent (OPA)

# deny_public_buckets.rego
# Reports every aws_s3_bucket in the parsed Terraform input whose ACL is public-read.
# (Pre-OPA-1.0 rule syntax; rego.v1 would spell the head as `deny contains msg if`.)
package terraform.s3

deny[msg] {
    resource := input.resource.aws_s3_bucket[name]
    resource.acl == "public-read"
    msg := sprintf("S3 bucket '%s' has public ACL", [name])
}

Kyverno (Kubernetes)

# Rejects any Pod admitted without a non-empty 'app' label.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce   # use "audit" first for a warn-only rollout
  rules:
  - name: check-labels
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Label 'app' is required"
      pattern:
        metadata:
          labels:
            app: "?*"   # any non-empty value

Checkov

# Scan Terraform
checkov -d . --framework terraform

# Custom check (place in a directory passed to checkov via --external-checks-dir)
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck

class S3Encryption(BaseResourceCheck):
    def __init__(self):
        super().__init__(name="Ensure S3 bucket has server-side encryption", id="CKV_CUSTOM_1",
                         categories=[CheckCategories.ENCRYPTION], supported_resources=["aws_s3_bucket"])

    def scan_resource_conf(self, conf):  # conf maps the resource's attribute names to lists of values
        return CheckResult.PASSED if "server_side_encryption_configuration" in conf else CheckResult.FAILED

check = S3Encryption()  # Checkov registers the module-level instance

Best Practices

  • Version control policies
  • Test policies in CI
  • Gradual rollout (warn → enforce)
  • Exception management
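A unit test for the deny_public_buckets.rego policy above, as the kind of check the "Test policies in CI" item calls for. This is an added example, not code from the skill's repository; it assumes the policy file sits in the same directory and uses a constructed two-bucket input.

```rego
# deny_public_buckets_test.rego (added example; run with `opa test .`)
package terraform.s3

# Constructed input in the shape the policy expects: one public bucket, one private.
sample_input := {
    "resource": {
        "aws_s3_bucket": {
            "logs":   {"acl": "public-read"},
            "assets": {"acl": "private"},
        },
    },
}

# Only the public-read bucket is reported, with the exact message the policy builds.
test_public_bucket_is_reported {
    result := deny with input as sample_input
    count(result) == 1
    result["S3 bucket 'logs' has public ACL"]
}

# A private bucket produces no denial.
test_private_only_input_is_clean {
    result := deny with input as {"resource": {"aws_s3_bucket": {"assets": {"acl": "private"}}}}
    count(result) == 0
}

# A bucket with no acl attribute at all is not flagged (the comparison is simply undefined).
test_missing_acl_is_not_flagged {
    result := deny with input as {"resource": {"aws_s3_bucket": {"assets": {}}}}
    count(result) == 0
}
```

Both files use the pre-1.0 rule syntax, so on OPA 1.0 or later run `opa test --v0-compatible .`.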