Feature Overview
Support updating a policy file based on aqua.yaml.
Add packages used in aqua.yaml to a policy file.
Why is the feature needed?
To improve security.
To prevent malicious packages from being used in CI, we should manage the whitelist of packages with a policy file.
But it's bothersome to manage a policy file and update it every time we start using a new package.
So it's useful to add a command updating a policy file based on aqua.yaml.
Workaround
Maintain a policy file manually.
This is bothersome.
Example Code
$ aqua policy update aqua-policy.yaml aqua.yaml foo/aqua.yaml ...
aqua-policy.yaml is updated based on aqua.yaml.
Note
https://aquaproj.github.io/docs/reference/security/policy-as-code/
To prevent aqua-policy.yaml from being tampered with in CI, you should manage aqua-policy.yaml on the default branch and synchronize it in CI.
https://github.com/suzuki-shunsuke/simple-sync-action