Create Policy

Instructions

Step 1: Identify Policy Requirements

• What entity type is the policy targeting? (pipeline, service, environment, feature flag, etc.)
• What is the enforcement action (warn, deny)?
• What scope should the policy apply to?
• What action triggers the policy? (onrun, onsave, onstep, etc.)

references/rego-writing-guide.md

Step 2: Create the Policy

Call MCP tool: harness_create
Parameters:
  resource_type: "scs_opa_policy"
  org_id: "<organization>"
  project_id: "<project>"
  body: <policy definition>

Step 3: Verify Compliance Results

Call MCP tool: harness_list
Parameters:
  resource_type: "scs_compliance_result"
  org_id: "<organization>"
  project_id: "<project>"

Common Policy Patterns

Require SBOM Generation

package harness.artifact

deny[msg] {
  not input.artifact.sbom
  msg := "Artifact must have an SBOM before deployment"
}

Block Critical Vulnerabilities

package harness.artifact

deny[msg] {
  vuln := input.artifact.vulnerabilities[_]
  vuln.severity == "CRITICAL"
  msg := sprintf("Critical vulnerability %s found in artifact", [vuln.cve_id])
}

Enforce Approved Base Images

package harness.artifact

approved_bases := {"alpine", "distroless", "ubuntu"}

deny[msg] {
  not approved_bases[input.artifact.base_image]
  msg := sprintf("Base image '%s' is not in the approved list", [input.artifact.base_image])
}

Require Signed Artifacts

package harness.artifact

deny[msg] {
  not input.artifact.signed
  msg := "Artifact must be signed before deployment"
}

Related Resource Types

scs_opa_policy

scs_compliance_result

artifact_security

code_repo_security

scs_chain_of_custody

Rego Policy Reference Files

• Rego writing guide and rules — Entity types, package names, Rego patterns, quality checklist
• Pipeline policies and schema — Pipeline input schema, step/stage nesting, walk patterns
• Feature Flag / FME policies — Feature flag, definition, FME environment, segment schemas
• Service, Environment, Infrastructure — Service, env, infra schemas and examples
• Security Tests policies — Security test output schema, severity/coverage checks
• SBOM policies — SBOM deny/allow list patterns with semver comparison
• Terraform and Workspace — Terraform plan, cost, state, workspace schemas
• GitOps Application — GitOps app schema, namespace/label/revision policies
• Code Repository — Code repo naming, visibility, branch policies
• Variable policies — Variable schema, role-based restrictions
• Override policies — Override schema, config file and variable protection
• Connector policies — Connector schema, type/auth/naming restrictions
• Secret policies — Secret schema, naming/type/provider restrictions
• Template policies — Template schema, approval/versioning/environment checks
• Database DevOps policies — SQL statement governance, DDL restrictions, transaction limits
• Upstream Firewall — Firewall package schema, CVE/license policies
• Advanced patterns — Exception handling, walk, scoped references, exemptions

Examples

• "Create a policy to block critical CVEs" -- Create OPA deny rule for critical severity
• "Enforce SBOM generation for all artifacts" -- Create policy requiring SBOM presence
• "Only allow approved base images" -- Create policy with allowed base image list
• "Require artifact signing before production" -- Create policy checking signature status
• "Require approval before production deployments" -- Pipeline policy with Approval stage check
• "Enforce disallowPipelineExecutor on approval steps" -- Pipeline walk-based step check
• "Block Terraform plans exceeding $100/month" -- Terraform plan cost policy
• "Require feature flag descriptions" -- FME feature flag onsave policy
• "Prevent GitOps deployments to kube-system" -- GitOps namespace restriction
• "Check which artifacts violate our policies" -- List scs_compliance_result

Performance Notes

• Validate Rego syntax before submitting. Common issues: missing package declaration, deny rules without msg return.
• Ensure the policy package name follows

  package harness.<domain>

  convention.
• Test policy logic mentally against expected inputs before creating.

Troubleshooting

Policy Not Enforcing

• Policies are create-only via MCP -- verify the policy was created successfully
• Check that the policy scope matches the target artifacts/repositories
• Use

  scs_compliance_result

  to verify the policy is being evaluated

Policy Syntax Errors

• OPA policies use Rego language -- validate syntax before submitting
• Package names should follow

  package harness.<domain>

  convention
• Deny rules must return a

  msg

  string explaining the violation

Limitations

• MCP supports create-only for OPA policies (no list, update, or delete via MCP)
• For managing existing policies, use the Harness UI under Supply Chain Assurance settings
• Policies apply within the project scope where they are created