create-policy


Create Policy


Create OPA governance policies for Harness Software Supply Chain Assurance (SCS) via MCP.

Instructions


Step 1: Identify Policy Requirements


Determine what the policy should enforce:
  • What entity type is the policy targeting? (pipeline, service, environment, feature flag, etc.)
  • What is the enforcement action (warn, deny)?
  • What scope should the policy apply to?
  • What action triggers the policy? (onrun, onsave, onstep, etc.)
For writing Rego policies, consult references/rego-writing-guide.md for the complete Rego writing rules, entity types, package names, and common patterns. For entity-specific schemas and examples, see the entity reference files listed in that guide.

Step 2: Create the Policy


Call MCP tool: harness_create
Parameters:
  resource_type: "scs_opa_policy"
  org_id: "<organization>"
  project_id: "<project>"
  body: <policy definition>

Step 3: Verify Compliance Results


After a policy is created, check compliance status on artifacts or repositories:
Call MCP tool: harness_list
Parameters:
  resource_type: "scs_compliance_result"
  org_id: "<organization>"
  project_id: "<project>"

Common Policy Patterns


Require SBOM Generation


Enforce that all artifacts have an SBOM before deployment:
```rego
package harness.artifact

# `not` is true when the field is absent and when it is present but false,
# so an explicit "sbom": false is a violation too.
deny[msg] {
  not input.artifact.sbom
  msg := "Artifact must have an SBOM before deployment"
}
```

Block Critical Vulnerabilities


Deny deployment of artifacts with critical CVEs:
```rego
package harness.artifact

# Severity is an exact, case-sensitive string match: a scanner that reports
# "critical" would not trip this rule unless the value is normalized first.
deny[msg] {
  vuln := input.artifact.vulnerabilities[_]
  vuln.severity == "CRITICAL"
  msg := sprintf("Critical vulnerability %s found in artifact", [vuln.cve_id])
}
```

Enforce Approved Base Images


Restrict container images to approved base images:
```rego
package harness.artifact

# Exact string match on the set: "alpine:3.19" would not match "alpine".
approved_bases := {"alpine", "distroless", "ubuntu"}

# Fail closed: with no base image declared, the rule below is undefined (sprintf has no value to format) and would silently pass.
deny[msg] {
  not input.artifact.base_image
  msg := "Artifact does not declare a base image"
}

deny[msg] {
  not approved_bases[input.artifact.base_image]
  msg := sprintf("Base image '%s' is not in the approved list", [input.artifact.base_image])
}
```
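The "Block Critical Vulnerabilities" and "Enforce Approved Base Images" patterns above, combined into one policy that closes the gaps in the short versions. This is an added example, not code from the page or from Harness: the base image check canonicalizes the image reference before comparison and fails closed when no base image is declared, and the critical-CVE check compares severity case-insensitively and carries an explicit, visible exemption list. The input fields (`input.artifact.base_image`, `input.artifact.vulnerabilities[].severity`, `.cve_id`) are the ones the page's own examples assume, not a published SCS schema; the approved list and the exemption entry are constructed placeholders.

```rego
package harness.artifact

# Approved base images as canonical repository paths (registry/namespace/name,
# no tag or digest). Constructed example list.
approved_bases := {
  "docker.io/library/alpine",
  "docker.io/library/ubuntu",
  "gcr.io/distroless/static"
}

# Accepted risks signed off by the security team. Constructed placeholder ID;
# in practice each entry should carry a ticket reference and an expiry.
exempt_cves := {"CVE-0000-0001"}

# canonical(ref) strips the tag and digest from an image reference and applies
# Docker Hub's defaults for short names, so that "alpine:3.19",
# "docker.io/library/alpine" and "alpine@sha256:..." all compare equal.
canonical(ref) = repo {
  ref_and_digest := split(ref, "@")
  parts := split(ref_and_digest[0], "/")
  last := count(parts) - 1
  name_and_tag := split(parts[last], ":")
  path := array.concat(array.slice(parts, 0, last), [name_and_tag[0]])
  repo := concat("/", with_registry(path))
}

# A first path element containing "." or ":" (or equal to "localhost") is a
# registry host; otherwise the reference is a Docker Hub short name.
with_registry(path) = path {
  is_registry(path[0])
}

with_registry(path) = out {
  not is_registry(path[0])
  count(path) == 1
  out := array.concat(["docker.io", "library"], path)
}

with_registry(path) = out {
  not is_registry(path[0])
  count(path) > 1
  out := array.concat(["docker.io"], path)
}

is_registry(host) { contains(host, ".") }
is_registry(host) { contains(host, ":") }
is_registry(host) { host == "localhost" }

# Fail closed: an artifact that declares no base image cannot be shown to use
# an approved one. Without this rule the sprintf below is undefined for a
# missing field and the policy silently passes.
deny[msg] {
  not input.artifact.base_image
  msg := "Artifact does not declare a base image"
}

deny[msg] {
  repo := canonical(input.artifact.base_image)
  not approved_bases[repo]
  msg := sprintf("Base image '%s' (canonical '%s') is not in the approved list", [input.artifact.base_image, repo])
}

# Severity is compared case-insensitively so a scanner emitting "critical"
# cannot bypass the rule; exempted CVEs are skipped here and listed below.
deny[msg] {
  vuln := input.artifact.vulnerabilities[_]
  upper(vuln.severity) == "CRITICAL"
  not exempt_cves[vuln.cve_id]
  msg := sprintf("Critical vulnerability %s found in artifact", [vuln.cve_id])
}

# Make waived findings visible in the evaluation output rather than silent.
exempted[cve] {
  vuln := input.artifact.vulnerabilities[_]
  upper(vuln.severity) == "CRITICAL"
  cve := vuln.cve_id
  exempt_cves[cve]
}
```

With this policy, "gcr.io/distroless/static:nonroot", "alpine:3.19" and "alpine@sha256:..." all pass, while "localhost:5000/alpine" and an artifact with no `base_image` field are denied. Reviewers can query `data.harness.artifact.exempted` alongside `deny` to see exactly which critical findings were waived for a given artifact.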

Require Signed Artifacts


Enforce artifact signing before deployment:
```rego
package harness.artifact

# Fires when the signature status is absent or false. The rule trusts the
# upstream verification that set `signed`; it does not verify a signature itself.
deny[msg] {
  not input.artifact.signed
  msg := "Artifact must be signed before deployment"
}
```

Related Resource Types


| Resource Type | Operations | Description |
|---|---|---|
| scs_opa_policy | create | Create governance policies |
| scs_compliance_result | list | Check policy compliance status |
| artifact_security | list, get | View artifact security posture |
| code_repo_security | list, get | View repository security posture |
| scs_chain_of_custody | get | Verify artifact provenance |

Rego Policy Reference Files


For writing Rego policies for any Harness entity, consult these reference files:
  • Rego writing guide and rules — Entity types, package names, Rego patterns, quality checklist
  • Pipeline policies and schema — Pipeline input schema, step/stage nesting, walk patterns
  • Feature Flag / FME policies — Feature flag, definition, FME environment, segment schemas
  • Service, Environment, Infrastructure — Service, env, infra schemas and examples
  • Security Tests policies — Security test output schema, severity/coverage checks
  • SBOM policies — SBOM deny/allow list patterns with semver comparison
  • Terraform and Workspace — Terraform plan, cost, state, workspace schemas
  • GitOps Application — GitOps app schema, namespace/label/revision policies
  • Code Repository — Code repo naming, visibility, branch policies
  • Variable policies — Variable schema, role-based restrictions
  • Override policies — Override schema, config file and variable protection
  • Connector policies — Connector schema, type/auth/naming restrictions
  • Secret policies — Secret schema, naming/type/provider restrictions
  • Template policies — Template schema, approval/versioning/environment checks
  • Database DevOps policies — SQL statement governance, DDL restrictions, transaction limits
  • Upstream Firewall — Firewall package schema, CVE/license policies
  • Advanced patterns — Exception handling, walk, scoped references, exemptions

Examples


  • "Create a policy to block critical CVEs" -- Create OPA deny rule for critical severity
  • "Enforce SBOM generation for all artifacts" -- Create policy requiring SBOM presence
  • "Only allow approved base images" -- Create policy with allowed base image list
  • "Require artifact signing before production" -- Create policy checking signature status
  • "Require approval before production deployments" -- Pipeline policy with Approval stage check
  • "Enforce disallowPipelineExecutor on approval steps" -- Pipeline walk-based step check
  • "Block Terraform plans exceeding $100/month" -- Terraform plan cost policy
  • "Require feature flag descriptions" -- FME feature flag onsave policy
  • "Prevent GitOps deployments to kube-system" -- GitOps namespace restriction
  • "Check which artifacts violate our policies" -- List scs_compliance_result

Performance Notes


  • Validate Rego syntax before submitting. Common issues: missing package declaration, deny rules that never bind msg.
  • Ensure the policy package name follows the package harness.<domain> convention.
  • Test policy logic against representative inputs before creating the policy. The OPA CLI's opa eval and opa test run a policy against a JSON input locally, which is more reliable than tracing it by hand.
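A Rego unit-test file for the page's own SBOM and critical-CVE rules, as an added example (not part of the page or of Harness) of the local check recommended above. The two rules are reproduced inside the file so `opa test` runs it on its own. The input documents are constructed and follow the field names the page's examples use, not a published SCS schema; CVE-0000-0001 and CVE-0000-0002 are placeholders, and CVE-2021-44228 is the real Log4Shell identifier used as a realistic critical finding.

```rego
package harness.artifact

# The two rules under test are the page's own "Require SBOM Generation" and
# "Block Critical Vulnerabilities" policies, reproduced so this file is
# self-contained. Run with: opa test -v policy_test.rego
deny[msg] {
  not input.artifact.sbom
  msg := "Artifact must have an SBOM before deployment"
}

deny[msg] {
  vuln := input.artifact.vulnerabilities[_]
  vuln.severity == "CRITICAL"
  msg := sprintf("Critical vulnerability %s found in artifact", [vuln.cve_id])
}

# Constructed inputs. CVE-0000-0001 is a placeholder; CVE-2021-44228 (Log4Shell)
# is a real CRITICAL finding.
clean_artifact := {"artifact": {
  "sbom": true,
  "vulnerabilities": [{"cve_id": "CVE-0000-0001", "severity": "LOW"}]
}}

log4shell_artifact := {"artifact": {
  "sbom": true,
  "vulnerabilities": [{"cve_id": "CVE-2021-44228", "severity": "CRITICAL"}]
}}

# A compliant artifact produces no deny messages at all.
test_clean_artifact_passes {
  count(deny) == 0 with input as clean_artifact
}

# The deny message must name the offending CVE.
test_critical_cve_is_denied_by_id {
  deny["Critical vulnerability CVE-2021-44228 found in artifact"] with input as log4shell_artifact
}

# A missing SBOM field and an explicit false are both violations.
test_missing_sbom_is_denied {
  deny["Artifact must have an SBOM before deployment"] with input as {"artifact": {}}
}

test_false_sbom_is_denied {
  deny["Artifact must have an SBOM before deployment"] with input as {"artifact": {"sbom": false}}
}

# Documents a known gap instead of hiding it: the exact-match rule does not
# catch a lowercase severity value from a scanner.
test_lowercase_severity_is_not_caught {
  count(deny) == 0 with input as {"artifact": {
    "sbom": true,
    "vulnerabilities": [{"cve_id": "CVE-0000-0002", "severity": "critical"}]
  }}
}
```

The last test pins the behaviour of the exact-match severity rule; if the policy is later changed to normalize severity with upper(), that is the test that should start failing, which is the signal to update it rather than a defect in the policy.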

Troubleshooting


Policy Not Enforcing


  • Policies are create-only via MCP -- verify the policy was created successfully
  • Check that the policy scope matches the target artifacts/repositories
  • Use scs_compliance_result to verify the policy is being evaluated

Policy Syntax Errors


  • OPA policies use Rego language -- validate syntax before submitting
  • Package names should follow the package harness.<domain> convention
  • Deny rules must return a msg string explaining the violation

Limitations


  • MCP supports create-only for OPA policies (no list, update, or delete via MCP)
  • For managing existing policies, use the Harness UI under Supply Chain Assurance settings
  • Policies apply within the project scope where they are created