
infraguard policy

Manage compliance policies.

Subcommands

list

List all available policies:

infraguard policy list

Filter the listing by policy type:

infraguard policy list --type rule
infraguard policy list --type pack

get

Get details of a specific policy:

infraguard policy get rule:aliyun:ecs-instance-no-public-ip
infraguard policy get pack:aliyun:mlps-level-3-pre-check-compliance-pack

update

Update the policy library:

infraguard policy update

new

Scaffold a new custom rule (Rego skeleton + test fixtures):

# Generate a rule for both ROS and Terraform
infraguard policy new ecs-instance-must-have-owner-tag \
--iac both --severity medium \
--resource-type ALIYUN::ECS::Instance \
--tf-resource-type alicloud_instance

# Generate a compliance pack skeleton
infraguard policy new --pack my-team-baseline

Generated files live under --dir (default ./policies) and can be used directly with infraguard scan -p ./policies <template> and infraguard policy test. See Authoring Custom Rules.

| Flag | Description | Default |
|------|-------------|---------|
| --iac | Target IaC: ros, terraform, or both | both |
| --severity | high, medium, or low | medium |
| --resource-type | ROS resource type (repeatable) | |
| --tf-resource-type | Terraform resource type (repeatable) | |
| --dir | Output root directory | ./policies |
| --name-en / --name-zh | Rule name | rule ID |
| --desc-en / --desc-zh | Rule description | TODO |
| --no-test | Do not generate test fixtures | false |
| --force | Overwrite existing files | false |
| --pack | Generate a pack skeleton with the given ID | |

test

Run behavior tests for rules using their fixtures:

infraguard policy test --dir ./policies
infraguard policy test --dir ./policies --rule my-rule --iac terraform
infraguard policy test --dir ./policies --format json

For each rule, fixtures under <dir>/testdata/aliyun/rules/<rule>/ are evaluated: compliant fixtures must produce no violations of the rule, and violation fixtures must produce at least one. Exit code is 0 when all cases pass, 1 on failure, and 2 when no fixtures are found (unless --allow-empty). See Testing Rules.

| Flag | Description | Default |
|------|-------------|---------|
| --dir | Root directory containing rules/ and testdata/ | ./policies |
| --rule | Only test the given rule ID (repeatable) | all |
| --iac | IaC to test: ros, terraform, or both | both |
| --format | Output format: table or json | table |
| --allow-empty | Exit 0 even when no fixtures are found | false |
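The exit-code contract above (0 pass, 1 failure, 2 no fixtures, with --allow-empty turning 2 into 0) is what a CI pipeline has to act on. The following gate script is an added example, not part of InfraGuard; it assumes the infraguard binary is on PATH and the default layout of rules/ and testdata/ under ./policies, and it runs policy validate before policy test so that syntax errors are reported separately from failed behaviour tests.

```shell
#!/bin/sh
# Added example, not part of InfraGuard: a CI gate that validates a policy
# directory, runs its fixture-based behaviour tests, and maps the documented
# exit codes (0 pass, 1 failure, 2 no fixtures found) to a CI decision.
# Assumptions: `infraguard` is on PATH; rules/ and testdata/ live under the
# given directory (default ./policies).

policy_gate() {
  dir="${1:-./policies}"   # directory holding rules/ and testdata/
  mode="${2:-strict}"      # "strict": missing fixtures fail; "lenient": tolerated

  # Report Rego/schema problems before any behaviour test is attempted.
  infraguard policy validate "$dir" || {
    echo "policy validation failed in $dir" >&2
    return 1
  }

  rc=0
  if [ "$mode" = "lenient" ]; then
    # --allow-empty makes a fixture-less directory exit 0 instead of 2.
    infraguard policy test --dir "$dir" --format json --allow-empty || rc=$?
  else
    infraguard policy test --dir "$dir" --format json || rc=$?
  fi

  case "$rc" in
    0) echo "policy tests passed for $dir" ;;
    1) echo "policy tests FAILED for $dir (see the JSON report above)" >&2 ;;
    2) echo "no fixtures under $dir/testdata/aliyun/rules/; add fixtures or use lenient mode" >&2 ;;
    *) echo "unexpected exit code $rc from infraguard policy test" >&2 ;;
  esac
  return "$rc"
}

# Typical use: strict on the main branch, lenient on feature branches.
# policy_gate ./policies strict
```

Run it in strict mode on protected branches so that a rule shipped without fixtures (exit 2) blocks the merge rather than passing silently.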

validate

Validate custom policies:

infraguard policy validate my-rule.rego
infraguard policy validate ./policies/ --lang zh

format

Format policy files:

infraguard policy format rule.rego
infraguard policy format rule.rego --write
infraguard policy format rule.rego --diff

clean

Clean user policy directory:

infraguard policy clean # Interactive mode with confirmation
infraguard policy clean --force # Skip confirmation
infraguard policy clean -f # Short flag

Removes all policies from ~/.infraguard/policies/. Does not affect embedded policies or workspace policies.

For more details, see Managing Policies.