Managing Policies

Learn how to discover, manage, and update policies in InfraGuard.

Listing Policies

List All Policies

View all available rules and packs:

infraguard policy list

This displays:

All built-in rules
All compliance packs
Custom policies (if any)

Filter by Provider

Currently, InfraGuard supports Aliyun policies. Future versions will support additional providers.

Policy Details

Get Rule Information

View detailed information about a specific rule:

infraguard policy get rule:aliyun:ecs-instance-no-public-ip

Output includes:

Rule ID and name
Severity level
Description
Reason for failure
Recommendation
Affected resource types

Get Pack Information

View compliance pack details:

infraguard policy get pack:aliyun:mlps-level-3-pre-check-compliance-pack

Output includes:

Pack ID and name
Description
List of included rules

Updating Policies

InfraGuard includes embedded policies, but you can also download the latest policy library:

infraguard policy update

This downloads policies to ~/.infraguard/policies/, which takes precedence over embedded policies.

Cleaning Policies

To remove downloaded policies from your user directory:

infraguard policy clean

This command:

Removes all policies from ~/.infraguard/policies/
Prompts for confirmation by default
Does not affect embedded policies (they remain available)
Does not affect workspace policies in .infraguard/policies/

Force Clean (No Confirmation)

For scripts or non-interactive environments:

infraguard policy clean --force
# or
infraguard policy clean -f

Policy Loading Priority

InfraGuard loads policies from three sources with the following priority (highest to lowest):

Workspace-local policies: .infraguard/policies/ (relative to current working directory)
User-local policies: ~/.infraguard/policies/
Embedded policies: Built into the binary (fallback)

Policies with the same ID from higher-priority sources override lower-priority ones. This allows:

Project-specific policies: Define custom rules in .infraguard/policies/ that are version-controlled with your project
User customizations: Override embedded policies globally via ~/.infraguard/policies/
Seamless fallback: Built-in policies work out of the box

Validating Custom Policies

Before using custom policies, validate them:

infraguard policy validate ./my-custom-rule.rego

This checks:

Rego syntax
Required metadata (rule_meta or pack_meta)
Proper deny rule structure

Validation Options

# Validate a single file
infraguard policy validate rule.rego

# Validate a directory
infraguard policy validate ./policies/

# Specify output language
infraguard policy validate rule.rego --lang zh

Formatting Policies

Format your policy files using OPA formatter:

# Show formatted output
infraguard policy format rule.rego

# Write changes back to file
infraguard policy format rule.rego --write

# Show diff of changes
infraguard policy format rule.rego --diff

Policy Organization

Built-in Policies

Located in the binary under:

policies/aliyun/rules/ - Individual rules
policies/aliyun/packs/ - Compliance packs
policies/aliyun/lib/ - Helper libraries

Custom Policies

Workspace-Local Policies (Project-Specific)

Store project-specific policies in your project directory:

.infraguard/policies/<provider>/rules/ - Project-specific rules
.infraguard/policies/<provider>/packs/ - Project-specific packs
.infraguard/policies/<provider>/lib/ - Project-specific helper libraries

These policies are automatically loaded when running InfraGuard commands from within the project directory and can be version-controlled alongside your IaC templates.

User-Local Policies (Global)

Store global custom policies in your home directory:

~/.infraguard/policies/<provider>/rules/ - Custom rules
~/.infraguard/policies/<provider>/packs/ - Custom packs
~/.infraguard/policies/<provider>/lib/ - Custom helper libraries

Common Compliance Packs

Security & Best Practices

pack:aliyun:security-group-best-practice - Security group configuration
pack:aliyun:resource-protection-best-practice - Resource protection
pack:aliyun:multi-zone-architecture-best-practice - High availability

Compliance Standards

pack:aliyun:mlps-level-2-pre-check-compliance-pack - MLPS Level 2
pack:aliyun:mlps-level-3-pre-check-compliance-pack - MLPS Level 3
pack:aliyun:iso-27001-compliance - ISO 27001
pack:aliyun:pci-dss-compliance - PCI DSS
pack:aliyun:soc2-audit-compliance - SOC 2

Quick Start

pack:aliyun:quick-start-compliance-pack - Essential security checks

Tips

Discover Policies: Use policy list to explore available policies
Start Small: Begin with quick-start-compliance-pack
Validate First: Always validate custom policies before using them
Keep Updated: Regularly run policy update for latest rules

Next Steps

Learn about Writing Rules
Explore the Policy Reference
Configure Settings

Listing Policies​

List All Policies​

Filter by Provider​

Policy Details​

Get Rule Information​

Get Pack Information​

Updating Policies​

Cleaning Policies​

Force Clean (No Confirmation)​

Policy Loading Priority​

Validating Custom Policies​

Validation Options​

Formatting Policies​

Policy Organization​

Built-in Policies​

Custom Policies​

Workspace-Local Policies (Project-Specific)​

User-Local Policies (Global)​

Common Compliance Packs​

Security & Best Practices​

Compliance Standards​

Quick Start​

Tips​

Next Steps​