Create Custom Rules and Policies

Spotter allows you to add your own rules and policies so that every playbook meets your specific needs, requirements and use cases. Spotter's customizable checks let you follow regulations and standards, establish playbook standards, restrict which modules and collections may be used, enforce naming conventions, and constrain the values allowed on specific module parameters. See the demo or read the blog to learn more.

To define a custom rule or policy, write it in the Rego language and upload the file(s) via the CLI, as in the example below:

  package play

  # Flag EC2 instance tasks that place the instance in the default security group.
  SpotterPolicy[result] {
      task := input.tasks[i]
      task_args := task.task_args["amazon.aws.ec2_instance"]
      task_args.security_group == "default"
      result := {
          "correlation_id": task.task_id,
          "check_type": "TASK",
          "message": "Instances shouldn't be in default security groups."
      }
  }

Policies are written for the Open Policy Agent (OPA) and evaluate the data that Spotter extracts from Ansible tasks and playbooks. A rule adds a result to the SpotterPolicy set only when every expression in its body holds, so a task that does not match the module name or the checked value simply produces no finding.
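The following policy is an added example, not code from the Spotter documentation. It reuses only what the page's own policy shows about the input layout (input.tasks[i].task_args keyed by the fully qualified module name, task.task_id, and a result with correlation_id, check_type and message); the parameter names region and aws_access_key are those of the amazon.aws.ec2_instance module. It implements two of the findings from the scan output on this page (region restricted to eu-*, access key must be a variable) and adds a constructed input plus Rego unit tests so the policy can be exercised offline with the OPA CLI before uploading it.

```rego
package play

# Added example policy (not from the Spotter docs). Assumes the input layout
# shown in the page's own example: input.tasks[i].task_args keyed by module
# name, task.task_id, and results with correlation_id/check_type/message.

# Rule 1: instances must be created in a European region.
# Binding `region` first means a task that does not set region at all makes
# the body undefined and yields no finding, rather than a false positive.
SpotterPolicy[result] {
    task := input.tasks[i]
    args := task.task_args["amazon.aws.ec2_instance"]
    region := args.region
    not startswith(region, "eu-")
    result := {
        "correlation_id": task.task_id,
        "check_type": "TASK",
        "message": sprintf("Region should be set to europe (eu-...), got %v.", [region])
    }
}

# Rule 2: the access key must be a Jinja variable reference ("{{ ... }}"),
# never a literal secret committed to the playbook.
SpotterPolicy[result] {
    task := input.tasks[i]
    args := task.task_args["amazon.aws.ec2_instance"]
    key := args.aws_access_key
    not contains(key, "{{")
    result := {
        "correlation_id": task.task_id,
        "check_type": "TASK",
        "message": "Access key should be written as a variable."
    }
}

# Constructed sample input (hypothetical task ids): t1 is compliant, t2 is not.
sample_input := {"tasks": [
    {
        "task_id": "t1",
        "task_args": {"amazon.aws.ec2_instance": {
            "region": "eu-central-1",
            "aws_access_key": "{{ aws_access_key }}"
        }}
    },
    {
        "task_id": "t2",
        "task_args": {"amazon.aws.ec2_instance": {
            "region": "us-east-1",
            "aws_access_key": "AKIA-PLACEHOLDER-NOT-A-REAL-KEY"
        }}
    }
]}

# Unit tests, run with `opa test`.
test_compliant_task_has_no_findings {
    findings := SpotterPolicy with input as sample_input
    count([r | r := findings[_]; r.correlation_id == "t1"]) == 0
}

test_noncompliant_task_has_two_findings {
    findings := SpotterPolicy with input as sample_input
    count([r | r := findings[_]; r.correlation_id == "t2"]) == 2
}
```

Run `opa test policy.rego` to execute the two tests; the file uses the same rule syntax as the page's example, so on OPA 1.0 or newer add `--v0-compatible`. Writing the tests next to the policy is the cheapest way to catch the common mistake of a rule that fires on every task because a missing parameter was not bound before being compared.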

The custom policy results appear alongside all other check results, giving you a single playbook scan with all the essential information in one place.


  > spotter policies set Policies
  Custom policies successfully set.
  > spotter scan playbook.yml
  Scanning...success. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
  ------------------------------------------------------------------------
  playbook.yml:7:7: ERROR: [E2300] Name value should start with uppercase letter.
  playbook.yml:7:7: ERROR: [E2300] Region should be set to europe (eu-...).
  playbook.yml:7:7: ERROR: [E2300::IncorrectValue] ec2_group.rules[0] SSH' (Port:22) should not be public.
  playbook.yml:7:7: ERROR: [E2300::IncorrectValue] ec2_group.rules[1] should not open the http port (80).
  playbook.yml:23:7: ERROR: [E2300] Instances should not be in default security groups.
  playbook.yml:23:7: ERROR: [E2300] Name value should end with a dot.
  playbook.yml:23:7: ERROR: [E2300] Volume size should be set to less then 128GB.
  playbook.yml:41:7: ERROR: [E2300] Name value should end with a dot.
  playbook.yml:47:7: HINT: [H1600] Tasks should always be named using the name parameter.
  playbook.yml:52:7: ERROR: [E2300] Access key should be written as a variable.
  ------------------------------------------------------------------------
  Spotter took 1.389 s to scan your input.
  It resulted in 9 error(s), 0 warning(s) and 1 hint(s).
  Overall status: ERROR

You can upload a single policy file or a whole directory. You can also set the policy for a specific project or for the whole organization.

Single policy:
$ spotter policies set policy.rego

A directory:
$ spotter policies set Policies

Set policy for a specific project:
$ spotter policies set --project-id <project-id> policy.rego

Set policy for the whole organization:
$ spotter policies set --organization-id <organization-id> policy.rego

To clear policies:
$ spotter policies clear