Create Custom Rules and Policies

Spotter allows you to add your own rules and policies to ensure all playbooks meet your specific needs, requirements and use cases. Spotter’s customizable checks enable you to follow regulations and standards, establish playbook standards, define modules and collections, enforce naming conventions, and limit required values on specific modules. See DEMO or read blog to learn more.

To define a custom rule or policy, upload the file(s) via the CLI. Policies are written in the Rego language, as in the example below:

  package play

  # Flag EC2 instances that are launched into the default security group.
  SpotterPolicy[result] {
      task := input.tasks[i]
      # Spotter exposes the task's module arguments keyed by the module's FQCN.
      security_group := task.task_args["amazon.aws.ec2_instance"].security_group
      security_group == "default"
      result := {
          "correlation_id": task.task_id,
          "check_type": "TASK",
          "message": "Instances should not be in default security groups.",
      }
  }



Policies are written in accordance with the Open Policy Agent (OPA) and they check Spotter’s extracted data from Ansible tasks or playbooks.
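The following policy is an added example, not code from the Spotter documentation or the Spotter project. It uses the same input shape as the example above (`input.tasks[i]`, `task.task_args[<module FQCN>]`, `task.task_id`, a `result` with `correlation_id`, `check_type` and `message`) and implements a check like the "should not be public" finding in the scan output below: an `amazon.aws.ec2_group` rule that opens SSH (port 22) to the whole internet. The argument layout it assumes for the module (`rules[]` entries carrying either `ports` or `from_port`/`to_port`, plus `cidr_ip` as a string or a list) follows the module's documented parameters, and the helper names `public_cidr`, `covers_ssh` and `world_open` are the example's own. It is written in the pre-1.0 Rego rule syntax the page's example uses; OPA 1.0 and later require the `if` and `contains` keywords for these rule forms.

```rego
package play

# Added example policy (not part of the Spotter docs): report ec2_group rules
# that expose SSH (port 22) to every address. Assumes the amazon.aws.ec2_group
# argument layout described in the lead-in.

# CIDRs that match every IPv4 or IPv6 source address.
public_cidr := {"0.0.0.0/0", "::/0"}

# covers_ssh(rule) is true when the rule entry includes port 22, whether it is
# given as a number in "ports", as a string in "ports", or as a from/to range.
covers_ssh(rule) {
    rule.ports[_] == 22
}
covers_ssh(rule) {
    rule.ports[_] == "22"
}
covers_ssh(rule) {
    rule.from_port <= 22
    rule.to_port >= 22
}

# world_open(rule) is true when cidr_ip (a string or a list of strings)
# contains a CIDR that admits the whole internet.
world_open(rule) {
    is_string(rule.cidr_ip)
    public_cidr[rule.cidr_ip]
}
world_open(rule) {
    is_array(rule.cidr_ip)
    public_cidr[rule.cidr_ip[_]]
}

# One result per offending rule entry; j is the index into ec2_group.rules,
# which lets the message point at the exact entry to fix.
SpotterPolicy[result] {
    task := input.tasks[i]
    rules := task.task_args["amazon.aws.ec2_group"].rules
    rule := rules[j]
    covers_ssh(rule)
    world_open(rule)
    result := {
        "correlation_id": task.task_id,
        "check_type": "TASK",
        "message": sprintf("ec2_group.rules[%d] opens SSH (port 22) to %v; restrict cidr_ip to known source ranges.", [j, rule.cidr_ip]),
    }
}
```

Because each rule body is a conjunction, a task that uses a different module, has no `rules`, or whose rule does not cover port 22 simply produces no result rather than an error. Before uploading, the policy can be exercised locally against a hand-written JSON input with `opa eval -d policy.rego -i input.json 'data.play.SpotterPolicy'`, which prints the set of results the rule derives.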

You’ll see the results along with all other check results, giving you an all-inclusive playbook scan that provides you with all essential information in one place.


  > spotter set-policies Policies
  Custom policies successfully set.
  > spotter scan playbook.yml
  Scanning...success. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
  ------------------------------------------------------------------------
  playbook.yml:7:7: ERROR: [E2300] Name value should start with uppercase letter.
  playbook.yml:7:7: ERROR: [E2300] Region should be set to europe (eu-...).
  playbook.yml:7:7: ERROR: [E2300::IncorrectValue] ec2_group.rules[0] SSH' (Port:22) should not be public.
  playbook.yml:7:7: ERROR: [E2300::IncorrectValue] ec2_group.rules[1] should not open the http port (80).
  playbook.yml:23:7: ERROR: [E2300] Instances should not be in default security groups.
  playbook.yml:23:7: ERROR: [E2300] Name value should end with a dot.
  playbook.yml:23:7: ERROR: [E2300] Volume size should be set to less then 128GB.
  playbook.yml:41:7: ERROR: [E2300] Name value should end with a dot.
  playbook.yml:47:7: HINT: [H1600] Tasks should always be named using the name parameter.
  playbook.yml:52:7: ERROR: [E2300] Access key should be written as a variable.
  ------------------------------------------------------------------------
  Spotter took 1.389 s to scan your input.
  It resulted in 9 error(s), 0 warning(s) and 1 hint(s).
  Overall status: ERROR



You can upload a single policy or a whole directory of policies. You can also set the policy for a specific project or for the whole organization.

Single policy:
  $ spotter set-policies policy.rego

A directory:
  $ spotter set-policies Policies

Set policy for a specific project:
  $ spotter set-policies --project-id <project-id> policy.rego

Set policy for the whole organization:
  $ spotter set-policies --organization-id <organization-id> policy.rego

To clear policies:
  $ spotter clear-policies