• Stars
    star
    756
  • Rank 60,056 (Top 2 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 6 years ago
  • Updated 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A GitHub App that enforces approval policies on pull requests

policy-bot

Docker Pulls

policy-bot is a GitHub App for enforcing approval policies on pull requests. It does this by creating a status check, which can be configured as a required status check.

While GitHub natively supports required reviews, policy-bot provides more complex approval features:

  • Require reviews from specific users, organizations, or teams
  • Apply rules based on the files, authors, or branches involved in a pull request
  • Combine multiple approval rules with and and or conditions
  • Automatically approve pull requests that meet specific conditions

Behavior is configured by a file in each repository. policy-bot also provides a UI to view the detailed approval status of any pull request.

Configuration

Policies are defined by a .policy.yml file at the root of the repository. You can change this path and file name when running your own instance of the server.

  • The file is read from the most recent commit on the target branch of each pull request.

  • The file may contain a reference to a policy in a different repository (see Remote Policy Configuration.)

  • If the file does not exist in the repository, policy-bot tries to load a shared policy.yml file at the root of the .github repository in the same organization. You can change this path and repository name when running your own instance of the server.

  • If a policy does not exist in the repository or in the shared organization repository, policy-bot does not post a status check on the pull request. This means it is safe to enable policy-bot on all repositories in an organization.

policy.yml Specification

The overall policy is expressed by:

  • Lists of rule definitions
  • A set of policies that combine the rules or define additional options

Consider the following example, which allows changes to certain paths without review, but all other changes require review from the palantir/devtools. Any member of the palantir organization can also disapprove changes.

# the high level policy
policy:
  approval:
    - or:
      - the devtools team has approved
      - only staging files have changed
  disapproval:
    requires:
      organizations:
        - "palantir"

# the list of rules
approval_rules:
  - name: the devtools team has approved
    requires:
      count: 1
      teams:
        - "palantir/devtools"
  - name: only staging files have changed
    if:
      only_changed_files:
        paths:
          - "staging/.*"
    requires:
      count: 0

Notes on YAML Syntax

The YAML language specification supports flow scalars (basic values like strings and numbers) in three formats: single-quoted, double-quoted, and plain. Each support different escape characters, which can cause confusion when used for regex strings (which often contain the \\ character).

  • Single Quoted: ' is used as an escape character. Backslash characters do not need to be escaped. e.g. '^BREAKING CHANGE: (\w| )+$'
  • Double Quoted: \ is used as an escape character. Backslash characters must be escaped with a preceding \. e.g. "^BREAKING CHANGE: (\\w| )+$"
  • Plain: There are no escape characters. Backslash characters do not need to be escaped. e.g. ^BREAKING CHANGE: (\w| )+$

Remote Policy Configuration

You can also define a remote policy by specifying a repository, path, and ref (only repository is required). Instead of defining a policy key, you would define a remote key. Only 1 level of remote configuration is supported by design.

# The remote repository to read the policy file from. This is required, and must
# be in the form of "org/repo-name". The policy bot github app must have read
# access to this repository.
remote: org/repo-name

# The path to the policy config file in the remote repository. If none is
# specified, the default path in the server config is used.
path: path/to/policy.yml

# The branch (or tag, or commit hash) that should be used on the remote
# repository. If none is specified, the default branch of the repository is used.
ref: master

Approval Rules

Each list entry in approval_rules has the following specification:

# "name" is required, and is used to reference rules in the "policy" block
name: "example rule"

# "description" is optional and provides an explanation of the rule or
# additional help for users. Unlike YAML comments, it appears in the pull
# request details UI along with other information about the rule.
description: "A rule that explains how to configure all of the features"

# "if" specifies a set of predicates that must be true for the rule to apply.
# This block, and every condition within it are optional. If the block does not
# exist, the rule applies to every pull request.
if:
  # "changed_files" is satisfied if any file in the pull request matches any
  # regular expression in the "paths" list. If the "ignore" list is present,
  # files in the pull request matching these regular expressions are ignored
  # by this rule.
  #
  # Note: Double-quote strings must escape backslashes while single/plain do not.
  # See the Notes on YAML Syntax section of this README for more information.
  changed_files:
    paths:
      - "config/.*"
      - "server/views/.*\\.tmpl"
    ignore:
      - "config/special\\.file"

  # "only_changed_files" is satisfied if all files changed by the pull request
  # match at least one regular expression in the list.
  #
  # Note: Double-quote strings must escape backslashes while single/plain do not.
  # See the Notes on YAML Syntax section of this README for more information.
  only_changed_files:
    paths:
      - "config/.*"

  # "has_author_in" is satisfied if the user who opened the pull request is in
  # the users list or belongs to any of the listed organizations or teams. The
  # `users` field can contain a GitHub App by appending `[bot]` to the end of
  # the name, for example: `fun-github-app[bot]`
  has_author_in:
    users: ["user1", "user2", ...]
    organizations: ["org1", "org2", ...]
    teams: ["org1/team1", "org2/team2", ...]

  # "has_contributor_in" is satisfied if any commits on the pull request have
  # an author or committer in the users list or that belong to any of the
  # listed organizations or teams.
  has_contributor_in:
    users: ["user1", "user2", ...]
    organizations: ["org1", "org2", ...]
    teams: ["org1/team1", "org2/team2", ...]

  # "only_has_contributors_in" is satisfied if all of the commits on the pull
  # request have an author or committer in the users list or that belong to
  # any of the listed organizations or teams.
  only_has_contributors_in:
    users: ["user1", "user2", ...]
    organizations: ["org1", "org2", ...]
    teams: ["org1/team1", "org2/team2", ...]

  # "author_is_only_contributor", when true, is satisfied if all commits in the
  # pull request are authored by and committed by the user who opened the pull
  # request. When false, it is satisfied if at least one commit in the pull
  # request was authored or committed by another user.
  author_is_only_contributor: true

  # "targets_branch" is satisfied if the target branch of the pull request
  # matches the regular expression
  #
  # Note: Double-quote strings must escape backslashes while single/plain do not.
  # See the Notes on YAML Syntax section of this README for more information.
  targets_branch:
    pattern: "^(master|regexPattern)$"

  # "from_branch" is satisfied if the source branch of the pull request
  # matches the regular expression. Note that source branches from forks will
  # have the pattern "repo_owner:branch_name"
  #
  # Note: Double-quote strings must escape backslashes while single/plain do not.
  # See the Notes on YAML Syntax section of this README for more information.
  from_branch:
    pattern: "^(master|regexPattern)$"

  # "modified_lines" is satisfied if the number of lines added or deleted by
  # the pull request matches any of the listed conditions. Each expression is
  # an operator (one of '<' or '>'), an optional space, and a number.
  modified_lines:
    additions: "> 100"
    deletions: "> 100"
    total: "> 200"

  # "has_successful_status" is satisfied if the status checks that are specified
  # are marked successful on the head commit of the pull request.
  has_successful_status:
    - "status-name-1"
    - "status-name-2"
    - "status-name-3"

  # "has_labels" is satisfied if the pull request has the specified labels
  # applied
  has_labels:
    - "label-1"
    - "label-2"

  # "repository" is satisfied if the pull request repository matches any one of the
  # patterns within the "matches" list or does not match all of the patterns
  # within the "not_matches" list.
  #
  # Note: Double-quote strings must escape backslashes while single/plain do not.
  # See the Notes on YAML Syntax section of this README for more information.
  repository:
    matches:
      - "palantir/policy.*"
    not_matches:
      - "palantir/.*docs"

  # "title" is satisfied if the pull request title matches any one of the
  # patterns within the "matches" list or does not match all of the patterns
  # within the "not_matches" list.
  # e.g. this predicate triggers for titles including "BREAKING CHANGE" or titles
  # that are not marked as docs/style/chore changes (using conventional commits
  # formatting)
  #
  # Note: Double-quote strings must escape backslashes while single/plain do not.
  # See the Notes on YAML Syntax section of this README for more information.
  title:
    matches:
      - "^BREAKING CHANGE: (\\w| )+$"
    not_matches:
      - "^(docs|style|chore): (\\w| )+$"

  # "has_valid_signatures" is satisfied if the commits in the pull request
  # all have git commit signatures that have been verified by GitHub
  has_valid_signatures: true

  # "has_valid_signatures_by" is satisfied if the commits in the pull request
  # all have git commit signatures that have been verified by GitHub, and
  # the authenticated signatures are attributed to a user in the users list
  # or belong to a user in any of the listed organizations or teams.
  has_valid_signatures_by:
    users: ["user1", "user2", ...]
    organizations: ["org1", "org2", ...]
    teams: ["org1/team1", "org2/team2", ...]

  # "has_valid_signatures_by_keys" is satisfied if the commits in the pull request
  # all have git commit signatures that have been verified by GitHub, and
  # the authenticated signatures are attributed to a GPG key with an ID in the list.
  has_valid_signatures_by_keys:
    key_ids: ["3AA5C34371567BD2"]

# "options" specifies a set of restrictions on approvals. If the block does not
# exist, the default values are used.
options:
  # If true, approvals by the author of a pull request are considered when
  # calculating the status. False by default.
  allow_author: false

  # If true, the approvals of someone who has committed to the pull request are
  # considered when calculating the status. The pull request author is considered
  # a contributor. If allow_author and allow_contributor would disagree, this option
  # always wins. False by default.
  allow_contributor: false

  # If true, the approvals of someone who has committed to the pull request are
  # considered when calculating the status. In this case, pull request author is NOT
  # considered a contributor. If combined with any combination of allow_author: true
  # or allow_contributors: true, then the pull request author IS considered when
  # calculating approval. False by default.
  allow_non_author_contributor: false

  # If true, pushing new commits to a pull request will invalidate existing
  # approvals for this rule. False by default.
  invalidate_on_push: false

  # If true, comments on PRs, the PR Body, and review comments that have been edited in any way
  # will be ignored when evaluating approval rules. Default is false.
  ignore_edited_comments: false

  # If true, "update merges" do not invalidate approval (if invalidate_on_push
  # is enabled) and their authors/committers do not count as contributors. An
  # "update merge" is a merge commit that was created in the UI or via the API
  # and merges the target branch into the pull request branch. These are
  # commonly created by using the "Update branch" button in the UI.
  ignore_update_merges: false

  # If present, commits authored and committed by users meeting the conditions
  # are ignored for the purposes of approval. This means the users will not
  # count as contributors and their commits will not invalidate approval if
  # invalidate_on_push is enabled. Both the author and the committer must match
  # the conditions to ignore the commit. This option has security implications,
  # see the README for more details.
  ignore_commits_by:
    users: ["bulldozer[bot]"]
    organizations: ["org1"]
    teams: ["org1/team1"]

  # Automatically request reviewers when a Pull Request is opened
  # if this rule is pending, there are no assigned reviewers, and if the
  # Pull Request is not in Draft.
  # Reviewers are selected based on the set of requirements for this rule
  # and reviewers can be augmented using the mode option.
  request_review:
    # False by default
    enabled: true

    # mode modifies how reviewers are selected. `all-users` will request all users
    # who are able to approve the pending rule. `random-users` selects a small
    # set of random users based on the required count of approvals. `teams` will
    # request teams to review. Teams must have explicit access defined under
    # https://github.com/<org>/<repo>/settings/access in order to be tagged,
    # at least until https://github.com/palantir/policy-bot/issues/165 is fixed.
    # Defaults to 'random-users'.
    mode: all-users|random-users|teams

  # "methods" defines how users may express approval.
  methods:
    # If a comment contains a string in this list, it counts as approval. Use
    # the "comment_patterns" option if you want to match full comments. The
    # default values are shown.
    comments:
      - ":+1:"
      - "πŸ‘"

    # If a comment matches a regular expression in this list, it counts as
    # approval. Defaults to an empty list.
    #
    # Note: Double-quote strings must escape backslashes while single/plain do not.
    # See the Notes on YAML Syntax section of this README for more information.
    comment_patterns:
      - "^Signed-off by \\s+$"

    # If true, GitHub reviews can be used for approval. All GitHub review approvals
    # will be accepted as approval candidates. Default is true.
    github_review: true

    # Just like the "comment_patterns" option, but for GitHub reviews. Only GitHub
    # review approvals matching the included patterns will be accepted as
    # approval candidates. Defaults to an empty list.
    github_review_comment_patterns:
      - '\b(?i)domain\s*lgtm\b'

    # Just like the "comment_patterns" and "github_review_comment_patterns" option, but
    # for the PR Body description. If a PR body contains a string in this list, it counts as approval. Use
    # the "body_patterns" option if you want to match strings.
    body_patterns:
      - "\b(?i)no-platform"

# "requires" specifies the approval requirements for the rule. If the block
# does not exist, the rule is automatically approved.
requires:
  # "count" is the number of required approvals. The default is 0, meaning no
  # approval is necessary.
  count: 1

  # A user must be in the list of users or belong to at least one of the given
  # organizations or teams for their approval to count for this rule.
  users: ["user1", "user2"]
  organizations: ["org1", "org2"]
  teams: ["org1/team1", "org2/team2"]

  # A user must have at least the minimum permission in this list for their
  # approval to count for this rule. Valid permissions are "admin", "maintain",
  # "write", "triage", and "read".
  #
  # Specifying more than one permission is only useful to control which users
  # or teams are selected for review requests. See the documentation on review
  # requests for details.
  permissions: ["write"]

  # Deprecated: use 'permissions: ["admin"]'
  #
  # Allows approval by admins of the org or repository
  # admins: true

  # Deprecated: use 'permissions: ["write"]'
  #
  # Allows approval by users who have write on the repository
  # write_collaborators: true

Approval Policies

The approval block in the policy section defines a list of rules that must all be true:

policy:
  approval:
    - rule1
    - rule2
    - rule3
    - ...

Each list entry may be the name of a rule, or one of the following conjunctions:

or:
  - rule1
  - rule2
  - ...
and:
  - rule1
  - rule2
  - ...

Conjunctions can contain more conjunctions (up to a maximum depth of 5):

- or:
    - rule1
    - rule2
    - and:
        - rule3
        - rule4

Disapproval Policy

Disapproval allows users to explicitly block pull requests if certain changes must be made. Any member of in the set of allowed users can disapprove a change or revoke another user's disapproval.

Unlike approval, all disapproval predicates and options are specified as part of the policy. Effectively, there is a single disapproval rule. The disapproval policy has the following specification:

# "disapproval" is the top-level key in the policy block.
disapproval:
  # "if" specifies a set of predicates which will cause disapproval if any are
  # true
  #
  # This block, and every condition within it are optional. If the block does
  # not exist, a pull request is only disapproved if a user takes a disapproval
  # action.
  if:
    # All predicates from the approval rules section are valid here
    title:
      not_matches:
        - "^(fix|feat|chore): (\\w| )+$"
        - "^BREAKING CHANGE: (\\w| )+$"
      matches:
        - "^BLOCKED"

  # "options" sets behavior related to disapproval. If it does not exist, the
  # defaults shown below are used.
  options:
    # "methods" defines how users set and revoke disapproval.
    methods:
      # "disapprove" sets the methods for disapproval.
      disapprove:
        comments:
          - ":-1:"
          - "πŸ‘Ž"
        github_review: true

      # "revoke" sets the methods for revoking disapproval. Usually, these will
      # match the methods used by approval rules.
      revoke:
        comments:
          - ":+1:"
          - "πŸ‘"
        github_review: true

  # "requires" sets the users that are allowed to disapprove. If it is not set,
  # disapproval is not enabled.
  requires:
    users: ["user1", "user2"]
    organizations: ["org1", "org2"]
    teams: ["org1/team1", "org2/team2"]

Testing and Debugging Policies

Sometimes it is useful to test if a given policy file is valid, especially in a CI environment.

An API endpoint exists at /api/validate to validate the syntax of the yaml and policy configuration, however it cannot validate that the rules are semantically correct for a given use case.

The API can be used as such:

$ curl https://policybot.domain/api/validate -XPUT -T path/to/policy.yml
{"message":"failed to parse approval policy: failed to parse subpolicies for 'and': policy references undefined rule 'the devtools team has approved', allowed values: [the devtools team has]","version":"1.12.5"}

You can examine the HTTP response code to automatically detect failures

$ rcode=$(curl https://policybot.domain/api/validate -XPUT -T path/to/policy.yml -s -w "%{http_code}" -o /tmp/response)
$ if [[ "${rcode}" -gt 299 ]]; then cat /tmp/response && exit 1; fi

Caveats and Notes

There are several additional behaviors that follow from the rules above that are worth mentioning.

Disapproval is Disabled by Default

You must set at least one of the disapproval.requires fields to enable disapproval. Without setting one of these fields, GitHub reviews that request changes have no effect on the policy-bot status.

Interactions with GitHub Reviews

GitHub Reviews allow a user to dismiss the last review they left, causing it to no longer count towards rule evaluations. When this happens policy-bot will use a previous, non-dismissed review, if it exists, when evaluating rules.

For example, if a user leaves an "approval" review and follows up with a "request changes" review, policy-bot will use the "request changes" review when evaluating rules. However, if the user then dimisses their "request changes" review, policy-bot will instead use the initial "approval" review in evaluating any rules.

or, and, and if (Rule Predicates)

If the if block of a rule (the predicate) is not satisfied, the rule is marked as "skipped". Skipped rules interact with or and and as follows:

  • An and block containing only skipped rules is also skipped
  • An or block containing only skipped rules is also skipped

Effectively, skipped rules are treated as if they don't exist.

Cross-organization Membership Tests

policy-bot allows approval rules to reference organizations and teams that are not in the organization that owns the repository where the rules appear. In this case, policy-bot must be installed on all referenced organizations.

Update Merges

For a commit on a branch to count as an "update merge" for the purpose of the ignore_update_merges option, the following must be true:

  1. The commit must have exactly two parents
  2. The commit must have the committedViaWeb property set to true
  3. The first parent must exist in the pull request while the second parent must not exist in the pull request (meaning it is on the target branch)

These will all be true after updating a branch using the UI, but historic merges on long-running branches or merges created with the API may not be ignored. If this happens, you will need to reapprove the pull request.

This feature has security implications.

Automatically Requesting Reviewers

policy-bot can automatically request reviewers for all pending rules when Pull Requests are opened by setting the request_review option.

The mode enum modifies how reviewers are selected. There are currently three supported options:

  • all-users to request all users who can approve
  • random-users to randomly select the number of users that are required
  • teams to request teams for review. Teams must be repository collaborators with at least read access.
options:
  request_review:
    enabled: true
    mode: all-users|random-users|teams

The set of requested reviewers will not include the author of the pull request or users who are not collaborators on the repository.

When requesting reviews for rules that use repository permissions to select approvers, only users who are direct collaborators or members of repository teams are eligible for review selection. The users or their teams must be granted an exact permission specified in the permissions list of the rule.

For example, if a rule can be approved by any user with admin permission, only direct or team admins are selected for review. Users who inherit repository admin permissions as organization owners are not selected.

The teams mode needs the team visibility to be set to visibile to enable this functionality for a given team.

Example

Given the following example requirement rule,

  requires:
    count: 2
    users: ["user1", "user2"]
    organizations: ["org1", "org2"]
    teams: ["org1/team1", "org2/team2"]

policy-bot will attempt to request 2 reviewers randomly from the expanded set of users of in

["user1", "user2", "users in org1", "users in org2", "users in org1/team1", "users in org2/team"]

Where the Pull Request Author and any non direct collaborators have been removed from the set.

Invalidating Approval on Push

By default, policy-bot does not invalidate exisitng approvals when users add new commits to a pull request. You can control this behavior for each rule in a policy using the invalidate_on_push option.

To invalidate approvals, policy-bot compares an estimate of the push time of each commit with the time of each approval comment or review. The push time estimate uses the time of the oldest status check, or the current time during evaluation if there are no status checks. This is guaranteed to be after the actual push time, but the delay may be arbitrarily large based on GitHub webhook delivery behavior and processing time in policy-bot.

In practice, this means that adding an approval immediately after (within a few seconds of) a push may not approve the pull request. If this happens, leave a second approval comment or review after policy-bot adds the "pending" status check.

policy-bot caches push times in memory to improve performance and reduce API requests.

Older versions of policy-bot (before 1.31.0) used the pushedDate field in GitHub's GraphQL API to estimate commit push times. GitHub removed this field in mid-2023 because computing it was unreliable and inaccurate (see issue #598 for more details.)

Security

While policy-bot can be used to implement security controls on GitHub repositories, there are important limitations to be aware of before adopting this approach.

Status Checks

policy-bot reports approval status to GitHub using commit statuses. While statuses cannot be deleted, they can be set or overwritten by any user with write access to a repository. To prevent forged statuses, GitHub allows setting an expected source for a status check when making it a requirement on a protected branch. Policy Bot always should be set as the expect source for its checks.

For older versions of GitHub Enterprise that do not support expected sources for status checks, policy-bot contains an auditing feature to detect overwritten statuses. In addition to logging an audit event, it will replace the forged status with a failure. However, a well-timed attempt can still approve and merge a pull request before policy-bot can detect the problem. Organizations concerned about this case should monitor and alert on the relevant audit logs or minimize write access to repositories.

Comment Edits

GitHub users with sufficient permissions can edit the comments of other users, possibly changing an unrelated comment into one that enables approval. policy-bot also contains audting for this event, but as with statuses, a well-timed edit can approve and merge a pull request before policy-bot can detect the problem. Organizations concerned about this case can use the ignore_edited_comments option or can monitor and alert on the relevant audit logs.

This issue can also be minimized by only using GitHub reviews for approval, at the expense of removing the ability to self-approve pull requests.

Commit Users

GitHub associates commits with users by mapping the email address in a commit to email addresses associated with GitHub user accounts. policy-bot then uses the GitHub username to evaluate user-based rules and options. There are two failure modes in this process:

  1. If GitHub does not recognize either the author or committer email of a commit, policy-bot cannot evaluate the commit with respect to user-based rules and the commit is effectively ignored.

  2. If emails are manipulated when creating a commit, a user can trick GitHub and policy-bot into attributing the commit to a different user.

If using GitHub Enterprise, both of these issues are avoidable by using the commit-current-user-check pre-receive hook.

Update Merge Conflicts

When using the ignore_update_merges option, policy-bot cannot tell the difference between clean merges and merges that contain conflict resolution. This means that a user who carefully crafts a pull request to generate a conflict can use the web conflict editor to add unapproved changes to the file containing the conflict.

Depending on the author of the merge commits, it may be possible to avoid this issue by using the ignore_commits_by option in combination with the commit-current-user-check pre-receive hook.

Deployment

policy-bot is easy to deploy in your own environment as it has no dependencies other than GitHub. It is also safe to run multiple instances of the server, making it a good fit for container schedulers like Nomad or Kubernetes.

We provide both a Docker container and a binary distribution of the server:

A sample configuration file is provided at config/policy-bot.example.yml. Certain values may also be set by environment variables; these are noted in the comments in the sample configuration file. By default, the environment variables for server values are prefixed with POLICYBOT_ (e.g. POLICYBOT_PORT). This prefix can be overridden by setting the POLICYBOT_ENV_PREFIX environment variable.

GitHub App Configuration

To configure policy-bot as a GitHub App, set these options in GitHub:

  • Under Identifying and authorizing users
    • Set User authorization callback URL to http(s)://<your-policy-bot-domain>/api/github/auth
    • Uncheck Request user authorization (OAuth) during installation
  • Under Webhook
    • Set Webhook URL to http(s)://<your-policy-bot-domain>/api/github/hook
    • Set Webhook secret: A random string that matches the value of the github.app.webhook_secret property in the server configuration

The app requires these permissions:

Permission Access Reason
Repository contents Read-only Read configuration and commit metadata
Checks Read-only Read check run results
Repository administration Read-only Read admin team(s) membership
Issues Read-only Read pull request comments
Merge Queues Read-only Read repository merge queues
Repository metadata Read-only Basic repository data
Pull requests Read & write Receive pull request events, read metadata. Assign reviewers
Commit status Read & write Post commit statuses
Organization members Read-only Determine organization and team membership

The app should be subscribed to these events:

  • Check run
  • Issue comment
  • Merge groups
  • Pull request
  • Pull request review
  • Status

There is a logo.png provided if you'd like to use it as the GitHub application logo. The background color is #4d4d4d.

After creating the app, update the server configuration file with the following generated values:

  • App ID (github.app.integration_id)
  • Client ID (github.oauth.client_id)
  • Client secret (github.oauth.client_secret)
  • Private key (github.app.private_key)

Operations

policy-bot uses go-baseapp and go-githubapp, both of which emit standard metrics and structured log keys. Please see those projects for details.

Development

To develop policy-bot, you will need a Go installation. If you want to build the UI, you'll also need NodeJS and Yarn.

Run style checks and tests

./godelw verify

Running the server locally

# copy and edit the server config
cp config/policy-bot.example.yml config/policy-bot.yml

./godelw run policy-bot server
  • config/policy-bot.yml is used as the default configuration file
  • The server is available at http://localhost:8080/

Installing UI dependencies and building assets

# install dependencies
yarn install

# build CSS and JS assets
yarn run build
  • This generates a combined stylesheet with policy-bot styles and Tailwind core styles. It also copies JS files and other assets into the correct locations.

  • To use the local asset files with a local server, add or uncomment the following in the server configuration file:

    files:
      static: build/static
      templates: server/templates

Running the server via docker

# copy and edit the server config
cp config/policy-bot.example.yml config/policy-bot.yml

# build the docker image
./godelw docker build --verbose

docker run --rm -v "$(pwd)/config:/secrets/" -p 8080:8080 palantirtechnologies/policy-bot:latest
  • This will mount the path relative path config/ which should contain the modified config file policy-bot.yml
  • The server is available at http://localhost:8080/

Example Policy Files

Example policy files can be found in config/policy-examples

Contributing

Contributions and issues are welcome. For new features or large contributions, we prefer discussing the proposed change on a GitHub issue prior to a PR.

License

This library is made available under the Apache 2.0 License.

More Repositories

1

blueprint

A React-based UI toolkit for the web
TypeScript
19,885
star
2

tslint

🚦 An extensible linter for the TypeScript language
TypeScript
5,916
star
3

plottable

πŸ“Š A library of modular chart components built on D3
TypeScript
2,926
star
4

python-language-server

An implementation of the Language Server Protocol for Python
Python
2,579
star
5

windows-event-forwarding

A repository for using windows event forwarding for incident detection and response
Roff
1,215
star
6

pyspark-style-guide

This is a guide to PySpark code style presenting common situations and the associated best practices based on the most frequent recurring topics across the PySpark repos we've encountered.
Python
1,019
star
7

osquery-configuration

A repository for using osquery for incident detection and response
814
star
8

tslint-react

πŸ“™ Lint rules related to React & JSX for TSLint.
TypeScript
752
star
9

bulldozer

GitHub Pull Request Auto-Merge Bot
Go
742
star
10

gradle-docker

a Gradle plugin for orchestrating docker builds and pushes.
Groovy
723
star
11

alerting-detection-strategy-framework

A framework for developing alerting and detection strategies for incident response.
657
star
12

stacktrace

Stack traces for Go errors
Go
498
star
13

palantir-java-format

A modern, lambda-friendly, 120 character Java formatter.
Java
427
star
14

docker-compose-rule

A JUnit rule to manage docker containers using docker-compose
Java
422
star
15

conjure

Strongly typed HTTP/JSON APIs for browsers and microservices
Java
417
star
16

go-githubapp

A simple Go framework for building GitHub Apps
Go
342
star
17

eclipse-typescript

An Eclipse plug-in for developing in the TypeScript language.
JavaScript
340
star
18

gradle-git-version

a Gradle plugin that uses `git describe` to produce a version string.
Java
339
star
19

godel

Go tool for formatting, checking, building, distributing and publishing projects
Go
304
star
20

jamf-pro-scripts

A collection of scripts and extension attributes created for managing Mac workstations via Jamf Pro.
Shell
304
star
21

gradle-baseline

A set of Gradle plugins that configure default code quality tools for developers.
Java
283
star
22

gradle-graal

A plugin for Gradle that adds tasks to download, extract and interact with GraalVM tooling.
Java
227
star
23

log4j-sniffer

A tool that scans archives to check for vulnerable log4j versions
Go
192
star
24

tfjson

Terraform plan file to JSON
Go
181
star
25

k8s-spark-scheduler

A Kubernetes Scheduler Extender to provide gang scheduling support for Spark on Kubernetes
Go
175
star
26

Sysmon

A lightweight platform monitoring tool for Java VMs
Java
155
star
27

documentalist

πŸ“ A sort-of-static site generator optimized for living documentation of software projects
TypeScript
153
star
28

exploitguard

Documentation and supporting script sample for Windows Exploit Guard
PowerShell
148
star
29

typesettable

πŸ“ A typesetting library for SVG and Canvas
TypeScript
146
star
30

bouncer

An application to cycle (bounce) all nodes in a coordinated fashion in an AWS ASG or set of related ASGs
Go
129
star
31

gradle-consistent-versions

Compact, constraint-friendly lockfiles for your dependencies
Java
112
star
32

Cinch

A Java library that manages component action/event bindings for MVC patterns
Java
110
star
33

redoodle

An addon library for Redux that enhances its integration with TypeScript.
TypeScript
100
star
34

gradle-jacoco-coverage

Groovy
99
star
35

sqlite3worker

A threadsafe sqlite worker for Python
Python
94
star
36

phishcatch

A browser extension and API server for detecting corporate password use on external websites
CSS
90
star
37

python-jsonrpc-server

A Python 2 and 3 asynchronous JSON RPC server
Python
83
star
38

conjure-java-runtime

Opinionated libraries for HTTP&JSON-based RPC using Retrofit, Feign, OkHttp as clients and Jetty/Jersey as servers
Java
78
star
39

go-baseapp

A lightweight starting point for Go web servers
Go
72
star
40

stashbot

A plugin for Atlassian Stash to allow easy, self-service continuous integration with Jenkins
Java
67
star
41

stash-codesearch-plugin

Provides global repository, commit, and file content search for Atlassian Stash instances
Java
62
star
42

gradle-processors

Gradle plugin for integrating Java annotation processors
Groovy
62
star
43

go-java-launcher

A simple Go program for launching Java programs from a fixed configuration. This program replaces Gradle-generated Bash launch scripts which are susceptible to attacks via injection of environment variables of the form JAVA_OPTS='$(rm -rf /)'.
Go
59
star
44

pkg

A collection of stand-alone Go packages
Go
53
star
45

rust-zipkin

A library for logging and propagating Zipkin trace information in Rust
Rust
53
star
46

witchcraft-go-server

A highly opinionated Go embedded application server for RESTy APIs
Go
51
star
47

grunt-tslint

A Grunt plugin for tslint.
JavaScript
51
star
48

spark-influx-sink

A Spark metrics sink that pushes to InfluxDb
Scala
51
star
49

giraffe

Gracefully Integrated Remote Access For Files and Execution
Java
49
star
50

language-servers

[Deprecated and No longer supported] A collection of implementations for the Microsoft Language Server Protocol
Java
48
star
51

go-license

Go tool that applies and verifies that proper license headers are applied to Go files
Go
47
star
52

hadoop-crypto

Library for per-file client-side encyption in Hadoop FileSystems such as HDFS or S3.
Java
41
star
53

roboslack

A pluggable, fluent, straightforward Java library for interacting with Slack.
Java
39
star
54

tritium

Tritium is a library for instrumenting applications to provide better observability at runtime
Java
39
star
55

sls-packaging

A set of Gradle plugins for creating SLS-compatible packages
Shell
38
star
56

dropwizard-web-security

A Dropwizard bundle for applying default web security functionality
Java
37
star
57

goastwriter

Go library for writing Go source code programatically
Go
34
star
58

palantir-python-sdk

Palantir Python SDK
Python
33
star
59

gradle-gitsemver

Java
31
star
60

gradle-revapi

Gradle plugin that uses Revapi to check whether you have introduced API/ABI breaks in your Java public API
Java
29
star
61

checks

Go libraries and programs for performing static checks on Go projects
Go
29
star
62

dialogue

A client-side RPC library for conjure-java
Java
29
star
63

gradle-circle-style

πŸš€πŸš€πŸš€MOVED TO Baseline
Java
28
star
64

conjure-java

Conjure generator for Java clients and servers
Java
27
star
65

trove

Patched version of the Trove 3 library - changes the Collections semantics to match proper java.util.Map semantics
Java
27
star
66

atlasdb

Transactional Distributed Database Layer
Java
27
star
67

stylelint-config-palantir

Palantir's stylelint config
JavaScript
25
star
68

typedjsonrpc

A typed decorator-based JSON-RPC library for Python
Python
24
star
69

distgo

Go tool for building, distributing and publishing Go projects
Go
23
star
70

encrypted-config-value

Tooling for encrypting certain configuration parameter values in dropwizard apps
Java
22
star
71

typescript-service-generator

Java
21
star
72

streams

Utilities for working with Java 8 streams
Java
21
star
73

gradle-npm-run-plugin

Groovy
20
star
74

conjure-rust

Conjure support for Rust
Rust
20
star
75

conjure-python

Conjure generator for Python clients
Java
19
star
76

amalgomate

Go tool for combining multiple different main packages into a single program or library
Go
19
star
77

serde-encrypted-value

A crate which wraps Serde deserializers and decrypts values
Rust
19
star
78

gradle-docker-test-runner

Gradle plugin for running tests in Docker environments
Groovy
19
star
79

gradle-shadow-jar

Gradle plugin to precisely shadow either a dependency or its transitives
Groovy
19
star
80

tracing-java

Java library providing zipkin-like tracing functionality
Java
18
star
81

gerrit-ci

Plugin for Gerrit enabling self-service continuous integration workflows with Jenkins.
Java
18
star
82

gpg-tap-notifier-macos

Show a macOS notification when GPG is waiting for you to tap/touch a security device (e.g. YubiKey).
Swift
18
star
83

conjure-typescript

Conjure generator for TypeScript clients
TypeScript
17
star
84

plottable-moment

Plottable date/time formatting library built on Moment.js
JavaScript
16
star
85

spark-tpcds-benchmark

Utility for benchmarking changes in Spark using TPC-DS workloads
Java
16
star
86

assertj-automation

Automatic code rewriting for AssertJ using error-prone and refaster
Java
16
star
87

metric-schema

Schema for standard metric definitions
Java
14
star
88

safe-logging

Interfaces and utilities for safe log messages
Java
14
star
89

resource-identifier

Common resource identifier specification for inter-application object sharing
Java
14
star
90

dropwizard-web-logger

WebLoggerBundle is a Dropwizard bundle used to help log web activity to log files on a server’s backend
Java
14
star
91

gradle-miniconda-plugin

Plugin that sets up a Python environment for building and running tests using Miniconda.
Java
13
star
92

human-readable-types

A collection of human-readable types
Java
12
star
93

conjure-go-runtime

Go implementation of the Conjure runtime
Go
12
star
94

gulp-count

Counts files in vinyl streams.
CoffeeScript
12
star
95

palantir-r-sdk

Palantir R SDK
R
12
star
96

go-compiles

Go check that checks that Go source and tests compiles
Go
12
star
97

go-generate

Go tool that runs and verifies the output of go generate
Go
12
star
98

asana_mailer

A script that uses Asana's RESTful API to generate plaintext and HTML emails.
Python
12
star
99

ontology-starter-react-app

Example starter repo for building React applications on top of a Foundry Ontology
TypeScript
12
star
100

eclipse-less

An Eclipse plug-in for compiling LESS files.
Java
11
star