7 dépôts
Portable engines for enforcing security and operational standards across cloud-native environments.
Distinct from Cloud Native Development Tools: Distinct from general development tools: focuses specifically on policy enforcement engines for cloud-native stacks.
Explore 7 awesome GitHub repositories matching devops & infrastructure · Policy Engines. Refine with filters or upvote what's useful.
This project is a unified, cloud-native policy engine designed to decouple authorization and security logic from application codebases. It functions as a centralized authorization service that evaluates structured input data against declarative rules, enabling consistent policy enforcement across microservices, infrastructure, and continuous integration pipelines. The engine utilizes a specialized logic programming language to express complex constraints, which are compiled into an optimized intermediate representation for high-performance evaluation. By supporting both sidecar-based deployme
Enforces security and operational standards across infrastructure, microservices, and CI/CD pipelines in cloud-native environments.
Kyverno is a Kubernetes policy engine and cloud native governance tool. It functions as a policy-as-code framework that validates, mutates, and generates resources to enforce security and governance standards within a cluster. The project distinguishes itself through a declarative policy model that utilizes native Kubernetes custom resource definitions, allowing policies to be managed as standard cluster objects without custom code. It provides specific security capabilities for container image verification and signature validation to ensure only trusted images are deployed. Its broader capa
Provides a portable engine for enforcing security and operational standards via validation, mutation, and generation of resources.
tfsec is a static analysis tool and security scanner for infrastructure as code, specifically designed to detect misconfigurations and compliance violations in Terraform and cloud infrastructure definitions before deployment. It functions as a cloud security policy engine that identifies vulnerabilities across multiple cloud platforms. The tool provides capabilities for cloud compliance auditing and scanning of Cloud Development Kit code. It supports custom security policy enforcement and allows for the definition of organization-specific security requirements. The scanner includes features
Enforces security best practices and operational standards across multiple cloud-native environments using a policy engine.
Cloud Custodian est un moteur de gouvernance multi-cloud et un outil d'application de politiques conçu pour automatiser la sécurité, la conformité et l'optimisation des coûts chez divers fournisseurs cloud. Il fonctionne comme un moteur de règles qui utilise un langage spécifique au domaine (DSL) déclaratif pour interroger les ressources cloud et exécuter des actions correctives basées sur des filtres prédéfinis. Le système fonctionne comme un orchestrateur de politiques serverless, déployant des fonctions spécifiques au fournisseur pour déclencher une application en temps réel en réponse aux changements de ressources cloud. Il fournit une abstraction de ressource agnostique au fournisseur pour maintenir des politiques opérationnelles cohérentes à travers plusieurs comptes, abonnements et projets. Ses capacités couvrent l'audit de l'infrastructure cloud, incluant l'analyse des actifs au sein des pipelines d'intégration continue et la génération de rapports de conformité. L'outil prend également en charge l'optimisation des coûts pour identifier et supprimer les ressources inutilisées et inclut un mode de simulation pour identifier les ressources affectées sans appliquer de changements réels.
Utilizes a declarative YAML-based domain specific language to define resource filters and corrective governance actions.
Cloud Custodian is an open-source rules engine that uses declarative YAML policies to query, filter, and take automated actions on cloud resources for governance and compliance. It functions as a stateless policy execution engine, where each policy evaluation runs as an independent, idempotent operation without maintaining internal state between runs. Policies are defined using a YAML-based domain-specific language that structures rules as a query-filter-action pipeline. The engine supports dry-run validation, allowing users to simulate policy actions against live resources without applying c
A policy engine that defines cloud resource management rules in YAML, enabling querying, filtering, and automated actions across accounts.
Goss est un outil de validation d'infrastructure et un framework de test utilisé pour vérifier que l'état actuel d'un serveur correspond à une configuration souhaitée. Il compare la sortie système en direct avec des spécifications YAML ou JSON pour valider des composants tels que les paquets, les services, les utilisateurs et les ports réseau. L'outil permet la génération automatisée de spécifications de test en capturant l'état existant d'un système. Il prend en charge divers environnements de déploiement via l'utilisation de modèles dynamiques et de fichiers de variables. Au-delà de la validation ponctuelle, le framework peut exécuter des tests avec réessai qui sondent la convergence de l'état jusqu'à ce qu'un délai d'attente soit atteint. Il fournit une observabilité en exposant les résultats de validation via des endpoints de santé HTTP et en exportant les résultats dans des formats standards pour l'intégration avec des outils de surveillance externes.
Utilizes a declarative YAML-based specification to query and validate the state of server packages, services, and ports.
Cerbos is an open-source authorization service that provides a centralized, language-agnostic engine for managing access control. It functions as a policy-as-code platform, allowing teams to define, test, and distribute authorization rules using declarative YAML or JSON configurations. By decoupling access logic from application code, it enables consistent permission enforcement across diverse service stacks. The project distinguishes itself through its ability to translate high-level authorization policies into native database query filters. This capability allows applications to enforce sec
Supports querying and retrieving specific policy and schema definitions with filtering, sorting, and output formatting.