7 repository-uri
Portable engines for enforcing security and operational standards across cloud-native environments.
Distinct from Cloud Native Development Tools: Distinct from general development tools: focuses specifically on policy enforcement engines for cloud-native stacks.
Explore 7 awesome GitHub repositories matching devops & infrastructure · Policy Engines. Refine with filters or upvote what's useful.
This project is a unified, cloud-native policy engine designed to decouple authorization and security logic from application codebases. It functions as a centralized authorization service that evaluates structured input data against declarative rules, enabling consistent policy enforcement across microservices, infrastructure, and continuous integration pipelines. The engine utilizes a specialized logic programming language to express complex constraints, which are compiled into an optimized intermediate representation for high-performance evaluation. By supporting both sidecar-based deployme
Enforces security and operational standards across infrastructure, microservices, and CI/CD pipelines in cloud-native environments.
Kyverno is a Kubernetes policy engine and cloud native governance tool. It functions as a policy-as-code framework that validates, mutates, and generates resources to enforce security and governance standards within a cluster. The project distinguishes itself through a declarative policy model that utilizes native Kubernetes custom resource definitions, allowing policies to be managed as standard cluster objects without custom code. It provides specific security capabilities for container image verification and signature validation to ensure only trusted images are deployed. Its broader capa
Provides a portable engine for enforcing security and operational standards via validation, mutation, and generation of resources.
tfsec is a static analysis tool and security scanner for infrastructure as code, specifically designed to detect misconfigurations and compliance violations in Terraform and cloud infrastructure definitions before deployment. It functions as a cloud security policy engine that identifies vulnerabilities across multiple cloud platforms. The tool provides capabilities for cloud compliance auditing and scanning of Cloud Development Kit code. It supports custom security policy enforcement and allows for the definition of organization-specific security requirements. The scanner includes features
Enforces security best practices and operational standards across multiple cloud-native environments using a policy engine.
Cloud Custodian is a multi-cloud governance engine and policy enforcement tool designed to automate security, compliance, and cost optimization across various cloud providers. It functions as a rules engine that uses a declarative domain specific language to query cloud resources and execute corrective actions based on predefined filters. The system operates as a serverless policy orchestrator, deploying provider-specific functions to trigger real-time enforcement in response to cloud resource changes. It provides a provider-agnostic resource abstraction to maintain consistent operational pol
Utilizes a declarative YAML-based domain specific language to define resource filters and corrective governance actions.
Cloud Custodian is an open-source rules engine that uses declarative YAML policies to query, filter, and take automated actions on cloud resources for governance and compliance. It functions as a stateless policy execution engine, where each policy evaluation runs as an independent, idempotent operation without maintaining internal state between runs. Policies are defined using a YAML-based domain-specific language that structures rules as a query-filter-action pipeline. The engine supports dry-run validation, allowing users to simulate policy actions against live resources without applying c
A policy engine that defines cloud resource management rules in YAML, enabling querying, filtering, and automated actions across accounts.
Goss este un instrument de validare a infrastructurii și un framework de testare utilizat pentru a verifica dacă starea curentă a unui server corespunde unei configurații dorite. Compară output-ul sistemului live cu specificațiile YAML sau JSON pentru a valida componente precum pachete, servicii, utilizatori și porturi de rețea. Instrumentul permite generarea automatizată a specificațiilor de testare prin capturarea stării existente a unui sistem. Suportă medii de implementare diverse prin utilizarea de template-uri dinamice și fișiere de variabile. Dincolo de validarea la un moment dat, framework-ul poate executa teste cu reîncercare care interoghează convergența stării până la atingerea unui timeout. Oferă observabilitate prin expunerea rezultatelor validării prin endpoint-uri de sănătate HTTP și exportul rezultatelor în formate standard pentru integrarea cu instrumente de monitorizare externe.
Utilizes a declarative YAML-based specification to query and validate the state of server packages, services, and ports.
Cerbos is an open-source authorization service that provides a centralized, language-agnostic engine for managing access control. It functions as a policy-as-code platform, allowing teams to define, test, and distribute authorization rules using declarative YAML or JSON configurations. By decoupling access logic from application code, it enables consistent permission enforcement across diverse service stacks. The project distinguishes itself through its ability to translate high-level authorization policies into native database query filters. This capability allows applications to enforce sec
Supports querying and retrieving specific policy and schema definitions with filtering, sorting, and output formatting.