policy-as-code
Safeguard articles tagged "policy-as-code" — guides, analysis, and best practices for software supply chain and application security.
56 articles
How to write a custom Snyk IaC rule in Rego using the Rul...
A technical walkthrough of Snyk's IaC Rules SDK: scaffolding, writing Rego deny rules, local testing, bundling, and org-wide enforcement via OCI registries.
How Snyk IaC's Terraform Cloud run tasks gate infrastruct...
How Snyk IaC uses Terraform Cloud's run tasks to scan plan output and block infrastructure changes before apply — the mechanics, enforcement levels, and limits.
How Snyk IaC's custom rule SDK structures resource-attrib...
A technical look at how Snyk IaC's Rego-based SDK normalizes Terraform, CloudFormation, Kubernetes, and ARM into one resource-attribute query model.
How an organization's custom policy set overrides Snyk Ia...
How Snyk IaC's Rego-based custom rules layer onto, disable, or supplement default policies — and what that means for enforcing org-specific IaC standards.
How Snyk IaC detects overly permissive IAM policies in Te...
A mechanical walkthrough of how Snyk IaC parses Terraform and CloudFormation, normalizes IAM policies into one model, and flags wildcard actions, resources, and principals before deploy.
The .snyk Ignore File: How It Actually Works
Snyk ignore rules let teams suppress a finding without deleting it from history — here's how the .snyk file's syntax, expiry, and reason fields actually work in practice.
What is Continuous Compliance Monitoring
Continuous compliance monitoring replaces the annual audit scramble with automated, always-on checks that map live system evidence to control requirements.
OPA Gatekeeper for Kubernetes: Writing Policies That Actually Work
Gatekeeper brings OPA's policy engine to Kubernetes. The learning curve is steep but the flexibility is unmatched. Here is how to write, test, and deploy Rego policies that enforce real security.