Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.
This document covers Regal rules related to import organization and style.
Relevant Regal rules:
- prefer-package-imports — import the package, not individual rules from it
- redundant-alias — do not alias an import with the same name it already has
- import-after-rule — all imports must appear before any rule declarations
- avoid-importing-input-data — do not import input or import data at the top level

Import the package and reference its rules through the package name (the last path segment) or an explicit alias.
# CORRECT: import the package
import data.lib.http_utils # → use as http_utils.is_valid_method(...)
import data.rbac.authz # → use as authz.allow# WRONG: importing individual rules (prefer-package-imports violation)
import data.lib.http_utils.is_valid_method
import data.rbac.authz.allowDon't alias an import to the same identifier it already has.
# CORRECT: no alias (last path segment is already the name)
import data.lib.helpers
import data.policies.authz
# CORRECT: alias only when renaming is meaningful
import data.very.long.package.name as short_name# WRONG: alias equals the last path segment (redundant-alias violation)
import data.lib.helpers as helpers # redundant
import data.policies.authz as authz # redundantAll imports must appear in the header section before any rules.
# CORRECT: all imports at the top
package myapp.policy
import rego.v1
import data.lib.helpers
import data.users
# Deny by default: without this line, allow is undefined (not false) whenever
# the rule below does not match, and an enforcement point has to treat undefined as deny.
default allow := false
# is_admin is defined in data.lib.helpers and reached through the package name.
allow if helpers.is_admin(input.user)
# WRONG: import after rule (import-after-rule violation)
package myapp.policy
import rego.v1
default allow := false
# Regal flags this: an import that appears after a rule is easy to miss when
# reading the module header. Keep every import directly under the package line.
import data.lib.helpers # too late — must be before all rules
allow if helpers.is_admin(input.user)
Avoid importing input or data at the top level — reference them directly in rules.
# WRONG: importing data or input (avoid-importing-input-data violation)
import input as req
import data.users as users_db
# CORRECT: reference directly
# allow is true when some entry of data.users has the name supplied in input.username.
# Note: this fragment has no `default allow := false`, so allow is undefined (not
# false) when no user matches; callers must treat undefined as deny, or add the default.
allow if {
some user in data.users
user.name == input.username
}
policy.rego:
package api.authz
import rego.v1
import data.lib.jwt_utils
import data.rbac.roles
# Deny unless the rule below proves otherwise.
default allow := false
# allow when the caller's token names a subject whose role is admin or editor.
# SECURITY: jwt_utils.decode (lib/jwt_utils.rego below) only splits the token and
# base64url-decodes the payload; it does not verify the signature, `exp`, `iss`
# or `aud`. That makes `claims.sub` attacker-controlled in this example. Before
# using this policy for real authorization, replace the decode with the built-in
# io.jwt.decode_verify(input.token, constraints) keyed with the issuer's key.
allow if {
claims := jwt_utils.decode(input.token)
user_role := roles.user_role(claims.sub)
user_role in {"admin", "editor"}
}
lib/jwt_utils.rego (the imported package):
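package lib.jwt_utils
import rego.v1

# decode(token) returns the JSON payload of a compact JWS (header.payload.signature)
# as an object; it is undefined when the token does not have exactly three
# dot-separated segments.
#
# SECURITY: this helper does NOT verify the signature, the `alg` header, `exp`,
# `iss` or `aud`. Anyone can mint a token with an arbitrary `sub` that this
# function will happily return, so its result must never be the sole basis of an
# authorization decision. Use the built-in io.jwt.decode_verify(token, constraints)
# (or io.jwt.verify_*) with the issuer's key in production; keep this unverified
# decode for tests and tooling only.
decode(token) := claims if {
	parts := split(token, ".")
	count(parts) == 3 # a compact JWS always has header, payload and signature
	claims := json.unmarshal(base64url.decode(parts[1]))
}
policy_test.rego: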
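package api.authz_test
import rego.v1
import data.api.authz

# A payload-only fake token whose payload is {"sub":"alice"}. The "sig" segment is
# never checked by jwt_utils.decode, which is the only reason a fake works here.
alice_token := {"token": "header.eyJzdWIiOiJhbGljZSJ9.sig"}

# NOTE(review): policy.rego calls roles.user_role(...) as a function, while these
# tests replace the whole data.rbac.roles package with plain data. Confirm this
# `with` form evaluates on your OPA version; the documented way to mock a
# function is `with data.rbac.roles.user_role as mock_user_role`, where
# mock_user_role is a function of the same arity.
test_allow_admin if {
	authz.allow with input as alice_token
		with data.rbac.roles as {"user_role": {"alice": "admin"}}
}

test_allow_editor if {
	authz.allow with input as alice_token
		with data.rbac.roles as {"user_role": {"alice": "editor"}}
}

# Negative cases: an authorization policy needs proof that it denies, not only
# that it allows. Both rely on `default allow := false` in policy.rego.
test_deny_viewer if {
	not authz.allow with input as alice_token
		with data.rbac.roles as {"user_role": {"alice": "viewer"}}
}

test_deny_unknown_subject if {
	not authz.allow with input as alice_token
		with data.rbac.roles as {"user_role": {}}
}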