Adopting the Rego policy language and the Open Policy Agent (OPA) engine for Fugue’s cloud security SaaS product has paid real dividends for us and our customers. It enables Fugue users to easily create custom policies for their cloud infrastructure environments using open source tools, and it’s helped us implement out-of-the-box policy as code support for complex compliance standards, including CIS Foundations Benchmarks, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, and SOC 2 (and our own Fugue Best Practices to identify advanced cloud misconfiguration risks).
But implementing vast policy libraries and running OPA at scale (the Fugue SaaS product performs more than 100 million policy evaluations every day) created some challenges that led us to develop new tooling to make it easier and faster to develop policies in the Rego language and run validations more quickly.
This week we open sourced the Fugue Rego Toolkit, or Fregot, to enhance the experience working with the Rego policy language (read about it at DevOps.com). Fregot enables developers to easily evaluate Rego expressions, debug code, and test policies.
You can think of Fregot as an alternative to OPA's built-in interpreter. Fregot provides error handling that is easy to understand and manage, with step-by-step debugging. Additionally, Fregot speeds up the development feedback loop by watching Rego and input files for changes and enabling quick incremental loads. You can use Fregot to validate nearly any kind of JSON or YAML file against a Rego policy. Fregot offers:
- Just the Rego language implementation rather than the full OPA agent
- Useful tools to debug Rego queries and modules
- Enhanced error messages to aid in correcting Rego expressions
- Ease of extending and experimenting with new language features
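As an added illustration of the kind of policy you would develop and test with Fregot (this is example code, not from the Fregot project or Fugue's policy library), the module below flags security groups that expose SSH to the whole internet and carries its own unit test; the input shape is a constructed one, not a Fugue or cloud-provider schema:

```rego
# Added example (not from the Fregot project): flag security group rules that
# allow SSH (port 22) from 0.0.0.0/0, plus a unit test fregot can run.
# The input layout (security_groups / ingress / cidr_blocks) is constructed.
package example.sg

# A rule is "world open" if any of its CIDR blocks is 0.0.0.0/0.
world_open(rule) {
  rule.cidr_blocks[_] == "0.0.0.0/0"
}

# Port 22 is covered when it falls inside the rule's from/to range.
covers_ssh(rule) {
  rule.from_port <= 22
  rule.to_port >= 22
}

# One deny message per offending ingress rule.
deny[msg] {
  sg := input.security_groups[_]
  rule := sg.ingress[_]
  world_open(rule)
  covers_ssh(rule)
  msg := sprintf("security group %s allows SSH from 0.0.0.0/0", [sg.name])
}

# Constructed input: "web" is misconfigured, "db" only allows a private range.
test_flags_only_world_open_ssh {
  result := deny with input as {"security_groups": [
    {"name": "web", "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]},
    {"name": "db", "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["10.0.0.0/8"]}]},
  ]}
  count(result) == 1
  result["security group web allows SSH from 0.0.0.0/0"]
}
```

Assuming the module is saved as sg.rego, `fregot test sg.rego` runs the test rule and `fregot repl sg.rego` loads it for interactive evaluation; the same file also works with `opa test`.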
You can find the Fregot open source project on GitHub. We hope you find it useful, and let us know how it can become more so!
Josh Stella will be presenting on Fregot at the OPA Summit at KubeCon next week (November 18, 2019).
Fregot provides guided help for writing OPA policies
While you're here...
Fugue is cloud security for developers, by developers. We make tools that bake security into the entire system lifecycle on the cloud. We’d love to show you how.
Fugue Developer enables engineers to:
- Auto-generate visualization diagrams of cloud infrastructure and inspect resource configurations and relationships
- Identify cloud misconfiguration risks and policy violations at every stage of the SDLC and get rich feedback to quickly correct them
- Demonstrate cloud infrastructure compliance for common industry standards and custom enterprise policies
- Monitor changes to cloud infrastructure to understand the impact on the security and compliance posture of their environment
- Protect security-critical cloud resources with drift detection and automated remediation without the burdens of scripts and bots