{"id":13563798,"url":"https://github.com/cedar-policy/cedar","last_synced_at":"2026-04-23T18:02:07.988Z","repository":{"id":163485632,"uuid":"632518057","full_name":"cedar-policy/cedar","owner":"cedar-policy","description":"Implementation of the Cedar Policy Language","archived":false,"fork":false,"pushed_at":"2026-04-15T19:56:08.000Z","size":13904,"stargazers_count":1410,"open_issues_count":161,"forks_count":143,"subscribers_count":13,"default_branch":"main","last_synced_at":"2026-04-15T20:26:21.346Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://www.cedarpolicy.com","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cedar-policy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-04-25T15:13:59.000Z","updated_at":"2026-04-15T19:30:26.000Z","dependencies_parsed_at":"2025-11-28T09:03:29.476Z","dependency_job_id":null,"html_url":"https://github.com/cedar-policy/cedar","commit_stats":null,"previous_names":[],"tags_count":73,"template":false,"template_full_name":"amazon-archives/__template_Apache-2.0","purl":"pkg:github/cedar-policy/cedar","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedar-policy%2Fcedar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedar-policy%2Fcedar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedar-policy%2Fcedar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedar-policy%2Fcedar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cedar-policy","download_url":"https://codeload.github.com/cedar-policy/cedar/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedar-policy%2Fcedar/sbom","scorecard":{"id":1239388,"data":{"date":"2025-10-31T18:20:36Z","repo":{"name":"github.com/cedar-policy/cedar","commit":"65af948d3b57d23837d98346c47bcfa337555334"},"scorecard":{"version":"v5.1.1","commit":"cd152cb6742c5b8f2f3d2b5193b41d9c50905198"},"score":8.9,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dependency-update-tool"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#code-review"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/cargo_audit.yml:15","Info: topLevel permissions set to 'read-all': .github/workflows/build_and_test.yml:20","Info: topLevel permissions set to 'read-all': .github/workflows/build_downstream_deps.yml:7","Info: topLevel permissions set to 'read-all': .github/workflows/build_release.yml:13","Info: topLevel permissions set to 'read-all': .github/workflows/cargo_audit.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/ci.yml:9","Info: topLevel 'actions' permission set to 'read': .github/workflows/comment_pr.yml:5","Info: topLevel 'statuses' permission set to 'read': .github/workflows/comment_pr.yml:6","Info: topLevel 'contents' permission set to 'read': .github/workflows/comment_pr.yml:3","Info: topLevel permissions set to 'read-all': .github/workflows/nightly_build.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/nightly_build_downstream.yml:8","Info: topLevel permissions set to 'read-all': .github/workflows/run_integration_tests_reusable.yml:16","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#token-permissions"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: npmCommand not pinned by hash: .github/workflows/build_and_test.yml:168","Info:  22 out of  22 GitHub-owned GitHubAction dependencies pinned","Info:   4 out of   4 third-party GitHubAction dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: InProgress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#cii-best-practices"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#fuzzing"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":7,"reason":"SAST tool is not run on all commits -- score normalized to 7","details":["Warn: 21 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#sast"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#license"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"30 out of 30 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#ci-tests"}},{"name":"Contributors","score":10,"reason":"project has 17 contributing companies or organizations","details":["Info: found contributions from: Linbasta, amazon web services, aws, bytedeco, compiler-explorer, correctcomputation, dothemath-se, dotkom, inQWIRE, kframework, larsendigital, llvm, mandolin consulting ab, plum-umd, secure-foundations, strawberry-graphql, verifiedpermissions"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#contributors"}}]},"last_synced_at":"2025-10-31T20:22:49.693Z","repository_id":163485632,"created_at":"2025-10-31T20:22:49.694Z","updated_at":"2025-10-31T20:22:49.694Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32191873,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-23T15:28:30.493Z","status":"ssl_error","status_checked_at":"2026-04-23T15:28:29.972Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T13:01:23.404Z","updated_at":"2026-04-23T18:02:07.975Z","avatar_url":"https://github.com/cedar-policy.png","language":"Rust","funding_links":[],"categories":["Rust","Security \u0026 Compliance"],"sub_categories":[],"readme":"# Cedar\n\n![Cedar Logo](./logo.svg)\n\n[![Crates.io](https://img.shields.io/crates/v/cedar-policy.svg)](https://crates.io/crates/cedar-policy)\n[![docs.rs](https://img.shields.io/docsrs/cedar-policy)](https://docs.rs/cedar-policy/latest/cedar_policy/)\n![nightly](https://github.com/cedar-policy/cedar/actions/workflows/nightly_build.yml/badge.svg)\n![nightly-deps](https://github.com/cedar-policy/cedar/actions/workflows/nightly_build_downstream.yml/badge.svg)\n![audit](https://github.com/cedar-policy/cedar/actions/workflows/cargo_audit.yml/badge.svg)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/11398/badge)](https://www.bestpractices.dev/projects/11398)\n\nThis repository contains source code of the Rust crates that implement the [Cedar](https://www.cedarpolicy.com/) policy language.\n\nCedar is a language for writing and enforcing authorization policies in your applications. Using Cedar, you can write policies that specify your applications' fine-grained permissions. Your applications then authorize access requests by calling Cedar's authorization engine. Because Cedar policies are separate from application code, they can be independently authored, updated, analyzed, and audited. You can use Cedar's validator to check that Cedar policies are consistent with a declared schema which defines your application's authorization model.\n\nCedar is:\n\n### Expressive\n\nCedar is a simple yet expressive language that is purpose-built to support authorization use cases for common authorization models such as RBAC and ABAC.\n\n### Performant\n\nCedar is fast and scalable. The policy structure is designed to be indexed for quick retrieval and to support fast and scalable real-time evaluation, with bounded latency.\n\n### Analyzable\n\nCedar is designed for analysis using Automated Reasoning. This enables analyzer tools capable of optimizing your policies and proving that your security model is what you believe it is.\n\n## Using Cedar\n\nCedar can be used in your application by depending on the [`cedar-policy` crate](https://crates.io/crates/cedar-policy).\n\nJust add `cedar-policy` as a dependency by running\n\n```sh\ncargo add cedar-policy\n```\n\n## Crates in This Workspace\n\n* [cedar-policy](./cedar-policy) : Main crate for using Cedar to authorize access requests in your applications, and validate Cedar policies against a schema\n* [cedar-policy-symcc](./cedar-policy-symcc) : Crate containing the Cedar symbolic compiler, enabling verification of properties about your Cedar policies with concrete counterexamples\n* [cedar-policy-cli](./cedar-policy-cli) : Crate containing a simple command-line interface (CLI) for interacting with Cedar\n* [cedar-language-server](./cedar-language-server) : Contains the implementation for the Cedar Langauge Server\n* [cedar-wasm](./cedar-wasm) : Crate defining the wasm interface for Cedar, enabling use with JavaScript and TypeScript\n* [cedar-policy-core](./cedar-policy-core) : Internal crate containing the Cedar parser, evaluator, typechecker, and other core components\n* [cedar-policy-formatter](./cedar-policy-formatter) : Internal crate containing an auto-formatter for Cedar policies\n* [cedar-testing](./cedar-testing) : Internal crate containing integration testing code\n\n## Quick Start\n\nLet's put the policy in `policy.cedar` and the entities in `entities.json`.\n\n`policy.cedar`:\n\n```cedar\npermit (\n  principal == User::\"alice\",\n  action == Action::\"view\",\n  resource in Album::\"jane_vacation\"\n);\n```\n\nThis policy specifies that `alice` is allowed to view the photos in the `\"jane_vacation\"` album.\n\n`entities.json`:\n\n```json\n[\n    {\n        \"uid\": { \"type\": \"User\", \"id\": \"alice\"} ,\n        \"attrs\": {\"age\": 18},\n        \"parents\": []\n    },\n    {\n        \"uid\": { \"type\": \"Photo\", \"id\": \"VacationPhoto94.jpg\"},\n        \"attrs\": {},\n        \"parents\": [{ \"type\": \"Album\", \"id\": \"jane_vacation\" }]\n    },\n    {\n        \"uid\": { \"type\": \"Photo\", \"id\": \"SecretPhoto94.jpg\"},\n        \"attrs\": {},\n        \"parents\": [{ \"type\": \"Album\", \"id\": \"jane_secrets\" }]\n    }\n]\n\n```\n\nCedar represents principals, resources, and actions as entities. An entity has a type (e.g., `User`) and an id (e.g., `alice`). They can also have attributes (e.g., `User::\"alice\"`'s `age` attribute is the integer `18`).\n\nNow, let's test our policy with the CLI:\n\n```sh\n cargo run --bin cedar authorize \\\n    --policies policy.cedar \\\n    --entities entities.json \\\n    --principal 'User::\"alice\"' \\\n    --action 'Action::\"view\"' \\\n    --resource 'Photo::\"VacationPhoto94.jpg\"'\n```\n\nCLI output:\n\n```\nALLOW\n```\n\nThis request is allowed because `VacationPhoto94.jpg` belongs to `Album::\"jane_vacation\"`, and `alice` can view photos in `Album::\"jane_vacation\"`.\n\nLet's test out policy again with a photo that `alice` shouldn't have access:\n\n```sh\n cargo run --bin cedar authorize \\\n    --policies policy.cedar \\\n    --entities entities.json \\\n    --principal 'User::\"alice\"' \\\n    --action 'Action::\"view\"' \\\n    --resource 'Photo::\"SecretPhoto94.jpg\"'\n```\n\nCLI output:\n\n```\nDENY\n```\n\nThis request is denied because `SecretPhoto94.jpg` belongs to `Album::\"jane_secrets\"`, and `alice` doesn't have explicit permission to view photos from this Album. \n\nIf you'd like to see more details on what can be expressed as Cedar policies, see the [documentation](https://docs.cedarpolicy.com).\n\nExamples of how to use Cedar in an application are contained in the repository [cedar-examples](https://github.com/cedar-policy/cedar-examples). [TinyTodo](https://github.com/cedar-policy/cedar-examples/tree/main/tinytodo) is a simple task list management app whose users' requests, sent as HTTP messages, are authorized by Cedar. It shows how you can integrate Cedar into your own Rust program.\n\n## Documentation\n\nGeneral documentation for Cedar is available at [docs.cedarpolicy.com](https://docs.cedarpolicy.com), with source code in the [cedar-policy/cedar-docs](https://github.com/cedar-policy/cedar-docs/) repository.\n\nGenerated documentation for the latest version of the Rust crates can be accessed\n[on docs.rs](https://docs.rs/cedar-policy).\n\nIf you're looking to integrate Cedar into a production system, please be sure to read the [security best practices](https://docs.cedarpolicy.com/other/security.html)\n\n## Building\n\nTo build, simply run `cargo build` (or `cargo build --release`).\n\n## What's New\n\nWe maintain changelogs for our public-facing crates:\n[cedar-policy](https://github.com/cedar-policy/cedar/blob/main/cedar-policy/CHANGELOG.md) and\n[cedar-policy-cli](https://github.com/cedar-policy/cedar/blob/main/cedar-policy-cli/CHANGELOG.md).\nChangelogs for all release branches and the `main` branch are all maintained on\nthe `main` branch of this repository; you can see the most up-to-date changelogs\nby following the links above.\n\nFor a list of the current and past releases, see [crates.io](https://crates.io/crates/cedar-policy) or [Releases](https://github.com/cedar-policy/cedar/releases).\n\n## Backward Compatibility Considerations\n\nCedar is written in Rust and you will typically depend on Cedar via Cargo. Cargo makes sane choices for the majority of projects, but your needs may differ. If you don't want automatic updates to Cedar, then you can pin to a specific version in your `Cargo.toml`. For example:\n\n```toml\n[dependencies]\ncedar-policy = \"=2.4.2\"\n```\n\nNote that this is different from:\n\n```toml\n[dependencies]\ncedar-policy = \"2.4.2\"\n```\n\nWhich expresses that 2.4.2 is the minimum version of Cedar you accept, and you implicitly accept anything newer that is semver-compatible. See \u003chttps://doc.rust-lang.org/cargo/reference/specifying-dependencies.html\u003e.\n\n## Security\n\nSee [SECURITY](SECURITY.md) for more information.\n\n## Contributing\n\nWe welcome contributions from the community. Please either file an issue, or see [CONTRIBUTING](CONTRIBUTING.md)\n\n## License\n\nThis project is licensed under the Apache-2.0 License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcedar-policy%2Fcedar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcedar-policy%2Fcedar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcedar-policy%2Fcedar/lists"}