{"id":15012142,"url":"https://github.com/microsoft/regorus","last_synced_at":"2026-01-31T02:19:49.783Z","repository":{"id":152162616,"uuid":"599724646","full_name":"microsoft/regorus","owner":"microsoft","description":"Regorus - A fast, lightweight Rego (OPA policy language) interpreter written in Rust.","archived":false,"fork":false,"pushed_at":"2025-04-14T02:43:54.000Z","size":1639,"stargazers_count":193,"open_issues_count":29,"forks_count":38,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-04-14T12:18:38.625Z","etag":null,"topics":["c","confidential-computing","cpp","csharp","golang","interpreter","java","javascript","no-std","opa","policy-as-code","python","rego","rust","wasm"],"latest_commit_sha":null,"homepage":"","language":"Open Policy Agent","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/microsoft.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-09T18:46:41.000Z","updated_at":"2025-04-13T13:12:18.000Z","dependencies_parsed_at":"2023-12-17T02:30:26.830Z","dependency_job_id":"8775017f-9b26-4557-8f4c-e61db69d76dd","html_url":"https://github.com/microsoft/regorus","commit_stats":{"total_commits":251,"total_committers":15,"mean_commits":"16.733333333333334","dds":"0.36254980079681276","last_synced_commit":"c56da34843b7bb9dc42f0f938d35d2bba4d5b2c1"},"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fregorus","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fregorus/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fregorus/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/microsoft%2Fregorus/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/microsoft","download_url":"https://codeload.github.com/microsoft/regorus/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248877968,"owners_count":21176244,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","confidential-computing","cpp","csharp","golang","interpreter","java","javascript","no-std","opa","policy-as-code","python","rego","rust","wasm"],"created_at":"2024-09-24T19:42:09.443Z","updated_at":"2026-01-31T02:19:49.775Z","avatar_url":"https://github.com/microsoft.png","language":"Open Policy Agent","readme":"# Regorus\n\n**Regorus** is\n\n  - *Rego*-*Rus(t)*  - A fast, light-weight [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/)\n    interpreter written in Rust.\n  - *Rigorous* - A rigorous enforcer of well-defined Rego semantics.\n\nRegorus is also\n  - *cross-platform* - Written in platform-agnostic Rust.\n  - *no_std compatible* - Regorus can be used in `no_std` environments too. Most of the builtins are supported.\n  - *current* - We strive to keep Regorus up to date with latest OPA release. Regorus defaults to `v1` of the Rego language.\n  - *compliant* - Regorus is mostly compliant with the latest [OPA release v1.2.0](https://github.com/open-policy-agent/opa/releases/tag/v1.2.0). See [OPA Conformance](#opa-conformance) for details. Note that while we behaviorally produce the same results, we don't yet support all the builtins.\n  - *extensible* - Extend the Rego language by implementing custom stateful builtins in Rust.\n    See [add_extension](https://github.com/microsoft/regorus/blob/fc68bf9c8bea36427dae9401a7d1f6ada771f7ab/src/engine.rs#L352).\n    Support for extensibility using other languages coming soon.\n  - *polyglot* - In addition to Rust, Regorus can be used from *C*, *C++*, *C#*, *Golang*, *Java*, *Javascript*, *Python*, and *Ruby*.\n    This is made possible by the excellent FFI tools available in the Rust ecosystem. See [bindings](#bindings) for information on how to use Regorus from different languages.\n\n    To try out a *Javascript(WASM)* compiled version of Regorus from your browser, visit [Regorus Playground](https://anakrish.github.io/regorus-playground/).\n\n\n\nRegorus is available as a library that can be easily integrated into your Rust projects.\nHere is an example of evaluating a simple Rego policy:\n\n```rust\nfn main() -\u003e anyhow::Result\u003c()\u003e {\n    // Create an engine for evaluating Rego policies.\n    let mut engine = regorus::Engine::new();\n\n    let policy = String::from(\n        r#\"\n       package example\n\n       allow if {\n          ## All actions are allowed for admins.\n          input.principal == \"admin\"\n       } else if {\n          ## Check if action is allowed for given user.\n          input.action in data.allowed_actions[input.principal]\n       }\n\t\"#,\n    );\n\n    // Add policy to the engine.\n    engine.add_policy(String::from(\"policy.rego\"), policy)?;\n\n    // Add data to engine.\n    engine.add_data(regorus::Value::from_json_str(\n        r#\"{\n     \"allowed_actions\": {\n        \"user1\" : [\"read\", \"write\"],\n        \"user2\" : [\"read\"]\n     }}\"#,\n    )?)?;\n\n    // Set input and evaluate whether user1 can write.\n    engine.set_input(regorus::Value::from_json_str(\n        r#\"{\n      \"principal\": \"user1\",\n      \"action\": \"write\"\n    }\"#,\n    )?);\n\n    let r = engine.eval_rule(String::from(\"data.example.allow\"))?;\n    assert_eq!(r, regorus::Value::from(true));\n\n    // Set input and evaluate whether user2 can write.\n    engine.set_input(regorus::Value::from_json_str(\n        r#\"{\n      \"principal\": \"user2\",\n      \"action\": \"write\"\n    }\"#,\n    )?);\n\n    let r = engine.eval_rule(String::from(\"data.example.allow\"))?;\n    assert_eq!(r, regorus::Value::Undefined);\n\n    Ok(())\n}\n```\n\nRegorus is designed with [Confidential Computing](https://confidentialcomputing.io/about/) in mind. In Confidential Computing environments,\nit is important to be able to control exactly what is being run. Regorus allows enabling and disabling various components using cargo\nfeatures. By default all features are enabled.\n\nThe default build of regorus example program is 6.3M:\n```bash\n$ cargo build -r --example regorus; strip target/release/examples/regorus; ls -lh target/release/examples/regorus\n-rwxr-xr-x  1 anand  staff   6.3M May 11 22:03 target/release/examples/regorus*\n```\n\n\nWhen all default features are disabled, the binary size drops down to 1.9M.\n```bash\n$ cargo build -r --example regorus --no-default-features; strip target/release/examples/regorus; ls -lh target/release/examples/regorus\n-rwxr-xr-x  1 anand  staff   1.9M May 11 22:04 target/release/examples/regorus*\n```\n\nRegorus passes the [OPA v1.2.0 test-suite](https://www.openpolicyagent.org/docs/latest/ir/#test-suite) barring a few\nbuiltins. See [OPA Conformance](#opa-conformance) below.\n\n## Bindings\n\nRegorus can be used from a variety of languages:\n\n- *C*: C binding is generated using [cbindgen](https://github.com/mozilla/cbindgen).\n  [corrosion-rs](https://github.com/corrosion-rs/corrosion) can be used to seamlessly use Regorous\n  in your CMake based projects. See [bindings/c](https://github.com/microsoft/regorus/tree/main/bindings/c).\n- *C freestanding*: [bindings/c_no_std](https://github.com/microsoft/regorus/tree/main/bindings/c_no_std) shows how to use Regorus from C environments without a libc.\n- *C++*: C++ binding is generated using [cbindgen](https://github.com/mozilla/cbindgen).\n  [corrosion-rs](https://github.com/corrosion-rs/corrosion) can be used to seamlessly use Regorous\n  in your CMake based projects. See [bindings/cpp](https://github.com/microsoft/regorus/tree/main/bindings/cpp).\n- *C#*: C# binding is generated using [csbindgen](https://github.com/Cysharp/csbindgen). See [bindings/csharp](https://github.com/microsoft/regorus/tree/main/bindings/csharp) for an example of how to build and use Regorus in your C# projects.\n- *Golang*: The C bindings are exposed to Golang via [CGo](https://pkg.go.dev/cmd/cgo). See [bindings/go](https://github.com/microsoft/regorus/tree/main/bindings/go) for an example of how to build and use Regorus in your Go projects.\n- *Python*: Python bindings are generated using [pyo3](https://github.com/PyO3/pyo3). Wheels are created using [maturin](https://github.com/PyO3/maturin). See [bindings/python](https://github.com/microsoft/regorus/tree/main/bindings/python).\n- *Java*: Java bindings are developed using [jni-rs](https://github.com/jni-rs/jni-rs).\n  See [bindings/java](https://github.com/microsoft/regorus/tree/main/bindings/java).\n- *Javascript*: Regorus is compiled to WASM using [wasmpack](https://github.com/rustwasm/wasm-pack).\n  See [bindings/wasm](https://github.com/microsoft/regorus/tree/main/bindings/wasm) for an example of using Regorus from nodejs.\n  To try out a *Javascript(WASM)* compiled version of Regorus from your browser, visit [Regorus Playground](https://anakrish.github.io/regorus-playground/).\n- *Ruby*: Ruby bindings are developed using [magnus](https://github.com/matsadler/magnus).\n  See [bindings/ruby](https://github.com/microsoft/regorus/tree/main/bindings/ruby).\n\nTo avoid operational overhead, we currently don't publish these bindings to various repositories.\nIt is straight-forward to build these bindings yourself.\n\n\n## Getting Started\n\n[examples/regorus](https://github.com/microsoft/regorus/blob/main/examples/regorus.rs) is an example program that\nshows how to integrate Regorus into your project and evaluate Rego policies.\n\nTo build and install it, do\n\n```bash\n$ cargo install --example regorus --path .\n```\n\nCheck that the regorus example program is working\n\n```bash\n$ regorus\nUsage: regorus \u003cCOMMAND\u003e\n\nCommands:\n  ast    Parse a Rego policy and dump AST\n  eval   Evaluate a Rego Query\n  lex    Tokenize a Rego policy\n  parse  Parse a Rego policy\n  help   Print this message or the help of the given subcommand(s)\n\nOptions:\n  -h, --help     Print help\n  -V, --version  Print version\n```\n\n\nFirst, let's evaluate a simple Rego expression `1*2+3`\n\n```bash\n$ regorus eval \"1*2+3\"\n```\n\nThis produces the following output\n\n```json\n{\n  \"result\": [\n    {\n      \"expressions\": [\n        {\n           \"value\": 5,\n           \"text\": \"1*2+3\",\n           \"location\": {\n              \"row\": 1,\n              \"col\": 1\n            }\n        }\n      ]\n    }\n  ]\n}\n```\n\nNext, evaluate a sample [policy](https://github.com/microsoft/regorus/blob/main/examples/server/allowed_server.rego) and [input](https://github.com/microsoft/regorus/blob/main/examples/server/input.json)\n(borrowed from [Rego tutorial](https://www.openpolicyagent.org/docs/latest/#2-try-opa-eval)):\n\n```bash\n$ regorus eval -d examples/server/allowed_server.rego -i examples/server/input.json data.example\n```\n\nFinally, evaluate real-world [policies](tests/aci/) used in Azure Container Instances (ACI)\n\n```bash\n$ regorus eval -b tests/aci -d tests/aci/data.json -i tests/aci/input.json data.policy.mount_overlay=x\n```\n\n## Policy coverage\n\nRegorus allows determining which lines of a policy have been executed using the `coverage` feature (enabled by default).\n\nWe can try it out using the `regorus` example program by passing in the `--coverage` flag.\n\n```shell\n$ regorus eval -d examples/server/allowed_server.rego -i examples/server/input.json data.example --coverage\n```\n\nIt produces the following coverage report which shows that all lines are executed except the line that sets `allow` to true.\n\n![coverage.png](https://github.com/microsoft/regorus/blob/main/docs/coverage.png?raw=true)\n\nSee [Engine::get_coverage_report](https://docs.rs/regorus/latest/regorus/struct.Engine.html#method.get_coverage_report) for details.\nPolicy coverage information is useful for debugging your policy as well as to write tests for your policy so that all\nlines of the policy are exercised by the tests.\n\n## ACI Policies\n\nRegorus successfully passes the ACI policy test-suite. It is fast and can run each of the tests in a few milliseconds.\n\n```bash\n$ cargo test -r --test aci\n    Finished release [optimized + debuginfo] target(s) in 0.05s\n    Running tests/aci/main.rs (target/release/deps/aci-2cd8d21a893a2450)\naci/mount_device                                  passed    3.863292ms\naci/mount_overlay                                 passed    3.6905ms\naci/scratch_mount                                 passed    3.643041ms\naci/create_container                              passed    5.046333ms\naci/shutdown_container                            passed    3.632ms\naci/scratch_unmount                               passed    3.631333ms\naci/unmount_overlay                               passed    3.609916ms\naci/unmount_device                                passed    3.626875ms\naci/load_fragment                                 passed    4.045167ms\n```\n\nRun the ACI policies in the `tests/aci` directory, using data `tests/aci/data.json` and input `tests/aci/input.json`:\n\n```bash\n$ regorus eval -b tests/aci -d tests/aci/data.json -i tests/aci/input.json data.policy.mount_overlay=x\n```\n\nVerify that [OPA](https://github.com/open-policy-agent/opa/releases) produces the same output\n\n```bash\n$ diff \u003c(regorus eval -b tests/aci -d tests/aci/data.json -i tests/aci/input.json data.framework.mount_overlay=x) \\\n       \u003c(opa eval -b tests/aci -d tests/aci/data.json -i tests/aci/input.json data.framework.mount_overlay=x)\n```\n\n\n## Performance\n\nTo check how fast Regorus runs on your system, first install a tool like [hyperfine](https://github.com/sharkdp/hyperfine).\n\n```bash\n$ cargo install hyperfine\n```\n\nThen benchmark evaluation of the ACI policies,\n\n```bash\n$ hyperfine \"regorus eval -b tests/aci -d tests/aci/data.json -i   tests/aci/input.json data.framework.mount_overlay=x\"\nBenchmark 1: regorus eval -b tests/aci -d tests/aci/data.json -i tests/aci/input.json data.framework.mount_overlay=x\n  Time (mean ± σ):       4.6 ms ±   0.2 ms    [User: 4.1 ms, System: 0.4 ms]\n  Range (min … max):     4.4 ms …   6.0 ms    422 runs\n```\n\nCompare it with OPA\n\n```bash\n$ hyperfine \"opa eval -b tests/aci -d tests/aci/data.json -i tests/aci/input.json data.framework.mount_overlay=x\"\nBenchmark 1: opa eval -b tests/aci -d tests/aci/data.json -i tests/aci/input.json data.framework.mount_overlay=x\n  Time (mean ± σ):      45.2 ms ±   0.6 ms    [User: 68.8 ms, System: 5.1 ms]\n  Range (min … max):    43.8 ms …  46.7 ms    62 runs\n\n```\n\n## Contributor Workflow\n\nRegorus uses a small companion CLI under the `xtask` package to keep CI and local development in sync.\nThe commands mirror our GitHub Actions jobs, making it easy to dry-run CI steps before sending a pull request.\n\n- Run the full release pipeline with `cargo xtask ci-release` and the debug checks with `cargo xtask ci-debug`.\n- Exercise language bindings through focused helpers such as `cargo xtask test-java --release --frozen` or `cargo xtask test-go`.\n- Use `cargo xtask test-musl --release --frozen` for the cross-compilation matrix and `cargo xtask test-no-std` for embedded targets.\n- Formatting (`cargo xtask fmt`) and linting (`cargo xtask clippy --sarif`) wrap the usual Cargo tooling while matching CI defaults.\n\nThe workflows in `.github/workflows` invoke the same commands, so keeping local runs green is usually enough to satisfy the checks enforced on `main`.\n\n## OPA Conformance\n\nRegorus has been verified to be compliant with [OPA v1.2.0](https://github.com/open-policy-agent/opa/releases/tag/v1.2.0)\nusing a [test driver](https://github.com/microsoft/regorus/blob/main/tests/opa.rs) that loads and runs the OPA testsuite using Regorus, and verifies that expected outputs are produced.\n\nThe test driver can be invoked by running:\n\n```bash\n$ cargo test -r --test opa --features opa-testutil,serde_json/arbitrary_precision\n```\n\nCurrently, Regorus passes all the non-builtin specific tests.\nSee [passing tests suites](https://github.com/microsoft/regorus/blob/main/tests/opa.passing).\n\nThe following test suites don't pass fully due to missing builtins:\n- `globsmatch`\n- `graphql`\n- `invalidkeyerror`\n- `jsonpatch`\n- `jwtbuiltins`\n- `jwtdecodeverify`\n- `jwtencodesign`\n- `jwtencodesignheadererrors`\n- `jwtencodesignpayloaderrors`\n- `jwtencodesignraw`\n- `jwtverifyhs256`\n- `jwtverifyhs384`\n- `jwtverifyhs512`\n- `jwtverifyrsa`\n- `netcidrcontainsmatches`\n- `netcidrintersects`\n- `netcidrmerge`\n- `netcidroverlap`\n- `netlookupipaddr`\n- `providers-aws`\n- `regometadatachain`\n- `regometadatarule`\n- `regoparsemodule`\n- `rendertemplate`\n\nThey are captured in the following [github issues](https://github.com/microsoft/regorus/issues?q=is%3Aopen+is%3Aissue+label%3Alib).\n\nCryptographic builtins are not supported by design. Users that need cryptographic builtins are encouraged to use [extensions](https://docs.rs/regorus/latest/regorus/struct.Engine.html#method.add_extension).\n\n### Grammar\n\nThe grammar used by Regorus to parse Rego policies is described in [grammar.md](https://github.com/microsoft/regorus/blob/main/docs/grammar.md)\nin both [W3C EBNF](https://www.w3.org/Notation.html) and [RailRoad Diagram](https://en.wikipedia.org/wiki/Syntax_diagram) formats.\n\n\n## Contributing\n\nThis project welcomes contributions and suggestions.  Most contributions require you to agree to a\nContributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us\nthe rights to use your contribution. For details, visit \u003chttps://cla.opensource.microsoft.com\u003e.\n\nWhen you submit a pull request, a CLA bot will automatically determine whether you need to provide\na CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions\nprovided by the bot. You will only need to do this once across all repos using our CLA.\n\nThis project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).\nFor more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or\ncontact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.\n\n## Trademarks\n\nThis project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft\ntrademarks or logos is subject to and must follow\n[Microsoft's Trademark \u0026 Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general).\nUse of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.\nAny use of third-party trademarks or logos are subject to those third-party's policies.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicrosoft%2Fregorus","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmicrosoft%2Fregorus","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicrosoft%2Fregorus/lists"}