{"id":19478125,"url":"https://github.com/snyk/custom-rules-examples","last_synced_at":"2025-06-26T16:09:57.736Z","repository":{"id":41354125,"uuid":"402476471","full_name":"snyk/custom-rules-examples","owner":"snyk","description":null,"archived":false,"fork":false,"pushed_at":"2025-03-31T16:26:15.000Z","size":39,"stargazers_count":4,"open_issues_count":1,"forks_count":13,"subscribers_count":73,"default_branch":"main","last_synced_at":"2025-06-26T16:09:39.638Z","etag":null,"topics":["demo","infrastructure-as-code"],"latest_commit_sha":null,"homepage":"","language":"Open Policy Agent","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/snyk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-09-02T15:44:05.000Z","updated_at":"2025-04-04T04:39:37.000Z","dependencies_parsed_at":"2024-05-29T16:50:54.134Z","dependency_job_id":"a0052ced-29fe-414a-b9f3-82fc826656e8","html_url":"https://github.com/snyk/custom-rules-examples","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/snyk/custom-rules-examples","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk%2Fcustom-rules-examples","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk%2Fcustom-rules-examples/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk%2Fcustom-rules-examples/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk%2Fcustom-rules-examples/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/snyk","download_url":"https://codeload.github.com/snyk/custom-rules-examples/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk%2Fcustom-rules-examples/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262099744,"owners_count":23258671,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["demo","infrastructure-as-code"],"created_at":"2024-11-10T19:47:13.108Z","updated_at":"2025-06-26T16:09:57.711Z","avatar_url":"https://github.com/snyk.png","language":"Open Policy Agent","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Snyk IaC Custom Rules Examples\n\nThis repo contains example custom rules for Snyk IaC. They were generated using [snyk-iac-rules](https://github.com/snyk/snyk-iac-rules) and [OPA Policy Language](https://www.openpolicyagent.org/docs/latest/policy-language/). To understand more about the custom rules, read through the [public documentation](https://docs.snyk.io/products/snyk-infrastructure-as-code/custom-rules/getting-started-with-the-sdk/examples).\n\nThe prerequisites to using the rules in this repo are:\n* Installing [snyk-iac-rules](https://github.com/snyk/snyk-iac-rules)\n* Installing [snyk](https://github.com/snyk/snyk)\n* Having Custom Rules enabled (for this, contact our team)\n\n## Content\n\nThe example rules in this repo include:\n1. [./rules/CUSTOM-RULE-1](https://docs.snyk.io/products/snyk-infrastructure-as-code/custom-rules/getting-started-with-the-sdk/examples#example-of-a-simple-boolean-rule): A simple boolean rule that checks if a Terraform `aws_redshift_cluster` has an `owner` tag\n2. [./rules/CUSTOM-RULE-2](https://docs.snyk.io/products/snyk-infrastructure-as-code/custom-rules/getting-started-with-the-sdk/examples#example-with-logical-and): A rule using logical AND that checks if a Terraform `aws_redshift_cluster` has both an `owner` tag and a `description` tag\n3. [./rules/CUSTOM-RULE-3](https://docs.snyk.io/products/snyk-infrastructure-as-code/custom-rules/getting-started-with-the-sdk/examples#example-with-logical-or): A rule using logical OR that checks if a Terraform `aws_redshift_cluster` has at least an `owner` tag or a `description` tag\n4. [./rules/CUSTOM-RULE-4](https://docs.snyk.io/products/snyk-infrastructure-as-code/custom-rules/getting-started-with-the-sdk/examples#example-with-strings): A rule using strings that checks if a Terraform `aws_redshift_cluster` has at least an `owner` tag or a `description` tag and the `owner` tag does not belong to the `@corp-domain.com` domain\n5. [./rules/CUSTOM-RULE-5](https://docs.snyk.io/products/snyk-infrastructure-as-code/custom-rules/getting-started-with-the-sdk/examples#example-with-xor): A rule using XOR that checks if a Terraform `aws_redshift_cluster` has either an `owner` tag or a `serviceDescription` tag, depending on the `type`\n6. `./rules/CUSTOM-RULE-6`: A rule using grouped resources that checks if a Kubernetes RoleBinding configuration was defined on a set of namespaces configured in a denylist\n7. [./rules/CUSTOM-RULE-7](https://docs.snyk.io/products/snyk-infrastructure-as-code/custom-rules/getting-started-with-the-sdk/examples#examples-with-grouped-resources): A rule using grouped resources that checks if a Kubernetes ConfigMap configuration contains keys located in a denylist\n8. `./rules/CUSTOM-RULE-8`: A rule that flags up if an IAM Role is missing one of the required tags: `owner`, `description` or `type`\n9. `./rules/CUSTOM-RULE-9`: A rule that flags up if a Vendor or Service does not have at least an `owneralternate` or a `ticketgroup` tag\n10. `./rules/CUSTOM-RULE-10`: A rule that flags up if an IAM user is missing one of the required tags: `owner`, `description` or `type`\n\n## Usage\nThe existing rules can be:\n* tested using `snyk-iac-rules test`\n* built into a bundle using `snyk-iac-rules build`\n* verified locally using `snyk iac test --rules`\n* pushed to an OCI registry using `snyk-iac-rules push`\n\nAn example workflow for adding a new rule would involve:\n1. Templating the rule using `snyk-iac-rules template`\n2. Filling in the rule logic using Policy Language\n3. Testing the rules locally using `snyk-iac-rules test`\n4. Building the rules locally and testing them with `snyk iac test --rules=bundle.tar.gz`\n5. Opening a PR for a rule and letting the CI/CD run the tests, which block the PR from being merged if they fail\n6. Merging the PR once the PR check passes\n7. Waiting for the bundle to be published to an OCI registry\n8. Configuring a separate repo to use `snyk` together with the custom rules in this repo by configuring the following environment variables:\n```\nexport SNYK_CFG_OCI_REGISTRY_URL=\u003cOCI registry url without a protocol\u003e\nexport SNYK_CFG_OCI_REGISTRY_USERNAME=\u003cOCI registry username\u003e\nexport SNYK_CFG_OCI_REGISTRY_PASSWORD=\u003cOCI registry password\u003e\n```\n\n## CI/CD\n\nThere are two GitHub Actions configured for this repo:\n* One that tests the rules when PRs are opened\n* One that publishes the rules to an OCI registry when PRs are merged\n\nThe rules get published to a private DockerHub repository.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnyk%2Fcustom-rules-examples","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsnyk%2Fcustom-rules-examples","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnyk%2Fcustom-rules-examples/lists"}