# OPA Policy System
Mayo ASPM uses Open Policy Agent (OPA) with Rego policies for automated security decisions.
## Policy Kinds
| Kind | Purpose | Output |
|---|---|---|
| Triage | Should this finding be actionable? | apply, suggested_status, filter_reasons |
| Priority | How important is this finding? | apply, priority, adjusted_severity, signals |
| Ownership | Who is responsible? | assignee, bug_component, confidence |
| Project | Which project does this belong to? | project_ids, create_projects |
| PR Scan | Should this block a PR? | action (block/alert/skip), comment |
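The following Rego policy, added here as an illustration and not taken from the Mayo ASPM code base, shows what a Triage-kind policy producing the `apply`, `suggested_status` and `filter_reasons` outputs from the table above might look like. The input field names (`input.finding.file_path`, `input.finding.severity`, `input.scanner_type`) and the status values are assumptions about the evaluation input, not documented fields.

```rego
package mayo.triage

import rego.v1

# ASSUMED input shape (not documented on this page):
#   input.finding.file_path  - path of the file the finding was raised in
#   input.finding.severity   - scanner-reported severity, e.g. "info", "low", "high"
#   input.scanner_type       - scanner category, e.g. "sast", "sca", "secrets"

# A finding is not filtered unless at least one reason fires.
default apply := false

# Each rule below contributes one machine-readable reason to the
# filter_reasons set; several reasons can apply to a single finding.
filter_reasons contains "test_file" if {
	regex.match(`(^|/)(test|tests|__tests__|spec)/`, input.finding.file_path)
}

filter_reasons contains "vendored_code" if {
	startswith(input.finding.file_path, "vendor/")
}

filter_reasons contains "informational_sca" if {
	input.scanner_type == "sca"
	input.finding.severity == "info"
}

# The policy only asks to be applied when it has something to say.
apply if count(filter_reasons) > 0

# Suggested status (assumed status names): findings in test code are treated
# as false positives; anything else that was filtered is marked not exploitable.
suggested_status := "false_positive" if {
	"test_file" in filter_reasons
} else := "not_exploitable" if {
	apply
}
```

Because `apply` stays `false` when no reason fires, an enforced policy built this way leaves unmatched findings untouched rather than silently changing their status.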
## How Policies Work
1. After a scan completes, findings are ingested.
2. All enabled policies matching the scan's scope are evaluated.
3. Each finding passes through the applicable policies.
4. Policy suggestions are stored on the finding.
5. Enforced policies automatically update the finding's status/priority.
## Policy Scoping
Policies can be scoped to:
- Organization — applies to all scans
- Repository — applies only to scans on a specific repo
- Project — applies only to findings in a specific project
Additionally, a scanner type filter can restrict a policy to specific scanner types (e.g., only SCA findings).
## Multiple Policies
You can have multiple policies per kind. All matching policies are evaluated, and the highest-precedence policy wins for conflicting fields.
## Evaluation Order
1. Triage runs first and filters findings.
2. Priority, Ownership and Project run in parallel on the remaining findings.
## Managing Policies
- Policies overview: See all policies grouped by kind
- Per-kind pages: Create, edit, test policies for each kind
- Playground: Experiment with Rego and test against sample data
- Version history: Save snapshots and restore previous versions