Policy Issues
This guide covers common problems with OPA policies — from syntax errors to unexpected evaluation results.
Policy validation error on save
Symptom: Clicking "Save" produces a validation error.
Rego parse error
Common causes:
| Mistake | Wrong | Correct |
|---|---|---|
| Assignment operator | `decision = "accept"` | `decision := "accept"` |
| Missing `if` keyword | `decision := "accept" { ... }` | `decision := "accept" if { ... }` |
| Missing v1 import | (no import) | `import rego.v1` |
| Unquoted strings | `severity == critical` | `severity == "critical"` |
Rego compile error
Cause: Two rules produce different values for the same variable for the same input.
Fix: Make rules mutually exclusive:
```rego
# BAD: both match a critical finding in /test/
decision := "accept" if { input.finding.severity == "critical" }
decision := "reject" if { contains(input.finding.file_path, "/test/") }

# GOOD: add exclusion
decision := "accept" if {
    input.finding.severity == "critical"
    not contains(input.finding.file_path, "/test/")
}
decision := "reject" if {
    contains(input.finding.file_path, "/test/")
}
```
Invalid package name
Fix: Ensure the package matches the policy kind:
| Kind | Package |
|---|---|
| Triage | package mayo.triage |
| Priority | package mayo.priority |
| Ownership | package mayo.ownership |
| Project | package mayo.project |
| PR Scan | package mayo.pr_scan |
Policy saved but not taking effect
Symptom: Policy is saved and active but findings aren't being triaged.
Checklist:
| Check | How |
|---|---|
| Is the policy active? | Policies list — look for the active toggle |
| Is the policy scoped correctly? | Policy > Scope tab — verify it covers the target project |
| Does the policy kind match? | A triage policy won't run during priority evaluation |
| Has re-evaluation been triggered? | New policies only apply to new findings unless you click Re-evaluate |
| Is another policy overriding it? | Check Effective Policies on the project |
Re-evaluation
Activating a policy does NOT retroactively apply it to existing findings. You must click Re-evaluate Triage (or the equivalent for other kinds) to apply the policy to existing data.
Policy produces wrong output
Symptom: Policy is active and evaluating, but the output is unexpected.
Debugging steps:
- Open the Policy Playground.
- Load the policy code.
- Load a real finding that produced the wrong output:
  - Go to the finding's detail page.
  - Click Copy Input JSON.
  - Paste into the playground input panel.
- Click Evaluate.
- Enable Trace Mode to see step-by-step evaluation.
Common causes
| Symptom | Cause | Fix |
|---|---|---|
| Output is empty `{}` | No rule matched the input | Add a default value or check rule conditions |
| Output says "defer" when it should say "accept" | Default value is being used | A rule's conditions aren't being met — check with trace |
| Wrong priority score | Arithmetic error | Print intermediate values in playground |
| Wrong owner assigned | Incorrect lookup table | Verify team IDs and asset names in the policy |
Policy conflict error during evaluation
Symptom: Finding shows "Policy evaluation error: conflicting rules".
Cause: Two policies or two rules within the same policy produced different values for the same output variable.
Solutions:
- Within one policy: Make rules mutually exclusive (add conditions to prevent overlap).
- Between policies: Check scoping — ensure only one policy of each kind applies at each scope level.
- Use `default`: Provide a default value so unmatched cases don't conflict.
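The following is an added example, not code from the product or its documentation. It combines the two in-policy fixes above, a `default` value and mutually exclusive rules, in one triage policy, and it goes slightly beyond the page by using Rego's `else` chain in place of an explicit `not` exclusion. The helper name `in_test_path`, the test names, and the sample findings are constructed for illustration; the `test_` rules run with `opa test`.

```rego
package mayo.triage

import rego.v1

# Fallback value when no rule below matches, so the output is never empty.
default decision := "defer"

# Hypothetical helper: true when the finding sits under a test directory.
in_test_path if contains(input.finding.file_path, "/test/")

# An else chain is evaluated top to bottom and stops at the first branch
# whose body succeeds, so decision can never receive two different values.
decision := "reject" if {
    in_test_path
} else := "accept" if {
    input.finding.severity == "critical"
}

# Constructed inputs below cover the overlap case and both fall-through cases.
test_critical_in_test_path_is_rejected if {
    decision == "reject" with input as {"finding": {
        "severity": "critical",
        "file_path": "src/test/fixtures/key.pem",
    }}
}

test_critical_outside_test_path_is_accepted if {
    decision == "accept" with input as {"finding": {
        "severity": "critical",
        "file_path": "src/app/auth.py",
    }}
}

test_unmatched_finding_falls_back_to_default if {
    decision == "defer" with input as {"finding": {
        "severity": "low",
        "file_path": "src/app/auth.py",
    }}
}
```

Keeping a test for the overlapping input (critical severity inside `/test/`) catches a reintroduced conflict before the policy is saved and activated.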
Policy not showing in effective policies view
Symptom: You created a policy but it doesn't appear in a project's Effective Policies.
Possible causes:
| Cause | Solution |
|---|---|
| Policy is inactive | Activate the policy |
| Policy is scoped to a different project | Check the policy's scope settings |
| A more specific policy overrides it | A project or sub-project policy of the same kind takes precedence |
Playground works but production doesn't
Symptom: Policy produces correct output in the playground but not when evaluating real findings.
Possible causes:
| Cause | Solution |
|---|---|
| Input structure differs from real data | Load a real finding in the playground instead of a template |
| `print()` statements causing issues | Remove `print()` statements — they're stripped in production but may affect evaluation order |
| Policy version mismatch | Ensure you saved and activated the latest version |
Next steps
- Rego guide — syntax reference
- Policy Playground — interactive debugging
- Policy best practices — avoid common pitfalls