Replies: 3 comments
-
|
I think we can have something like vet scan --use-default-policy |
Beta Was this translation helpful? Give feedback.
0 replies
-
What if we need to ship multiple policies? The problem with default policy is, its very hard to get right. |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
How about we have a centralized report (frontend UI) of public or community maintained policy. And i can use then or add my own. vet scan --use-remote-policy @myorg/policyWe can provide some polices from our side as well vet scan --use-remote-policy @safedep/default |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
vethas been very opinionated to not be opinionated in its decision of risk so far. While it does a lot of things such as scanning source code, identify package dependencies, their usage in code, malicious packages etc. there is no in built (hardcoded) opinion on what is a threat and when to fail a scan. This opinion comes from policies written as Common Expressions Language (CEL).Users must write and feed policies (as code) to
vetto be able to use it as guardrails. Overtime we have received requests to support common policies out of box, such as opinionated defaults.We can consider having out of box policies that can be referenced instead of a custom policy file such as
vet scan --policy builtin:critical-set. In this example,vetwill leverage an internally defined policy namedcritical-setinstead of trying to look-up from file.Whats your thought and what is the desired user experience?
4 votes ·
Beta Was this translation helpful? Give feedback.
All reactions