Skip to content

feat(policies): allow custom builtin functions in Rego policies#2552

Merged
jiparis merged 12 commits intochainloop-dev:mainfrom
jiparis:PFM-781
Nov 16, 2025
Merged

feat(policies): allow custom builtin functions in Rego policies#2552
jiparis merged 12 commits intochainloop-dev:mainfrom
jiparis:PFM-781

Conversation

@jiparis
Copy link
Member

@jiparis jiparis commented Nov 15, 2025
edited
Loading

This PR adds extension capabilities to the Rego engine by using the builtins mechanism from OPA. Registering a new function is done through a call to builtins.Register with the builtin definition:

func RegisterHelloBuiltin() error {
	return Register(&ast.Builtin{
		Name: helloBuiltinName,
		Decl: types.NewFunction(
			types.Args(
				types.Named("name", types.S), // Digest to fetch
			),
			types.Named("response", types.A), // Response as object
		),
	}, getHelloImpl)
}

Implementation signature must be a topdown.BuiltinFunc. Check provided example and tests.

This call must be done before using the Rego engine, so ideally it should be done during package initialization (init()) or app initialization before instantiating Rego.

@jiparis
custom builtins for rego
30e03ed 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
add hello builtin
e5d4404 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
add example and some tests
89755e5 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
fix claude
965ceff 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
undo import change
633a358 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
jiparis
jiparis commented Nov 15, 2025
View reviewed changes
app/cli/internal/policydevel/eval.go
}

func craftMaterial(materialPath, materialKind string, logger *zerolog.Logger) (*v12.Attestation_Material, error) {
if fileNotExists(materialPath) {
Copy link
Member Author

@jiparis jiparis Nov 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to be able to devel CONTAINER_IMAGE policies.

@jiparis
undo change
aa08f47 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
upgrade to opa/v1
f8baa9a 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
lint
c865b4d 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
migmartri
migmartri approved these changes Nov 15, 2025
View reviewed changes
Copy link
Member

@migmartri migmartri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, see my comments, thanks!

@jiparis
fix coyright notice
479a242 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
refactor to use opa registry directly
a720e2a 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
add skill
520022d 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
fix comment
eb94f8b 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis merged commit d4cc444 into chainloop-dev:main Nov 16, 2025
13 checks passed
@jiparis jiparis deleted the PFM-781 branch November 16, 2025 12:17
@jiparis jiparis mentioned this pull request Nov 17, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@migmartri migmartri migmartri approved these changes

@Piskoo Piskoo Awaiting requested review from Piskoo

@javirln javirln Awaiting requested review from javirln

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jiparis @migmartri