دليل عام
Add a lightweight CI step that sends deploy context to your tenant and gets an allow, warn, or deny decision back without self-hosting OPA. الجمهور: Platform engineers, release managers, and security engineers. وقت الإعداد المعتاد: 3 minutes.
Add a lightweight CI step that sends deploy context to your tenant and gets an allow, warn, or deny decision back without self-hosting OPA.
Copy a working starter, run it in your environment, then come back here for the deeper rollout details.
Download the exact source files referenced on this page, or run the one-command installer to write them locally before following the deployment steps.
Writes `.github/workflows/deploy-guardrails.yml` with a hosted policy decision step that runs before production deploys.
BLACKSHIELD_POLICY_IMAGE=public.ecr.aws/blackshield-security/policy-client:1.0.0 \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/github-policy-guardrails.sh)Writes `.gitlab/deploy-guardrails.yml` with a reusable hosted policy decision job and the current platform API URL prefilled for production deployments.
BLACKSHIELD_POLICY_IMAGE=public.ecr.aws/blackshield-security/policy-client:1.0.0 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gitlab-policy-guardrails.sh)docker run --rm \
-e BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
-e BLACKSHIELD_API_KEY=sp_xxxx \
-e POLICY_SERVICE_ID=payment-gateway \
-e POLICY_TARGET_ENVIRONMENT=prod \
-e POLICY_REPOSITORY=acme/payment-gateway \
-e POLICY_ARTIFACT=ghcr.io/acme/payment-gateway:${GIT_SHA:-latest} \
-e POLICY_BRANCH=main \
-e POLICY_CONTEXT_JSON='{"reviewer":"release-manager","change_ticket":"CAB-2026-0321"}' \
public.ecr.aws/blackshield-security/policy-client:1.0.0- name: Evaluate hosted deploy guardrails
run: |
docker run --rm \
-e BLACKSHIELD_API_URL="${{ vars.BLACKSHIELD_API_URL }}" \
-e BLACKSHIELD_API_KEY="${{ secrets.BLACKSHIELD_API_KEY }}" \
-e POLICY_SERVICE_ID="payment-gateway" \
-e POLICY_TARGET_ENVIRONMENT="prod" \
-e POLICY_REPOSITORY="${{ github.repository }}" \
-e POLICY_ARTIFACT="ghcr.io/acme/payment-gateway:${{ github.sha }}" \
-e POLICY_COMMIT_SHA="${{ github.sha }}" \
-e POLICY_BRANCH="${{ github.ref_name }}" \
-e POLICY_ACTOR="${{ github.actor }}" \
-e POLICY_CONTEXT_JSON='{"reviewer":"${{ github.actor }}","pipeline":"deploy-production"}' \
public.ecr.aws/blackshield-security/policy-client:1.0.0deploy-guardrails:
stage: deploy
image: public.ecr.aws/blackshield-security/policy-client:1.0.0
script:
- python -m policy.entrypoint
variables:
BLACKSHIELD_API_URL: "https://api.blackshield.chaplau.com"
# BLACKSHIELD_API_KEY: set in CI/CD -> Variables (masked)
POLICY_SERVICE_ID: "payment-gateway"
POLICY_TARGET_ENVIRONMENT: "prod"
POLICY_REPOSITORY: "$CI_PROJECT_PATH"
POLICY_ARTIFACT: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
POLICY_COMMIT_SHA: "$CI_COMMIT_SHA"
POLICY_BRANCH: "$CI_COMMIT_REF_NAME"
POLICY_ACTOR: "$GITLAB_USER_LOGIN"
POLICY_CONTEXT_JSON: '{"reviewer":"$GITLAB_USER_LOGIN","pipeline":"deploy-production"}'Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.
الخطوة 1
Open the Policies console, keep the starter pack in advisory mode first, and tune thresholds before enforcing production blocks.
What success looks like
Publish any tenant-specific custom Rego only after the draft validates cleanly.
الخطوة 2
The hosted decision API reuses the same tenant API key pattern as other machine-to-machine workflows, so no extra auth system is required.
What success looks like
Start with advisory rollout mode so warn outcomes surface without blocking releases.
الخطوة 3
Run the policy client before the real deployment step. It posts the deploy request, prints reasons, and exits non-zero only when the final decision is deny.
What success looks like
Place the job immediately before the production deploy so the decision reflects the current release candidate.
Keep your rollout moving with the next recommended step.
مراجعة النتائج وتحديد الأولويات