Use it if
Add a lightweight CI step that sends deploy context to your tenant and gets an allow, warn, or deny decision back without self-hosting OPA.
- Audience: Platform engineers, release managers, and security engineers
- Typical time: 3 minutes
Public guide
Copy a working starter, run it in your environment, then come back here for the deeper rollout details.
Download the exact files used in this guide, or run the one-command installer to write them locally before deployment.
Writes `.github/workflows/deploy-guardrails.yml` with a hosted policy decision step that runs before production deploys.

```bash
BLACKSHIELD_POLICY_IMAGE=public.ecr.aws/blackshield-security/policy-client:1.0.0 \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/github-policy-guardrails.sh)
```

Writes `.gitlab/deploy-guardrails.yml` with a reusable hosted policy decision job and the current platform API URL prefilled for production deployments.

```bash
BLACKSHIELD_POLICY_IMAGE=public.ecr.aws/blackshield-security/policy-client:1.0.0 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gitlab-policy-guardrails.sh)
```

```bash
docker run --rm \
  -e BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
  -e BLACKSHIELD_API_KEY=sp_xxxx \
  -e POLICY_SERVICE_ID=payment-gateway \
  -e POLICY_TARGET_ENVIRONMENT=prod \
  -e POLICY_REPOSITORY=acme/payment-gateway \
  -e POLICY_ARTIFACT=ghcr.io/acme/payment-gateway:${GIT_SHA:-latest} \
  -e POLICY_BRANCH=main \
  -e POLICY_CONTEXT_JSON='{"reviewer":"release-manager","change_ticket":"CAB-2026-0321"}' \
  public.ecr.aws/blackshield-security/policy-client:1.0.0
```

```yaml
- name: Evaluate hosted deploy guardrails
  run: |
    docker run --rm \
      -e BLACKSHIELD_API_URL="${{ vars.BLACKSHIELD_API_URL }}" \
      -e BLACKSHIELD_API_KEY="${{ secrets.BLACKSHIELD_API_KEY }}" \
      -e POLICY_SERVICE_ID="payment-gateway" \
      -e POLICY_TARGET_ENVIRONMENT="prod" \
      -e POLICY_REPOSITORY="${{ github.repository }}" \
      -e POLICY_ARTIFACT="ghcr.io/acme/payment-gateway:${{ github.sha }}" \
      -e POLICY_COMMIT_SHA="${{ github.sha }}" \
      -e POLICY_BRANCH="${{ github.ref_name }}" \
      -e POLICY_ACTOR="${{ github.actor }}" \
      -e POLICY_CONTEXT_JSON='{"reviewer":"${{ github.actor }}","pipeline":"deploy-production"}' \
      public.ecr.aws/blackshield-security/policy-client:1.0.0
```

```yaml
deploy-guardrails:
  stage: deploy
  image: public.ecr.aws/blackshield-security/policy-client:1.0.0
  script:
    - python -m policy.entrypoint
  variables:
    BLACKSHIELD_API_URL: "https://api.blackshield.chaplau.com"
    # BLACKSHIELD_API_KEY: set in CI/CD -> Variables (masked)
    POLICY_SERVICE_ID: "payment-gateway"
    POLICY_TARGET_ENVIRONMENT: "prod"
    POLICY_REPOSITORY: "$CI_PROJECT_PATH"
    POLICY_ARTIFACT: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    POLICY_COMMIT_SHA: "$CI_COMMIT_SHA"
    POLICY_BRANCH: "$CI_COMMIT_REF_NAME"
    POLICY_ACTOR: "$GITLAB_USER_LOGIN"
    POLICY_CONTEXT_JSON: '{"reviewer":"$GITLAB_USER_LOGIN","pipeline":"deploy-production"}'
```

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.
Step 1
Open the Policies console, keep the starter pack in advisory mode first, and tune thresholds before enforcing production blocks.
What success looks like
Publish any tenant-specific custom Rego only after the draft validates cleanly.
Step 2
The hosted decision API reuses the same tenant API key pattern as other machine-to-machine workflows, so no extra auth system is required.
What success looks like
Start with advisory rollout mode so warn outcomes surface without blocking releases.
Step 3
Run the policy client before the real deployment step. It posts the deploy request, prints reasons, and exits non-zero only when the final decision is deny.
What success looks like
Place the job immediately before the production deploy so the decision reflects the current release candidate.
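Added example, not the vendor's policy-client code: a minimal Python client with the same shape as the step above. It builds the deploy context from the POLICY_* variables the guide sets, posts it, prints the returned reasons, and maps allow/warn/deny to the exit status the guide describes. The route `/v1/policy/decisions`, the Bearer header, the `{"decision": ..., "reasons": [...]}` response shape, and failing closed when no usable decision is obtained are assumptions.

```python
import json
import os
import sys
import urllib.request

# Assumed route and auth header: the page does not document the hosted API's wire format.
DECISION_PATH = "/v1/policy/decisions"
REQUIRED = ("BLACKSHIELD_API_URL", "BLACKSHIELD_API_KEY", "POLICY_SERVICE_ID",
            "POLICY_TARGET_ENVIRONMENT", "POLICY_ARTIFACT")

def build_request(env) -> dict:
    """Assemble the deploy-context payload from the POLICY_* variables the guide sets."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError(f"missing required variables: {missing}")
    try:
        extra = json.loads(env.get("POLICY_CONTEXT_JSON") or "{}")
    except json.JSONDecodeError as exc:  # CI template interpolation can corrupt this string
        raise ValueError(f"POLICY_CONTEXT_JSON is not valid JSON: {exc}") from exc
    return {"service_id": env["POLICY_SERVICE_ID"], "target_environment": env["POLICY_TARGET_ENVIRONMENT"],
            "repository": env.get("POLICY_REPOSITORY"), "artifact": env["POLICY_ARTIFACT"],
            "commit_sha": env.get("POLICY_COMMIT_SHA"), "branch": env.get("POLICY_BRANCH"),
            "actor": env.get("POLICY_ACTOR"), "context": extra}

def http_post(url: str, headers: dict, payload: dict) -> dict:
    # Real transport: POST the JSON payload and decode the JSON decision body.
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def exit_code_for(decision) -> int:
    """allow and warn pass (reasons are printed); deny, unknown or malformed outcomes fail closed."""
    decision = decision if isinstance(decision, dict) else {}
    outcome = decision.get("decision")
    for reason in decision.get("reasons", []):
        print(f"[{outcome}] {reason}")
    return 0 if outcome in ("allow", "warn") else 1

def evaluate(env, post=http_post) -> int:
    # post(url, headers, payload) -> dict is injectable so the flow can be exercised offline.
    try:
        payload = build_request(env)
        headers = {"Authorization": f"Bearer {env['BLACKSHIELD_API_KEY']}",
                   "Content-Type": "application/json"}
        return exit_code_for(post(env["BLACKSHIELD_API_URL"].rstrip("/") + DECISION_PATH, headers, payload))
    except (ValueError, OSError) as exc:  # bad input or unreachable API: no decision, so do not deploy
        print(f"[error] failing closed: {exc}")
        return 1

if __name__ == "__main__":
    sys.exit(evaluate(os.environ))
```

Run it as the job's script with the same environment variables the docker-based step passes; a non-zero exit stops the pipeline before the production deploy step.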
Keep your rollout moving with the next recommended step.
Review and prioritize findings