Use this if
Add a lightweight CI step that sends deploy context to your tenant and gets an allow, warn, or deny decision back without self-hosting OPA.
- Audience: Platform engineers, release managers, and security engineers
- Typical time: 3 minutes
Public guide
Copy a working starter, run it in your environment, then come back here for the deeper rollout details.
Download the exact files used in this guide, or run the one-command installer to write them locally before deploying.
Writes `.github/workflows/deploy-guardrails.yml` with a hosted policy decision step that runs before production deploys.

```bash
BLACKSHIELD_POLICY_IMAGE=public.ecr.aws/blackshield-security/policy-client:1.0.0 \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/github-policy-guardrails.sh)
```

Writes `.gitlab/deploy-guardrails.yml` with a reusable hosted policy decision job and the current platform API URL prefilled for production deployments.

```bash
BLACKSHIELD_POLICY_IMAGE=public.ecr.aws/blackshield-security/policy-client:1.0.0 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gitlab-policy-guardrails.sh)
```

Run the policy client directly with Docker:

```bash
docker run --rm \
  -e BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
  -e BLACKSHIELD_API_KEY=sp_xxxx \
  -e POLICY_SERVICE_ID=payment-gateway \
  -e POLICY_TARGET_ENVIRONMENT=prod \
  -e POLICY_REPOSITORY=acme/payment-gateway \
  -e POLICY_ARTIFACT=ghcr.io/acme/payment-gateway:${GIT_SHA:-latest} \
  -e POLICY_BRANCH=main \
  -e POLICY_CONTEXT_JSON='{"reviewer":"release-manager","change_ticket":"CAB-2026-0321"}' \
  public.ecr.aws/blackshield-security/policy-client:1.0.0
```

GitHub Actions step:

```yaml
- name: Evaluate hosted deploy guardrails
  run: |
    docker run --rm \
      -e BLACKSHIELD_API_URL="${{ vars.BLACKSHIELD_API_URL }}" \
      -e BLACKSHIELD_API_KEY="${{ secrets.BLACKSHIELD_API_KEY }}" \
      -e POLICY_SERVICE_ID="payment-gateway" \
      -e POLICY_TARGET_ENVIRONMENT="prod" \
      -e POLICY_REPOSITORY="${{ github.repository }}" \
      -e POLICY_ARTIFACT="ghcr.io/acme/payment-gateway:${{ github.sha }}" \
      -e POLICY_COMMIT_SHA="${{ github.sha }}" \
      -e POLICY_BRANCH="${{ github.ref_name }}" \
      -e POLICY_ACTOR="${{ github.actor }}" \
      -e POLICY_CONTEXT_JSON='{"reviewer":"${{ github.actor }}","pipeline":"deploy-production"}' \
      public.ecr.aws/blackshield-security/policy-client:1.0.0
```

GitLab CI job:

```yaml
deploy-guardrails:
  stage: deploy
  image: public.ecr.aws/blackshield-security/policy-client:1.0.0
  script:
    - python -m policy.entrypoint
  variables:
    BLACKSHIELD_API_URL: "https://api.blackshield.chaplau.com"
    # BLACKSHIELD_API_KEY: set in CI/CD -> Variables (masked)
    POLICY_SERVICE_ID: "payment-gateway"
    POLICY_TARGET_ENVIRONMENT: "prod"
    POLICY_REPOSITORY: "$CI_PROJECT_PATH"
    POLICY_ARTIFACT: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    POLICY_COMMIT_SHA: "$CI_COMMIT_SHA"
    POLICY_BRANCH: "$CI_COMMIT_REF_NAME"
    POLICY_ACTOR: "$GITLAB_USER_LOGIN"
    POLICY_CONTEXT_JSON: '{"reviewer":"$GITLAB_USER_LOGIN","pipeline":"deploy-production"}'
```

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.
Step 1
Open the Policies console, keep the starter pack in advisory mode first, and tune thresholds before enforcing production blocks.
What success looks like
Publish any tenant-specific custom Rego only after the draft validates cleanly.
Step 2
The hosted decision API reuses the same tenant API key pattern as other machine-to-machine workflows, so no extra auth system is required.
What success looks like
Start with advisory rollout mode so warn outcomes surface without blocking releases.
Step 3
Run the policy client before the real deployment step. It posts the deploy request, prints reasons, and exits non-zero only when the final decision is deny.
What success looks like
Place the job immediately before the production deploy so the decision reflects the current release candidate.
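The client behaviour described in Step 3 (collect the `POLICY_*` deploy context, post it, print reasons, exit non-zero only on deny), as an added sketch that is not the vendor's `policy-client` image. The decision endpoint path `/v1/policy/decisions` and the `{"decision": ..., "reasons": [...]}` response shape are assumptions, not documented here; an unrecognized decision is treated as deny so a malformed response cannot silently pass a release.

```python
import json
import os
import sys
import urllib.request

DECISION_EXIT = {"allow": 0, "warn": 0, "deny": 1}  # non-zero only on deny; warn is advisory

def build_request(env):
    """Collect deploy context from the POLICY_* variables the CI snippets pass in."""
    ctx = json.loads(env.get("POLICY_CONTEXT_JSON", "{}"))
    if not isinstance(ctx, dict):
        raise ValueError("POLICY_CONTEXT_JSON must be a JSON object")
    required = ("POLICY_SERVICE_ID", "POLICY_TARGET_ENVIRONMENT", "POLICY_ARTIFACT")
    missing = [k for k in required if not env.get(k)]
    if missing:
        raise ValueError("missing deploy context: " + ", ".join(missing))
    return {
        "service_id": env["POLICY_SERVICE_ID"],
        "target_environment": env["POLICY_TARGET_ENVIRONMENT"],
        "repository": env.get("POLICY_REPOSITORY"),
        "artifact": env["POLICY_ARTIFACT"],
        "commit_sha": env.get("POLICY_COMMIT_SHA"),
        "branch": env.get("POLICY_BRANCH"),
        "actor": env.get("POLICY_ACTOR"),
        "context": ctx,
    }

def decide(response):
    """Map a decision response to (exit_code, reasons). Unknown decisions fail closed."""
    decision = str(response.get("decision", "")).lower()
    reasons = [str(r) for r in response.get("reasons", [])]
    if decision not in DECISION_EXIT:
        return 1, ["unrecognized decision '%s', failing closed" % decision] + reasons
    return DECISION_EXIT[decision], reasons

def post_decision(api_url, api_key, payload, timeout=15):
    """POST the deploy request; the path below is an assumed placeholder, not the documented API."""
    req = urllib.request.Request(
        api_url.rstrip("/") + "/v1/policy/decisions",
        data=json.dumps(payload).encode(),
        headers={"Authorization": "Bearer " + api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

if __name__ == "__main__":
    body = post_decision(os.environ["BLACKSHIELD_API_URL"], os.environ["BLACKSHIELD_API_KEY"],
                         build_request(os.environ))
    code, why = decide(body)
    print("decision:", body.get("decision"), "; ".join(why))
    sys.exit(code)
```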
Keep your rollout moving with the next recommended step.
Review and prioritize findings