Use this if
Add a lightweight CI step that sends deploy context to your tenant and gets an allow, warn, or deny decision back without self-hosting OPA.
- Audience: Platform engineers, release managers, and security engineers
- Typical time: 3 minutes
Public guide
Copy a working starter, run it in your environment, then come back here for the deeper rollout details.
Download the exact source files referenced on this page, or run the one-command installer to write them locally before following the deployment steps. The installer form `bash <(curl -fsSL ...)` executes whatever the server returns, so if your change process requires reviewing third-party scripts, download the bundle first, read it, and then run it.
GitHub Actions installer. Writes `.github/workflows/deploy-guardrails.yml` with a hosted policy decision step that runs before production deploys.

```bash
BLACKSHIELD_POLICY_IMAGE=public.ecr.aws/blackshield-security/policy-client:1.0.0 \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/github-policy-guardrails.sh)
```

GitLab CI installer. Writes `.gitlab/deploy-guardrails.yml` with a reusable hosted policy decision job and the current platform API URL prefilled for production deployments.

```bash
BLACKSHIELD_POLICY_IMAGE=public.ecr.aws/blackshield-security/policy-client:1.0.0 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gitlab-policy-guardrails.sh)
```

Both installers pin the client image to the `1.0.0` tag through `BLACKSHIELD_POLICY_IMAGE`. A tag can be moved to a different image; once you have verified the image you are running, pin it by digest (`image@sha256:...`) so that what runs immediately before your production deploy cannot change without a commit in your repository.

Local run. Call the client directly with Docker to check a decision from a workstation before wiring it into CI. `sp_xxxx` is a placeholder for a tenant API key; export it from your environment rather than typing it into the command line, where it lands in shell history.

```bash
docker run --rm \
  -e BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
  -e BLACKSHIELD_API_KEY=sp_xxxx \
  -e POLICY_SERVICE_ID=payment-gateway \
  -e POLICY_TARGET_ENVIRONMENT=prod \
  -e POLICY_REPOSITORY=acme/payment-gateway \
  -e POLICY_ARTIFACT=ghcr.io/acme/payment-gateway:${GIT_SHA:-latest} \
  -e POLICY_BRANCH=main \
  -e POLICY_CONTEXT_JSON='{"reviewer":"release-manager","change_ticket":"CAB-2026-0321"}' \
  public.ecr.aws/blackshield-security/policy-client:1.0.0
```

GitHub Actions step. This is the step the installer writes: `BLACKSHIELD_API_URL` is read from a repository variable and `BLACKSHIELD_API_KEY` from a repository secret.

```yaml
- name: Evaluate hosted deploy guardrails
  run: |
    docker run --rm \
      -e BLACKSHIELD_API_URL="${{ vars.BLACKSHIELD_API_URL }}" \
      -e BLACKSHIELD_API_KEY="${{ secrets.BLACKSHIELD_API_KEY }}" \
      -e POLICY_SERVICE_ID="payment-gateway" \
      -e POLICY_TARGET_ENVIRONMENT="prod" \
      -e POLICY_REPOSITORY="${{ github.repository }}" \
      -e POLICY_ARTIFACT="ghcr.io/acme/payment-gateway:${{ github.sha }}" \
      -e POLICY_COMMIT_SHA="${{ github.sha }}" \
      -e POLICY_BRANCH="${{ github.ref_name }}" \
      -e POLICY_ACTOR="${{ github.actor }}" \
      -e POLICY_CONTEXT_JSON='{"reviewer":"${{ github.actor }}","pipeline":"deploy-production"}' \
      public.ecr.aws/blackshield-security/policy-client:1.0.0
```

GitHub expands `${{ }}` expressions into the script text before the shell runs it. `github.sha` and `github.actor` have a fixed character set, but a branch name may contain quotes, and anything an outside contributor can choose (a pull request title, a head branch name) can break the JSON in `POLICY_CONTEXT_JSON` or inject into the shell. If you extend the step with such values, pass them through `env:` and reference them as shell variables instead of inlining the expression.

GitLab CI job. The installer writes this job with the API URL prefilled; the API key is supplied as a masked CI/CD variable, not in the file.

```yaml
deploy-guardrails:
  stage: deploy
  image: public.ecr.aws/blackshield-security/policy-client:1.0.0
  script:
    - python -m policy.entrypoint
  variables:
    BLACKSHIELD_API_URL: "https://api.blackshield.chaplau.com"
    # BLACKSHIELD_API_KEY: set in CI/CD -> Variables (masked)
    POLICY_SERVICE_ID: "payment-gateway"
    POLICY_TARGET_ENVIRONMENT: "prod"
    POLICY_REPOSITORY: "$CI_PROJECT_PATH"
    POLICY_ARTIFACT: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    POLICY_COMMIT_SHA: "$CI_COMMIT_SHA"
    POLICY_BRANCH: "$CI_COMMIT_REF_NAME"
    POLICY_ACTOR: "$GITLAB_USER_LOGIN"
    POLICY_CONTEXT_JSON: '{"reviewer":"$GITLAB_USER_LOGIN","pipeline":"deploy-production"}'
```

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.
Step 1
Open the Policies console, keep the starter pack in advisory mode first, and tune thresholds before enforcing production blocks.
What success looks like
Publish any tenant-specific custom Rego only after the draft validates cleanly.
Step 2
The hosted decision API reuses the same tenant API key pattern as other machine-to-machine workflows, so no extra auth system is required. Store the key as a masked CI variable (`BLACKSHIELD_API_KEY`), never in the repository or the pipeline file.
What success looks like
Start with advisory rollout mode so warn outcomes surface without blocking releases.
Step 3
Run the policy client before the real deployment step. It posts the deploy request, prints the reasons behind the decision, and exits non-zero only when the final decision is deny. Allow and warn both exit zero, so a warn is visible in the job log but never blocks the pipeline on its own.
What success looks like
Place the job immediately before the production deploy so the decision reflects the current release candidate.
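To make the client's contract in steps 2 and 3 concrete, the following is an added, self-contained Python client written for this page. It is example code, not the BlackShield `policy-client` image or its `policy.entrypoint` module. The endpoint path `/v1/decisions`, the bearer-token `Authorization` header, and the request and response JSON shapes are assumptions; the real API may differ. It reads the same `BLACKSHIELD_*` and `POLICY_*` variables the CI snippets set, validates `POLICY_CONTEXT_JSON` before sending (a stray quote in an interpolated CI value would otherwise be shipped as broken JSON), and maps allow and warn to exit 0 and deny to exit 1 as the page describes. As this example's own choice, it also exits 2 when the decision cannot be obtained or parsed, so a failed guardrail is never mistaken for an allow.

```python
"""Minimal hosted policy-decision client (added example, not the vendor's client).

Assumptions not taken from the page: the endpoint path /v1/decisions, the
bearer-token header, and the JSON request/response shapes.
"""
import json
import os
import sys
import urllib.request

REQUIRED = ("BLACKSHIELD_API_URL", "BLACKSHIELD_API_KEY", "POLICY_SERVICE_ID",
            "POLICY_TARGET_ENVIRONMENT", "POLICY_ARTIFACT")
OPTIONAL = ("POLICY_REPOSITORY", "POLICY_COMMIT_SHA", "POLICY_BRANCH", "POLICY_ACTOR")

EXIT_ALLOW, EXIT_DENY, EXIT_ERROR = 0, 1, 2   # warn shares EXIT_ALLOW


def parse_context(raw):
    """POLICY_CONTEXT_JSON must be a JSON object. Rejecting anything else means a
    broken quote in an interpolated CI value fails here instead of at the API."""
    if not raw:
        return {}
    try:
        ctx = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"POLICY_CONTEXT_JSON is not valid JSON: {exc}") from None
    if not isinstance(ctx, dict):
        raise ValueError("POLICY_CONTEXT_JSON must be a JSON object")
    return ctx


def build_payload(env):
    """Assemble the deploy request from the environment, refusing to send a
    request that lacks the fields a decision must be keyed on."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError("missing required variables: " + ", ".join(missing))
    payload = {
        "service_id": env["POLICY_SERVICE_ID"],
        "target_environment": env["POLICY_TARGET_ENVIRONMENT"],
        "artifact": env["POLICY_ARTIFACT"],
        "context": parse_context(env.get("POLICY_CONTEXT_JSON", "")),
    }
    for key in OPTIONAL:                       # POLICY_BRANCH -> "branch", etc.
        if env.get(key):
            payload[key[len("POLICY_"):].lower()] = env[key]
    return payload


def evaluate(response_body):
    """Map the decision document to (decision, reasons, exit_code).

    Unknown or missing decisions fail closed: a guardrail whose answer cannot be
    read must not let a production deploy through.
    """
    try:
        doc = json.loads(response_body)
    except json.JSONDecodeError:
        return "error", ["response was not JSON"], EXIT_ERROR
    decision = str(doc.get("decision", "")).lower()
    reasons = [str(r) for r in doc.get("reasons", [])]
    if decision in ("allow", "warn"):
        return decision, reasons, EXIT_ALLOW
    if decision == "deny":
        return decision, reasons, EXIT_DENY
    return "error", reasons or [f"unrecognised decision {decision!r}"], EXIT_ERROR


def request_decision(env):
    """POST the payload to the (assumed) decision endpoint and return the body."""
    payload = build_payload(env)
    url = env["BLACKSHIELD_API_URL"].rstrip("/") + "/v1/decisions"   # assumed path
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + env["BLACKSHIELD_API_KEY"]},  # assumed scheme
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def main():
    try:
        body = request_decision(os.environ)
    except (ValueError, OSError) as exc:        # bad input, HTTP error, or no network
        print(f"policy client error: {exc}", file=sys.stderr)
        return EXIT_ERROR
    decision, reasons, code = evaluate(body)
    print(f"decision: {decision}")
    for reason in reasons:
        print(f"  - {reason}")
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Run it in place of `python -m policy.entrypoint` with the same variables set; a deny ends the job before the deploy step runs, while a warn prints its reasons and lets the pipeline continue, which is what advisory rollout relies on.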
Keep your rollout moving with the next recommended step.
Review and prioritize findings