Guide public

Gate Deploys with Hosted Rego Guardrails

Add a lightweight CI step that sends deploy context to your tenant and gets an allow, warn, or deny decision back without self-hosting OPA. Audience: Platform engineers, release managers, and security engineers. Temps moyen de mise en place: 3 minutes.

Avant de commencer

Install the managed starter pack in Policies and keep it in advisory mode for the first rollout.
Create or reuse a tenant API key in Settings → API Keys for your CI system.
Identify the service ID, target environment, artifact name, and branch values your deploy pipeline already exposes.

Étapes

Étape 1

Install the managed starter pack in the tenant

Open the Policies console, keep the starter pack in advisory mode first, and tune thresholds before enforcing production blocks.

Open Policies in the dashboard and review Starter Deploy Guardrails.
Confirm environments, severity thresholds, freshness window, and fail-open or fail-closed behavior.
Run a simulation with a representative production payload before wiring CI.
Publish any tenant-specific custom Rego only after the draft validates cleanly.

Étape 2

Store the existing tenant API key in CI

The hosted decision API reuses the same tenant API key pattern as other machine-to-machine workflows, so no extra auth system is required.

Create or reuse a scoped API key in Settings → API Keys.
Store `SECPLATFORM_API_URL` and `SECPLATFORM_API_KEY` in your CI secret store.
Map service, environment, branch, artifact, and actor metadata from your pipeline variables.
Start with advisory rollout mode so warn outcomes surface without blocking releases.

Étape 3

Add the policy client job to your deploy pipeline

Run the policy client before the real deployment step. It posts the deploy request, prints reasons, and exits non-zero only when the final decision is deny.

Bootstrap the GitHub Actions or GitLab source bundle from this guide, then commit it to your repo.
Set `POLICY_SERVICE_ID`, `POLICY_TARGET_ENVIRONMENT`, and any optional repository or artifact fields.
Pass reviewer, ticket, or promotion metadata through `POLICY_CONTEXT_JSON` when your tenant policies expect it.
Place the job immediately before the production deploy so the decision reflects the current release candidate.

Get the source bundle

Download the exact source files referenced on this page, or run the one-command installer to write them locally before following the deployment steps.

GitHub Actions deploy gate

Writes `.github/workflows/deploy-guardrails.yml` with a hosted policy decision step that runs before production deploys.

.github/workflows/deploy-guardrails.yml

bash

bash <(curl -fsSL https://stg-blackshield.chaplau.com/source-bundles/github-policy-guardrails.sh)

Download source

GitLab deploy gate job

Writes `.gitlab/deploy-guardrails.yml` with a reusable hosted policy decision job for production deployments.

.gitlab/deploy-guardrails.yml

bash

bash <(curl -fsSL https://stg-blackshield.chaplau.com/source-bundles/gitlab-policy-guardrails.sh)

Download source

Exécuter

One-shot policy decision from any shell

bash

docker run --rm \
  -e SECPLATFORM_API_URL=https://api.yourdomain.com \
  -e SECPLATFORM_API_KEY=sp_xxxx \
  -e POLICY_SERVICE_ID=payment-gateway \
  -e POLICY_TARGET_ENVIRONMENT=prod \
  -e POLICY_REPOSITORY=acme/payment-gateway \
  -e POLICY_ARTIFACT=ghcr.io/acme/payment-gateway:${GIT_SHA:-latest} \
  -e POLICY_BRANCH=main \
  -e POLICY_CONTEXT_JSON='{"reviewer":"release-manager","change_ticket":"CAB-2026-0321"}' \
  secplatform/policy-client:latest

GitHub Actions deploy gate

yaml

- name: Evaluate hosted deploy guardrails
  run: |
    docker run --rm \
      -e SECPLATFORM_API_URL="${{ vars.SECPLATFORM_API_URL }}" \
      -e SECPLATFORM_API_KEY="${{ secrets.SECPLATFORM_API_KEY }}" \
      -e POLICY_SERVICE_ID="payment-gateway" \
      -e POLICY_TARGET_ENVIRONMENT="prod" \
      -e POLICY_REPOSITORY="${{ github.repository }}" \
      -e POLICY_ARTIFACT="ghcr.io/acme/payment-gateway:${{ github.sha }}" \
      -e POLICY_COMMIT_SHA="${{ github.sha }}" \
      -e POLICY_BRANCH="${{ github.ref_name }}" \
      -e POLICY_ACTOR="${{ github.actor }}" \
      -e POLICY_CONTEXT_JSON='{"reviewer":"${{ github.actor }}","pipeline":"deploy-production"}' \
      secplatform/policy-client:latest

GitLab CI deploy gate

yaml

deploy-guardrails:
  stage: deploy
  image: secplatform/policy-client:latest
  script:
    - python -m policy.entrypoint
  variables:
    POLICY_SERVICE_ID: "payment-gateway"
    POLICY_TARGET_ENVIRONMENT: "prod"
    POLICY_REPOSITORY: "$CI_PROJECT_PATH"
    POLICY_ARTIFACT: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    POLICY_COMMIT_SHA: "$CI_COMMIT_SHA"
    POLICY_BRANCH: "$CI_COMMIT_REF_NAME"
    POLICY_ACTOR: "$GITLAB_USER_LOGIN"
    POLICY_CONTEXT_JSON: '{"reviewer":"$GITLAB_USER_LOGIN","pipeline":"deploy-production"}'

Vérifications de réussite

The policy client returns `allow` or `warn` for a healthy sample deploy and exits with code 0.
A seeded or simulated high-risk release returns `deny` and blocks the deploy stage with clear reasons.
Decision history in Policies records the request summary, matched policies, and final outcome.

Actions suivantes

Open Policies Open API Keys Deploy the Pipeline Scanner

Guides associés

Gate Deploys with Hosted Rego Guardrails | BlackShield Docs