INTERCEPT: Policy as Code Static Analysis Auditing
INTERCEPT
Stupidly easy to use, small-footprint Policy as Code command-line scanner with subsecond runtimes. It leverages the fastest multi-line search tool (ripgrep) to scan your codebase and can be used as a linter, a guardrail control, or a simple data collector and inspector. Consider it a weaponized ripgrep. Works on Mac, Linux, and Windows.
How it works
- intercept binary
- policies yaml file
- (included) ripgrep binary
- (optional) exceptions yaml file
Intercept merges environment flags, the policies yaml and the exceptions yaml into a single global config. It then uses ripgrep to recursively scan the target path for policy breaches in your code and generates human-readable, detailed output of the findings: the file and line number of each match plus the remediation text attached to the policy.
Use cases
- Simple and powerful free drop-in alternative to HashiCorp Sentinel if you are more comfortable writing and maintaining regular expressions than learning a new custom policy language.
- Do you find Open Policy Agent Rego files too much sugar for your pipeline?
- Captures the patterns from git-secrets and trufflehog and can prevent sensitive information from running through your pipeline (trufflehog regex).
- Identifies policy breaches (file and line number) and reports solutions/suggestions for its findings, making it a great tool for onboarding developer teams to your unified deployment pipeline.
- Can enforce style guides, coding standards and best practices, and also report on suboptimal configurations.
- Can collect matched patterns or high-entropy data and output it in multiple formats.
- Anything you can match with a regular expression can be actioned on.
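To make the "How it works" flow and the secret-scanning use cases concrete, here is a small Python scanner written for this page. It is an added example, not INTERCEPT's own code: the policy and exception schema, the rule names, the solution strings and the sample files are all assumed or constructed, and the ripgrep subprocess and YAML parsing are replaced by stdlib code so it runs offline. It merges a policy list with an exception list, applies regex rules and a trufflehog-style Shannon-entropy rule line by line, and prints file:line findings with the suggested fix.

```python
"""Minimal policy-as-code scanner in the spirit of INTERCEPT.

Added example, not the project's own code. The policy/exception schema,
rule names and sample files below are assumed for illustration; the real
tool shells out to ripgrep and reads YAML, both replaced here by stdlib
code so the example runs offline.
"""
import fnmatch
import math
import os
import re
from dataclasses import dataclass

# Assumed stand-in for policies.yaml: three regex rules plus one entropy rule.
POLICIES = [
    {"name": "aws-access-key",
     "pattern": r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])",
     "solution": "Remove the key, rotate it in IAM, and load credentials from the environment or a secrets manager."},
    {"name": "private-key-block",
     "pattern": r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----",
     "solution": "Never commit private keys; keep them in a vault and inject them at deploy time."},
    {"name": "tf-public-ingress",
     "pattern": r'cidr_blocks\s*=\s*\[\s*"0\.0\.0\.0/0"\s*\]',
     "solution": "Restrict security-group ingress to known CIDR ranges instead of 0.0.0.0/0."},
    {"name": "high-entropy-string",
     "entropy": 4.5,  # bits/char; trufflehog-style threshold for base64-like tokens
     "solution": "Looks like an embedded token or key; move it to a secret store."},
]

# Assumed stand-in for exceptions.yaml: suppress one policy for matching paths.
EXCEPTIONS = [{"policy": "high-entropy-string", "path": "*/fixtures/*"}]

# Candidate tokens for the entropy rule: base64-ish runs of 20+ characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


@dataclass
class Finding:
    path: str
    line: int
    policy: str
    match: str
    solution: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_excepted(policy: str, path: str, exceptions) -> bool:
    # fnmatch's '*' also crosses '/', so "*/fixtures/*" matches nested paths.
    return any(e["policy"] == policy and fnmatch.fnmatch(path, e["path"])
               for e in exceptions)


def scan_text(path: str, text: str, policies=POLICIES, exceptions=EXCEPTIONS):
    """Apply every non-excepted policy to each line; return Finding objects."""
    active = [p for p in policies if not is_excepted(p["name"], path, exceptions)]
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pol in active:
            if "pattern" in pol:
                hits = (m.group(0) for m in re.finditer(pol["pattern"], line))
            else:  # entropy rule: flag long tokens whose entropy crosses the threshold
                hits = (t for t in TOKEN_RE.findall(line)
                        if shannon_entropy(t) >= pol["entropy"])
            findings.extend(Finding(path, lineno, pol["name"], h, pol["solution"])
                            for h in hits)
    return findings


def scan_tree(root: str, policies=POLICIES, exceptions=EXCEPTIONS):
    """Recursive on-disk scan, the part INTERCEPT delegates to ripgrep."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    out.extend(scan_text(os.path.relpath(full, root), fh.read(),
                                         policies, exceptions))
            except OSError:
                continue
    return out


def report(findings) -> str:
    """Human-readable output: file:line, policy, match, and the suggested fix."""
    return "\n".join(f"{f.path}:{f.line}: [{f.policy}] {f.match}\n    fix: {f.solution}"
                     for f in findings)


# Constructed sample files; the key and tokens are made up, not real secrets.
SAMPLE_FILES = {
    "app/config.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = True\n',
    "app/settings.py": 'API_TOKEN = "Qz7pL2mX9vB4nR8sT1wY6kH3jF5dG0cA"  # constructed\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(body omitted in this sample)\n",
    "infra/sg.tf": 'ingress {\n  cidr_blocks = ["0.0.0.0/0"]\n}\n',
    "tests/fixtures/blob.txt": "ZXhhbXBsZS1oaWdoLWVudHJvcHktZGF0YQ==\n",
}


def scan_sample(exceptions=EXCEPTIONS):
    """Scan the in-memory sample set (stands in for a checkout on disk)."""
    out = []
    for path, text in SAMPLE_FILES.items():
        out.extend(scan_text(path, text, POLICIES, exceptions))
    return out


if __name__ == "__main__":
    print(report(scan_sample()))
```

Run the file directly to print the report for the sample set, or call scan_tree on a real checkout. Two caveats worth keeping in mind with any regex-plus-entropy scanner of this kind: the entropy heuristic only scores the character histogram, so the AWS example key above comes out near 3.7 bits/char and is caught only by the pattern rule, and hex-encoded secrets can never exceed 4.0 bits/char (16 symbols), which is why trufflehog uses a separate, lower threshold for hex. Exceptions should stay as narrow as the fixtures rule here; a path-wide suppression of a secrets policy is itself a finding. Note also that ripgrep skips hidden and .gitignore'd files by default, so confirm what the scan actually covers before treating a clean run as a pass.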
Download && Use
Copyright (C) 2020 xfhg