{"id":"b7b46460-b596-4fba-95ad-13171d04dab6","shortId":"ZXeU6y","kind":"skill","title":"create-policy","tagline":">-","description":"# Create Policy\n\nCreate OPA governance policies for Harness Software Supply Chain Assurance (SCS) via MCP.\n\n## Instructions\n\n### Step 1: Identify Policy Requirements\n\nDetermine what the policy should enforce:\n- What entity type is the policy targeting? (pipeline, service, environment, feature flag, etc.)\n- What is the enforcement action (warn, deny)?\n- What scope should the policy apply to?\n- What action triggers the policy? (onrun, onsave, onstep, etc.)\n\n**For writing Rego policies**, consult `references/rego-writing-guide.md` for the complete Rego writing rules, entity types, package names, and common patterns. For entity-specific schemas and examples, see the entity reference files listed in that guide.\n\n### Step 2: Create the Policy\n\n```\nCall MCP tool: harness_create\nParameters:\n  resource_type: \"policy\"\n  org_id: \"<organization>\"\n  project_id: \"<project>\"\n  body: <policy definition>\n```\n\nOPA policies are managed under the `governance` toolset — `resource_type: \"policy\"` supports full CRUD (list, get, create, update, delete).\n\n### Step 3: Verify Compliance Results\n\nAfter a policy is created, check compliance status on artifacts or repositories:\n\n```\nCall MCP tool: harness_list\nParameters:\n  resource_type: \"scs_compliance_result\"\n  org_id: \"<organization>\"\n  project_id: \"<project>\"\n```\n\n## Common Policy Patterns\n\n### Require SBOM Generation\n\nEnforce that all artifacts have an SBOM before deployment:\n\n```rego\npackage harness.artifact\n\ndeny[msg] {\n  not input.artifact.sbom\n  msg := \"Artifact must have an SBOM before deployment\"\n}\n```\n\n### Block Critical Vulnerabilities\n\nDeny deployment of artifacts with critical CVEs:\n\n```rego\npackage harness.artifact\n\ndeny[msg] {\n  vuln := input.artifact.vulnerabilities[_]\n  vuln.severity == \"CRITICAL\"\n  msg := 
sprintf(\"Critical vulnerability %s found in artifact\", [vuln.cve_id])\n}\n```\n\n### Enforce Approved Base Images\n\nRestrict container images to approved base images:\n\n```rego\npackage harness.artifact\n\napproved_bases := {\"alpine\", \"distroless\", \"ubuntu\"}\n\ndeny[msg] {\n  not approved_bases[input.artifact.base_image]\n  msg := sprintf(\"Base image '%s' is not in the approved list\", [input.artifact.base_image])\n}\n```\n\n### Require Signed Artifacts\n\nEnforce artifact signing before deployment:\n\n```rego\npackage harness.artifact\n\ndeny[msg] {\n  not input.artifact.signed\n  msg := \"Artifact must be signed before deployment\"\n}\n```\n\n## Related Resource Types\n\n| Resource Type | Operations | Description |\n|--------------|-----------|-------------|\n| `policy` | list, get, create, update, delete | OPA governance policies (governance toolset) |\n| `policy_set` | list, get, create, update, delete | Group policies with enforcement actions |\n| `policy_evaluation` | list, get | View policy evaluation results |\n| `scs_compliance_result` | list | Check SCS policy compliance status |\n| `artifact_security` | list, get | View artifact security posture |\n| `code_repo_security` | list, get | View repository security posture |\n| `scs_chain_of_custody` | get | Verify artifact provenance |\n\n## Rego Policy Reference Files\n\nFor writing Rego policies for any Harness entity, consult these reference files:\n\n- [Rego writing guide and rules](references/rego-writing-guide.md) — Entity types, package names, Rego patterns, quality checklist\n- [Pipeline policies and schema](references/entity-pipeline.md) — Pipeline input schema, step/stage nesting, walk patterns\n- [Feature Flag / FME policies](references/entity-feature-flag.md) — Feature flag, definition, FME environment, segment schemas\n- [Service, Environment, Infrastructure](references/entity-service-env-infra.md) — Service, env, infra schemas and examples\n- [Security Tests 
policies](references/entity-security-tests.md) — Security test output schema, severity/coverage checks\n- [SBOM policies](references/entity-sbom.md) — SBOM deny/allow list patterns with semver comparison\n- [Terraform and Workspace](references/entity-terraform.md) — Terraform plan, cost, state, workspace schemas\n- [GitOps Application](references/entity-gitops.md) — GitOps app schema, namespace/label/revision policies\n- [Code Repository](references/entity-code-repository.md) — Code repo naming, visibility, branch policies\n- [Variable policies](references/entity-variable.md) — Variable schema, role-based restrictions\n- [Override policies](references/entity-override.md) — Override schema, config file and variable protection\n- [Connector policies](references/entity-connector.md) — Connector schema, type/auth/naming restrictions\n- [Secret policies](references/entity-secret.md) — Secret schema, naming/type/provider restrictions\n- [Template policies](references/entity-template.md) — Template schema, approval/versioning/environment checks\n- [Database DevOps policies](references/entity-database.md) — SQL statement governance, DDL restrictions, transaction limits\n- [Upstream Firewall](references/entity-upstream-firewall.md) — Firewall package schema, CVE/license policies\n- [Advanced patterns](references/advanced-patterns.md) — Exception handling, walk, scoped references, exemptions\n\n## Examples\n\n- \"Create a policy to block critical CVEs\" -- Create OPA deny rule for critical severity\n- \"Enforce SBOM generation for all artifacts\" -- Create policy requiring SBOM presence\n- \"Only allow approved base images\" -- Create policy with allowed base image list\n- \"Require artifact signing before production\" -- Create policy checking signature status\n- \"Require approval before production deployments\" -- Pipeline policy with Approval stage check\n- \"Enforce disallowPipelineExecutor on approval steps\" -- Pipeline walk-based step check\n- \"Block Terraform plans 
exceeding $100/month\" -- Terraform plan cost policy\n- \"Require feature flag descriptions\" -- FME feature flag onsave policy\n- \"Prevent GitOps deployments to kube-system\" -- GitOps namespace restriction\n- \"Check which artifacts violate our policies\" -- List scs_compliance_result\n\n## Performance Notes\n\n- Validate Rego syntax before submitting. Common issues: missing package declaration, deny rules without msg return.\n- Ensure the policy package name follows `package harness.<domain>` convention.\n- Test policy logic mentally against expected inputs before creating.\n\n## Troubleshooting\n\n### Policy Not Enforcing\n- Verify the policy was created successfully (list via `resource_type: \"policy\"`)\n- Policies must be attached to a `policy_set` with an enforcement action (warn/deny) before they fire\n- Check that the policy scope matches the target artifacts/repositories\n- Use `scs_compliance_result` or `policy_evaluation` to verify the policy is being evaluated\n\n### Policy Syntax Errors\n- OPA policies use Rego language -- validate syntax before submitting\n- Package names should follow `package harness.<domain>` convention\n- Deny rules must return a `msg` string explaining the violation\n\n### Limitations\n- Policies apply within the project scope where they are created\n- Attach policies to a `policy_set` to activate enforcement","tags":["create","policy","harness","skills","agent-skills","agents"],"capabilities":["skill","source-harness","skill-create-policy","topic-agent-skills","topic-agents"],"categories":["harness-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/harness/harness-skills/create-policy","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add harness/harness-skills","source_repo":"https://github.com/harness/harness-skills","install_from":"skills.sh"}},"qualityScore":"0.457","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github 
topic:agent-skills · 15 github stars · SKILL.md body (6,985 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:06:29.542Z","embedding":null,"createdAt":"2026-05-09T01:05:28.194Z","updatedAt":"2026-05-18T19:06:29.542Z","lastSeenAt":"2026-05-18T19:06:29.542Z","prices":[{"id":"9768eb31-0e96-46e1-b943-e82cf67af703","listingId":"b7b46460-b596-4fba-95ad-13171d04dab6","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"harness","category":"harness-skills","install_from":"skills.sh"},"createdAt":"2026-05-09T01:05:28.194Z"}],"sources":[{"listingId":"b7b46460-b596-4fba-95ad-13171d04dab6","source":"github","sourceId":"harness/harness-skills/create-policy","sourceUrl":"https://github.com/harness/harness-skills/tree/main/skills/create-policy","isPrimary":false,"firstSeenAt":"2026-05-09T01:05:28.194Z","lastSeenAt":"2026-05-18T19:06:29.542Z"}],"details":{"listingId":"b7b46460-b596-4fba-95ad-13171d04dab6","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"harness","slug":"create-policy","github":{"repo":"harness/harness-skills","stars":15,"topics":["agent-skills","agents"],"license":"apache-2.0","html_url":"https://github.com/harness/harness-skills","pushed_at":"2026-05-13T01:28:28Z","description":"A collection of structured AI agent skills that   enable Claude Code, Cursor, GitHub Copilot, and   other AI coding assistants to create, operate,   debug, and govern Harness CI/CD workflows through   natural language.","skill_md_sha":"59a06d9c6c6bd3b13d9ebeac7a059d70e121d511","skill_md_path":"skills/create-policy/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/harness/harness-skills/tree/main/skills/create-policy"},"layout":"multi","source":"github","category":"harness-skills","frontmatter":{"name":"create-policy","license":"Apache-2.0","description":">-","compatibility":"Requires Harness MCP v2 server (harness-mcp-v2)"},"skills_sh_url":"https://skills.sh/harness/harness-skills/create-policy"},"updatedAt":"2026-05-18T19:06:29.542Z"}}