
create-policy


Price: free
Protocol: skill
Verified: no

What it does

Create Policy

Create OPA governance policies for Harness Software Supply Chain Assurance (SCS) via MCP.

Instructions

Step 1: Identify Policy Requirements

Determine what the policy should enforce:

  • What entity type is the policy targeting? (pipeline, service, environment, feature flag, etc.)
  • What is the enforcement action (warn, deny)?
  • What scope should the policy apply to?
  • What action triggers the policy? (onrun, onsave, onstep, etc.)

For writing Rego policies, consult references/rego-writing-guide.md for the complete Rego writing rules, entity types, package names, and common patterns. For entity-specific schemas and examples, see the entity reference files listed in that guide.

Step 2: Create the Policy

Call MCP tool: harness_create
Parameters:
  resource_type: "policy"
  org_id: "<organization>"
  project_id: "<project>"
  body: <policy definition>

OPA policies are managed under the governance toolset — resource_type: "policy" supports full CRUD (list, get, create, update, delete).

Step 3: Verify Compliance Results

After a policy is created, check compliance status on artifacts or repositories:

Call MCP tool: harness_list
Parameters:
  resource_type: "scs_compliance_result"
  org_id: "<organization>"
  project_id: "<project>"

Common Policy Patterns

Require SBOM Generation

Enforce that all artifacts have an SBOM before deployment:

package harness.artifact

deny[msg] {
  not input.artifact.sbom
  msg := "Artifact must have an SBOM before deployment"
}

Block Critical Vulnerabilities

Deny deployment of artifacts with critical CVEs:

package harness.artifact

deny[msg] {
  vuln := input.artifact.vulnerabilities[_]
  vuln.severity == "CRITICAL"
  msg := sprintf("Critical vulnerability %s found in artifact", [vuln.cve_id])
}

Enforce Approved Base Images

Restrict container images to approved base images:

package harness.artifact

approved_bases := {"alpine", "distroless", "ubuntu"}

deny[msg] {
  not approved_bases[input.artifact.base_image]
  msg := sprintf("Base image '%s' is not in the approved list", [input.artifact.base_image])
}

Require Signed Artifacts

Enforce artifact signing before deployment:

package harness.artifact

deny[msg] {
  not input.artifact.signed
  msg := "Artifact must be signed before deployment"
}

Related Resource Types

Resource Type          | Operations                        | Description
policy                 | list, get, create, update, delete | OPA governance policies (governance toolset)
policy_set             | list, get, create, update, delete | Group policies with enforcement actions
policy_evaluation      | list, get                         | View policy evaluation results
scs_compliance_result  | list                              | Check SCS policy compliance status
artifact_security      | list, get                         | View artifact security posture
code_repo_security     | list, get                         | View repository security posture
scs_chain_of_custody   | get                               | Verify artifact provenance

Rego Policy Reference Files

For writing Rego policies for any Harness entity, consult these reference files:

Examples

  • "Create a policy to block critical CVEs" -- Create OPA deny rule for critical severity
  • "Enforce SBOM generation for all artifacts" -- Create policy requiring SBOM presence
  • "Only allow approved base images" -- Create policy with allowed base image list
  • "Require artifact signing before production" -- Create policy checking signature status
  • "Require approval before production deployments" -- Pipeline policy with Approval stage check
  • "Enforce disallowPipelineExecutor on approval steps" -- Pipeline walk-based step check
  • "Block Terraform plans exceeding $100/month" -- Terraform plan cost policy
  • "Require feature flag descriptions" -- FME feature flag onsave policy
  • "Prevent GitOps deployments to kube-system" -- GitOps namespace restriction
  • "Check which artifacts violate our policies" -- List scs_compliance_result

Performance Notes

  • Validate Rego syntax before submitting. Common issues: missing package declaration, deny rules without msg return.
  • Ensure the policy package name follows package harness.<domain> convention.
  • Test policy logic mentally against expected inputs before creating.
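The following is an added example, not code from the Harness skill or its reference files. It extends the Block Critical Vulnerabilities pattern under Common Policy Patterns and shows the kind of input-driven testing the notes above ask for, using the same deny[msg] rule style as the page's policies and the page's field names (input.artifact.vulnerabilities, severity, cve_id). The HIGH threshold, the fail-closed rule for unscanned artifacts, the constructed inputs and the placeholder CVE ids are this example's own assumptions.

```rego
package harness.artifact

# Added example, not from the Harness skill. Field names follow the page
# (input.artifact.vulnerabilities, severity, cve_id); the blocking set and
# the fail-closed rule are this example's own choices.

# Severities that block deployment. The page's rule blocks CRITICAL only;
# HIGH is added here to show how a threshold set generalises it.
blocking_severities := {"CRITICAL", "HIGH"}

# Fail closed: the page's rule iterates input.artifact.vulnerabilities[_],
# so an artifact with no scan results yields no findings and passes.
# This rule denies artifacts that carry no vulnerability list at all.
deny[msg] {
  not input.artifact.vulnerabilities
  msg := "Artifact has no vulnerability scan results; refusing unscanned artifact"
}

# One message per blocking finding, so the evaluation lists every CVE.
deny[msg] {
  vuln := input.artifact.vulnerabilities[_]
  blocking_severities[vuln.severity]
  msg := sprintf("%s vulnerability %s found in artifact", [vuln.severity, vuln.cve_id])
}

# Unit tests, run with `opa test` on this file. Inputs are constructed and
# the CVE ids are placeholders, not real advisories.
test_unscanned_artifact_denied {
  count(deny) == 1 with input as {"artifact": {"name": "app:1.0"}}
}

test_clean_scan_allowed {
  count(deny) == 0 with input as {"artifact": {"vulnerabilities": []}}
}

test_only_blocking_severities_denied {
  findings := [
    {"cve_id": "CVE-0000-0001", "severity": "CRITICAL"},
    {"cve_id": "CVE-0000-0002", "severity": "HIGH"},
    {"cve_id": "CVE-0000-0003", "severity": "LOW"}
  ]
  result := deny with input as {"artifact": {"vulnerabilities": findings}}
  count(result) == 2
}
```

An empty vulnerabilities list is treated as a completed scan with no findings and passes; only an absent list is refused.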

Troubleshooting

Policy Not Enforcing

  • Verify the policy was created successfully (list via resource_type: "policy")
  • Policies must be attached to a policy_set with an enforcement action (warn/deny) before they fire
  • Check that the policy scope matches the target artifacts/repositories
  • Use scs_compliance_result or policy_evaluation to verify the policy is being evaluated

Policy Syntax Errors

  • OPA policies are written in Rego -- validate the syntax before submitting
  • Package names should follow package harness.<domain> convention
  • Deny rules must return a msg string explaining the violation

Limitations

  • Policies apply within the project scope where they are created
  • Attach policies to a policy_set to activate enforcement

Capabilities

skill, source-harness, skill-create-policy, topic-agent-skills, topic-agents

Install

Install: npx skills add harness/harness-skills
Transport: skills-sh
Protocol: skill

Quality

0.46 / 1.00

Deterministic score 0.46 from registry signals: indexed on GitHub topic agent-skills; 15 GitHub stars; SKILL.md body (6,985 chars).

Provenance

Indexed from: github
Enriched: 2026-05-18 19:06:29Z (deterministic:skill-github:v1, v1)
First seen: 2026-05-09
Last seen: 2026-05-18

Agent access