ec validate input

Validate arbitrary JSON or yaml file input conformance with the provided policies

Synopsis

Validate conformance of arbitrary JSON or yaml file input with the provided policies

For each file, validation is performed to determine if the file conforms to rego policies defined in the EnterpriseContractPolicy.

Input files can be specified as positional arguments or via the --file flag (deprecated). If both are provided, the values are combined.

When --server is provided, a persistent HTTP server is started instead of running a one-shot evaluation. Policies are loaded once at startup. The server exposes the following endpoints:

POST /v1/validate/input  - Evaluate input (JSON or YAML body)
GET  /live               - Liveness probe (always 200)
GET  /ready              - Readiness probe (200 when policies are loaded)

The evaluation endpoint returns the same JSON structure as --output json. HTTP 200 is returned for all completed evaluations (the "success" field distinguishes pass/fail). Restart the server to pick up policy changes.

Error responses use HTTP 400 (bad request), 413 (body too large), or 500 (internal error) with a JSON body: {"error":"<message>","status":<code>}.

Server limits: request body max 80MB, evaluation timeout 90s.

ec validate input [file ...] [flags]

Examples

Validate a single file using positional arguments ec validate input /path/to/file.json --policy my-policy.yaml

Validate multiple files using positional arguments ec validate input /path/to/file.yaml /path/to/file2.yaml --policy my-policy.yaml

Validate all YAML files in a directory using shell glob expansion ec validate input *.yaml --policy my-policy.yaml

Use the deprecated --file flag (still functional, multiple forms supported) ec validate input --file /path/to/file.json --policy my-policy.yaml ec validate input --file /path/to/file.yaml --file /path/to/file2.yaml --policy my-policy.yaml ec validate input --file="/path/to/file.json,/path/to/file2.json" --policy my-policy.yaml

Use a git url for the policy configuration. In the first example there should be a '.ec/policy.yaml' or a 'policy.yaml' inside a directory called 'default' in the top level of the git repo. In the second example there should be a '.ec/policy.yaml' or a 'policy.yaml' file in the top level of the git repo. For git repos not hosted on 'github.com' or 'gitlab.com', prefix the url with 'git::'. For the policy configuration files you can use json instead of yaml if you prefer.

ec validate input /path/to/file.json --policy github.com/user/repo//default?ref=main
ec validate input /path/to/file.yaml --policy github.com/user/repo

Start a persistent HTTP server for policy evaluation over REST:

ec validate input --server --policy my-policy.yaml

Send a request to the evaluation endpoint:

curl -s -X POST -H 'Content-Type: application/json' --data-binary @input.json http://localhost:8080/v1/validate/input
curl -s -X POST -H 'Content-Type: application/yaml' --data-binary @input.yaml http://localhost:8080/v1/validate/input

Start the server on a custom port:

ec validate input --server --server-port 9090 --policy my-policy.yaml

Options

--color

Enable color when using text output even when the current terminal does not support it (Default: false)

--effective-time

Run policy checks with the provided time. Useful for testing rules with effective dates in the future. The value can be "now" (default) - for current time, or a RFC3339 formatted value, e.g. 2022-11-18T00:00:00Z. (Default: now)

-f, --file

DEPRECATED: use positional arguments instead. Path to input YAML/JSON file (Default: [])

-h, --help

help for input (Default: false)

--info

Include additional information on the failures. For instance for policy violations, include the title and the description of the failed policy rule. (Default: false)

--no-color

Disable color when using text output even when the current terminal supports it (Default: false)

-o, --output

Write output to a file in a specific format, e.g. yaml=/tmp/output.yaml. Use empty string path for stdout, e.g. yaml. May be used multiple times. Possible formats are: json, yaml, text, summary. In following format and file path additional options can be provided in key=value form following the question mark (?) sign, for example: --output text=output.txt?show-successes=false (Default: [])

-p, --policy

Policy configuration as:

  • file (policy.yaml)

  • git reference (github.com/user/repo//default?ref=main), or

  • inline JSON ('{sources: {…​}}')")

--server

Start a persistent HTTP server instead of running a one-shot evaluation. Mutually exclusive with input files. Policies are loaded once at startup. Note: the server has no built-in authentication or rate limiting. Use a reverse proxy or network policy to restrict access in production. (Default: false)

--server-address

Address for the HTTP server to bind to when running in server mode. Defaults to 127.0.0.1 (localhost only). Set to 0.0.0.0 to listen on all interfaces. (Default: 127.0.0.1)

--server-port

Port for the HTTP server when running in server mode. (Default: 8080)

-s, --strict

Return non-zero status on non-successful validation (Default: true)

--workers

Number of workers to use for validation. Defaults to 5. (Default: 5)

Options inherited from parent commands

--debug

same as verbose but also show function names and line numbers (Default: false)

--kubeconfig

path to the Kubernetes config file to use

--logfile

file to write the logging output. If not specified logging output will be written to stderr

--quiet

less verbose output (Default: false)

--retry-duration

base duration for exponential backoff calculation (Default: 1s)

--retry-factor

exponential backoff multiplier (Default: 2)

--retry-jitter

randomness factor for backoff calculation (0.0-1.0) (Default: 0.1)

--retry-max-retry

maximum number of retry attempts (Default: 3)

--retry-max-wait

maximum wait time between retries (Default: 3s)

--show-policy-docs-link

Show link to policy documentation in output when there are violations or warnings (Default: false)

--show-successes

(Default: false)

--show-warnings

(Default: true)

--timeout

max overall execution duration (Default: 5m0s)

--trace

enable trace logging, set one or more comma separated values: none,all,perf,cpu,mem,opa,log (Default: none)

--verbose

more verbose output (Default: false)