ec validate input
Validate arbitrary JSON or yaml file input conformance with the provided policies
Synopsis
Validate conformance of arbitrary JSON or yaml file input with the provided policies
For each file, validation is performed to determine if the file conforms to rego policies defined in the EnterpriseContractPolicy.
Input files can be specified as positional arguments or via the --file flag (deprecated). If both are provided, the values are combined.
When --server is provided, a persistent HTTP server is started instead of running a one-shot evaluation. Policies are loaded once at startup. The server exposes the following endpoints:
POST /v1/validate/input - Evaluate input (JSON or YAML body) GET /live - Liveness probe (always 200) GET /ready - Readiness probe (200 when policies are loaded)
The evaluation endpoint returns the same JSON structure as --output json. HTTP 200 is returned for all completed evaluations (the "success" field distinguishes pass/fail). Restart the server to pick up policy changes.
Error responses use HTTP 400 (bad request), 413 (body too large), or 500 (internal error) with a JSON body: {"error":"<message>","status":<code>}.
Server limits: request body max 80MB, evaluation timeout 90s.
ec validate input [file ...] [flags]
Examples
Validate a single file using positional arguments ec validate input /path/to/file.json --policy my-policy.yaml
Validate multiple files using positional arguments ec validate input /path/to/file.yaml /path/to/file2.yaml --policy my-policy.yaml
Validate all YAML files in a directory using shell glob expansion ec validate input *.yaml --policy my-policy.yaml
Use the deprecated --file flag (still functional, multiple forms supported) ec validate input --file /path/to/file.json --policy my-policy.yaml ec validate input --file /path/to/file.yaml --file /path/to/file2.yaml --policy my-policy.yaml ec validate input --file="/path/to/file.json,/path/to/file2.json" --policy my-policy.yaml
Use a git url for the policy configuration. In the first example there should be a '.ec/policy.yaml' or a 'policy.yaml' inside a directory called 'default' in the top level of the git repo. In the second example there should be a '.ec/policy.yaml' or a 'policy.yaml' file in the top level of the git repo. For git repos not hosted on 'github.com' or 'gitlab.com', prefix the url with 'git::'. For the policy configuration files you can use json instead of yaml if you prefer.
ec validate input /path/to/file.json --policy github.com/user/repo//default?ref=main
ec validate input /path/to/file.yaml --policy github.com/user/repo
Start a persistent HTTP server for policy evaluation over REST:
ec validate input --server --policy my-policy.yaml
Send a request to the evaluation endpoint:
curl -s -X POST -H 'Content-Type: application/json' --data-binary @input.json http://localhost:8080/v1/validate/input
curl -s -X POST -H 'Content-Type: application/yaml' --data-binary @input.yaml http://localhost:8080/v1/validate/input
Start the server on a custom port:
ec validate input --server --server-port 9090 --policy my-policy.yaml
Options
- --color
-
Enable color when using text output even when the current terminal does not support it (Default: false)
- --effective-time
-
Run policy checks with the provided time. Useful for testing rules with effective dates in the future. The value can be "now" (default) - for current time, or a RFC3339 formatted value, e.g. 2022-11-18T00:00:00Z. (Default: now)
- -f, --file
-
DEPRECATED: use positional arguments instead. Path to input YAML/JSON file (Default: [])
- -h, --help
-
help for input (Default: false)
- --info
-
Include additional information on the failures. For instance for policy violations, include the title and the description of the failed policy rule. (Default: false)
- --no-color
-
Disable color when using text output even when the current terminal supports it (Default: false)
- -o, --output
-
Write output to a file in a specific format, e.g. yaml=/tmp/output.yaml. Use empty string path for stdout, e.g. yaml. May be used multiple times. Possible formats are: json, yaml, text, summary. In following format and file path additional options can be provided in key=value form following the question mark (?) sign, for example: --output text=output.txt?show-successes=false (Default: [])
- -p, --policy
-
Policy configuration as:
-
file (policy.yaml)
-
git reference (github.com/user/repo//default?ref=main), or
-
inline JSON ('{sources: {…}}')")
-
- --server
-
Start a persistent HTTP server instead of running a one-shot evaluation. Mutually exclusive with input files. Policies are loaded once at startup. Note: the server has no built-in authentication or rate limiting. Use a reverse proxy or network policy to restrict access in production. (Default: false)
- --server-address
-
Address for the HTTP server to bind to when running in server mode. Defaults to 127.0.0.1 (localhost only). Set to 0.0.0.0 to listen on all interfaces. (Default: 127.0.0.1)
- --server-port
-
Port for the HTTP server when running in server mode. (Default: 8080)
- -s, --strict
-
Return non-zero status on non-successful validation (Default: true)
- --workers
-
Number of workers to use for validation. Defaults to 5. (Default: 5)
Options inherited from parent commands
- --debug
-
same as verbose but also show function names and line numbers (Default: false)
- --kubeconfig
-
path to the Kubernetes config file to use
- --logfile
-
file to write the logging output. If not specified logging output will be written to stderr
- --quiet
-
less verbose output (Default: false)
- --retry-duration
-
base duration for exponential backoff calculation (Default: 1s)
- --retry-factor
-
exponential backoff multiplier (Default: 2)
- --retry-jitter
-
randomness factor for backoff calculation (0.0-1.0) (Default: 0.1)
- --retry-max-retry
-
maximum number of retry attempts (Default: 3)
- --retry-max-wait
-
maximum wait time between retries (Default: 3s)
- --show-policy-docs-link
-
Show link to policy documentation in output when there are violations or warnings (Default: false)
- --show-successes
-
(Default: false)
- --show-warnings
-
(Default: true)
- --timeout
-
max overall execution duration (Default: 5m0s)
- --trace
-
enable trace logging, set one or more comma separated values: none,all,perf,cpu,mem,opa,log (Default: none)
- --verbose
-
more verbose output (Default: false)