CEL Policies¶
PolicyMesh evaluates CEL rules against every node in the live graph, in-memory, at scan time. Drop a rule in ~/.cloudslash/policies/ and it is live without a restart.
The Policy Schema¶
Policies are declared in YAML files. Each rule defines a CEL condition that evaluates against node attributes in the Devi graph.
rules:
- id: block-expensive-instances
condition: "cost > 500.0"
action: block
message: "Resources costing over $500/mo require VP approval"
enforcement_mode: enforcing
target_kinds:
- "ec2:instance"
- "compute:instance"
- "compute:vm"
- id: require-env-tag
condition: "!('env' in tags)"
action: warn
message: "Missing 'env' tag: SOC2 compliance requires environment tagging"
enforcement_mode: shadow
- id: ban-gp2-volumes
condition: "kind == 'ebs:volume' && props.VolumeType == 'gp2'"
action: violation
message: "gp3 is 20% cheaper with decoupled IOPS. Migrate immediately."
enforcement_mode: enforcing
- id: detect-public-s3
condition: "kind == 's3:bucket' && props.public_access == true"
action: block
message: "Public S3 bucket detected: data exposure risk"
enforcement_mode: enforcing
CEL Expression Variables¶
These variables are computed by the engine pipeline and projected into the CEL evaluation context.
| Variable | Type | Source | Description |
|---|---|---|---|
cost |
float64 |
Devi | Monthly cost in USD |
kind |
string |
Graph | Resource type (e.g., ec2:instance) |
provider |
string |
Graph | Cloud provider (aws, gcp, azure) |
region |
string |
Graph | Cloud region |
tags |
map[string]str |
Graph | Resource tags |
props |
map[string]any |
Graph | All resource properties |
is_waste |
bool |
Heuristics | Engine waste determination |
risk_score |
float64 |
Oracle | Formal verification risk score (0-100) |
reachability |
string |
Oracle | Network reachability state |
phase |
string |
s.a.u | Remediation phase (flagged, quarantined, purged) |
Enforcement Modes¶
| Mode | Behavior |
|---|---|
enforcing |
Actively blocks s.a.u remediation and flags violations |
shadow |
Logs violations without blocking: used for testing |
Loading Policies¶
Via CLI Flag¶
cs scan --rules policies.yaml --fail-on=critical --region us-east-1
cs daemon --rules policies.yaml --region us-east-1
Via Configuration¶
The daemon loads rules from ~/.cloudslash/policies/<bundle-name>/rules.yaml.
Via REST API¶
# Add rules dynamically to a running daemon
curl -X POST http://localhost:8080/api/v1/policies \
-H "Content-Type: application/json" \
-d '{
"rules": [{
"id": "block-public-rds",
"condition": "kind == \"rds:instance\" && props.PubliclyAccessible == true",
"action": "block",
"message": "Public RDS endpoint detected"
}]
}'
# Toggle enforcement mode
curl -X POST http://localhost:8080/api/v1/policies/toggle \
-d '{"rule_id": "block-public-rds"}'
# Dry-run evaluation without persistence
curl -X POST http://localhost:8080/api/v1/policies/dry-run \
-d '{"condition": "cost > 1000 && provider == \"aws\""}'
Policy Evaluation¶
In CI/CD
Combine policy rules with the scan gate to enforce compliance in pull request pipelines:
The scan exits with code 1 if any rule in soc2-compliance.yaml produces a warning or higher severity finding against the live infrastructure graph.