Class: Google::Apis::SecuritycenterV1::CelPolicySpec
- Inherits:
-
Object
- Object
- Google::Apis::SecuritycenterV1::CelPolicySpec
- Includes:
- Core::Hashable, Core::JsonObjectSupport
- Defined in:
- lib/google/apis/securitycenter_v1/classes.rb,
lib/google/apis/securitycenter_v1/representations.rb,
lib/google/apis/securitycenter_v1/representations.rb
Overview
YAML-based rule that uses CEL, which supports the declaration of variables and
a filtering predicate. A vulnerable resource is emitted if the evaluation is
false. Given: 1) the resource types as: - resource_types: "compute.googleapis.
com/Instance" - resource_types: "compute.googleapis.com/Firewall" 2) the CEL
policy spec as: name: bad_instance resource_filters: - name: instance
resource_type: compute.googleapis.com/Instance filter: > instance.status == '
RUNNING' && 'public' in instance.tags.items - name: firewall resource_type:
compute.googleapis.com/Firewall filter: > firewall.direction == 'INGRESS' && !
firewall.disabled && firewall.allowed.exists(rule, rule.IPProtocol.upperAscii()
in ['TCP', 'ALL'] && rule.ports.exists(port, network.portsInRange(port, '11-
256'))) rule: match: - predicate: > instance.networkInterfaces.exists(net,
firewall.network == net.network) output: > 'message': 'Compute instance with
publicly accessible ports', 'instance': instance.name Users are able to join
resource types together using the exact format as Kubernetes Validating
Admission policies.
Instance Attribute Summary collapse
-
#spec ⇒ String
The CEL policy to evaluate to produce findings.
Instance Method Summary collapse
-
#initialize(**args) ⇒ CelPolicySpec
constructor
A new instance of CelPolicySpec.
-
#update!(**args) ⇒ Object
Update properties of this object.
Constructor Details
#initialize(**args) ⇒ CelPolicySpec
Returns a new instance of CelPolicySpec.
1228 1229 1230 |
# File 'lib/google/apis/securitycenter_v1/classes.rb', line 1228 def initialize(**args) update!(**args) end |
Instance Attribute Details
#spec ⇒ String
The CEL policy to evaluate to produce findings. A finding is generated when
the policy validation evaluates to false.
Corresponds to the JSON property spec
1226 1227 1228 |
# File 'lib/google/apis/securitycenter_v1/classes.rb', line 1226 def spec @spec end |
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
1233 1234 1235 |
# File 'lib/google/apis/securitycenter_v1/classes.rb', line 1233 def update!(**args) @spec = args[:spec] if args.key?(:spec) end |