The External Secrets Inc. Audit & Compliance product suite is a premium product. It requires a specific subscription. Contact us for more information.

Password Compliance

This policy example checks whether every password stored in a secret complies with a set of rules (minimum length and character classes). A secret is reported as non-compliant when a key that holds a password does not satisfy those rules.

Policy Execution Time

This policy example should be executed on Update events.

Default Deny, Allow Case-by-Case Policy Code

package main
import rego.v1

default allow := false

# A key holds a password if its name contains "password".
# The match is case-insensitive so DB_PASSWORD and dbPassword are checked too.
contains_password(key) if {
  regex.match(`(?i).*password.*`, key)
}

complies_to_policy(val) if {
  # at least 8 characters
  regex.match(`.{8,}`, val)
  # at least one upper case char
  regex.match(`.*[A-Z].*`, val)
  # at least one lower case char
  regex.match(`.*[a-z].*`, val)
  # at least one special char
  regex.match(`.*[*.,!@#%^&].*`, val)
  # at least one number
  regex.match(`.*[0-9].*`, val)
}

# the set of keys in the secret that hold passwords
password_keys := {k | input.Data[k]; contains_password(k)}

# if there are no 'password' keys within the secret, there is nothing to check: allow it
allow if {
  count(password_keys) == 0
}

# if the secret holds passwords, allow it only when every one of them is compliant;
# a single non-compliant password denies the whole secret
allow if {
  count(password_keys) > 0
  every k in password_keys {
    complies_to_policy(input.Data[k])
  }
}
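To verify the policy before deploying it, the following Rego unit tests (an added example, not part of the product or the original page) exercise the four cases that matter: a secret without password keys, a compliant password, a weak password, and a secret that mixes a strong and a weak password. The secret payloads are constructed sample input; the policy is assumed to live in package main as above, and the tests are run with `opa test` against both files. The last test documents the expectation that one weak password is enough to deny the whole secret; a policy that allows as soon as some password key complies fails that test.

```rego
package main_test

import rego.v1
import data.main

# constructed sample: no key holds a password, so nothing to check
test_secret_without_password_keys_is_allowed if {
  main.allow with input as {"Data": {"username": "alice", "host": "db.internal"}}
}

# constructed sample: 11 chars, upper, lower, digit and special char
test_compliant_password_is_allowed if {
  main.allow with input as {"Data": {"username": "alice", "db_password": "Str0ng!Pass"}}
}

# key name matching is case-insensitive, so DB_PASSWORD is checked as well
test_upper_case_key_is_checked if {
  not main.allow with input as {"Data": {"DB_PASSWORD": "password1"}}
}

# constructed sample: no upper case char and no special char
test_weak_password_is_denied if {
  not main.allow with input as {"Data": {"db_password": "password1"}}
}

# constructed sample: one strong and one weak password in the same secret
test_one_weak_password_among_several_is_denied if {
  not main.allow with input as {"Data": {
    "admin_password": "Str0ng!Pass",
    "readonly_password": "weak",
  }}
}
```

Run with `opa test -v .` from the directory holding the policy and this test file; every test should report PASS. Keep the tests beside the policy so a later relaxation of the character-class rules is caught by review rather than in production.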