-
As another step towards drastically improving the performance of policy evaluations with Open Policy Agent, we can provide the capability to pre-filter the data that is collected by DMD, before evaluating it. For instance, in the case that we know we only want to check against a subset of Docker images which have a specific namespace, we can: - create an Rego rule that filters for this - add a DMD filter directive that pre-filters the data for this This way, we can make sure that we only fetch the data we need, while still having control inside the policy around what should match. Filters are applied with an `AND` across each field being filtered on, and an `OR` for any possible values. We also allow wildcards with `*`, which are mapped to an SQL `%`. For now, we only support the `filter` directive, and the filtering on the `package_name` and `package_type`. Note that we use the `package_type` not `package_manager` as a step towards #446. As an extension of #603.
f110e8fcAs another step towards drastically improving the performance of policy evaluations with Open Policy Agent, we can provide the capability to pre-filter the data that is collected by DMD, before evaluating it. For instance, in the case that we know we only want to check against a subset of Docker images which have a specific namespace, we can: - create an Rego rule that filters for this - add a DMD filter directive that pre-filters the data for this This way, we can make sure that we only fetch the data we need, while still having control inside the policy around what should match. Filters are applied with an `AND` across each field being filtered on, and an `OR` for any possible values. We also allow wildcards with `*`, which are mapped to an SQL `%`. For now, we only support the `filter` directive, and the filtering on the `package_name` and `package_type`. Note that we use the `package_type` not `package_manager` as a step towards #446. As an extension of #603.
Loading