Sentinel
Command: apply
The sentinel apply
command is used to execute a policy locally for development
purposes.
Usage
Usage: sentinel apply [options] POLICY
This command executes the policy file at the path specified by POLICY. In addition to a path to a policy, POLICY can reference a label of a policy entry in the configuration.
Use the exit code of this command to determine the exact status of the policy
evaluation. 0
is pass, 1
is fail, 2
is undefined (fail, but because the
result was undefined), and 3
is a runtime error. Errors unrelated to the
policy status itself are returned with an exit status of 9
.
To control the behavior of the apply
command, create a configuration
file. With this, you can define available
import plugins, mock data, and global values.
This can help you simulate a policy embedded within an application.
As of the 0.16 release, POLICY is optional. When it is not supplied,
sentinel apply
will run all policies in the supplied configuration.
The command-line flags are all optional. The list of available flags are:
-color
- Enable or disable colorized output. Enabled by default if running interactively.-config=path
- Path to a configuration file specifying available imports, mock data, globals, etc. The default issentinel.[hcl|json]
.-json
Enable JSON output. Using this mode, all other output will be suppressed and the full detail of the apply will be output in a machine-readable format. Enabling this implies-trace
. See the section on tracing JSON output for more details.-json-rule=RULE
Enable JSON output, outputting only the value of the specified rule. When running against a policy set, the policy must be supplied to enable per-rule filtering. Implies-json
.-global key=value
- Set global values. This is the same as settingglobal
in the configuration file, and will override any of these respective values set in the configuration. The value is either a string, or a JSON number, array, or object. To force strings, use quotes.-param key=value
- Set parameters, the same as settingparam
in the configuration file. Values are handled in the same way they are with the-global
flag.-timeout
- Allows users to specify a timeout after which the apply command will stop running. There is no timeout if not provided. The timeout needs to be specified as a Duration type, eg100ms, 5s etc
-trace
- Always show the execution trace. This shows intermediate boolean expression values. This always shows for failed policies.