OCI Policy Packs¶
Publish and consume policy bundles from OCI-compliant registries (GitLab Container Registry, GHCR, ACR, ECR), similar to Conftest sharing.
Publish¶
docker login registry.example.com
gitlab-compliance policies push -f policies/
registry.example.com/org/gitlab-ci-policies:1.0.0
Pull and run¶
gitlab-compliance policies pull
oci://registry.example.com/org/gitlab-ci-policies:1.0.0 -o policies/
gitlab-compliance check -f
oci://registry.example.com/org/gitlab-ci-policies:1.0.0 -p .gitlab-ci.yml
gitlab-compliance check -f
oci://registry.example.com/org/gitlab-ci-policies:1.0.0 -p .gitlab-ci.yml
--update
Bundles use media type
application/vnd.gitlab-compliance.policy.bundle.v1+tar+gzip.
Policy catalog¶
Index policies with Policy Metadata:
gitlab-compliance policies doc -f policies/ -o COMPLIANCE-POLICIES.md
Consume in GitLab CI¶
Pull the latest bundle on every pipeline run:
include:
- local: example-ci/compliance-jobs.yml
compliance:
extends: .compliance:oci
Override the registry reference:
compliance:
extends: .compliance:oci
variables:
COMPLIANCE_OCI: oci://registry.example.com/my-group/gitlab-ci-policies:2.0.0
Authenticate to the registry in before_script when using a private registry:
compliance:
extends: .compliance:oci
before_script:
- echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER"
--password-stdin $CI_REGISTRY
- pip install --quiet gitlab-compliance
Run locally¶
gitlab-compliance check -f
oci://registry.example.com/org/gitlab-ci-policies:1.0.0 \
-p .gitlab-ci.yml --update
Back to Examples.