harness · KinnonYee-harness · Jan 15, 2025
@@ -24,6 +24,8 @@ This topic provides sample policies you can use in policy steps and on pipeline-
 <!-- https://ecotrust-canada.github.io/markdown-toc/ -->
 
 - [Policy samples](#policy-samples)
+	- [Root policy samples](#root-policy-samples)
+		- [Evaluate secrets in pipeline and only allow secrets that are at the account level](#evaluate-secrets-in-pipeline-and-only-allow-secrets-that-are-at-the-account-level)
 	- [Connector policy samples](#connector-policy-samples)
 		- [Enforce authorization type while configuring a Kubernetes connector](#enforce-authorization-type-while-configuring-a-kubernetes-connector)
 		- [Enforce access control for a specific connector at runtime while configuring the pipeline](#enforce-access-control-for-a-specific-connector-at-runtime-while-configuring-the-pipeline)
@@ -64,6 +66,29 @@ This topic provides sample policies you can use in policy steps and on pipeline-
 
 ## Policy samples
 
+### Root policy samples
+* [Evaluate secrets in pipeline and only allow secrets that are at the account level](#evaluate-secrets-in-pipeline-and-only-allow-secrets-that-are-at-the-account-level)
+#### Evaluate secrets in pipeline and only allow secrets that are at the account level
+This rule is set in place to ensure the pipeline yaml does not include secrets at the project level, but will allow secrets at the account level.  
+
+```json
+package policy
+
+# Rule to check if any value in the input contains the secret substring
+has_secret_value {
+    walk(input, [_, value])
+    is_string(value)
+    contains(value, "<+secrets.getValue")
+    not contains(value,"<+secrets.getValue(\"account.")
+}
+
+# Main denial rule
+deny[msg] {
+    has_secret_value
+    msg := "Found potentially sensitive value containing 'secret.getValues' in the input"
+}
+```
+
 ### Connector policy samples
 
 * [Enforce authorization type while configuring a Kubernetes connector](#enforce-authorization-type-while-configuring-a-kubernetes-connector)