Documentation / Topics / Repositories / OPA policies

OPA policies repositories

OPA policies repositories are expected to be hosted in GitHub, GitLab or Bitbucket repos. When adding your repository to Artifact Hub, the url used must follow the following format:


By default the master branch is used, but it’s possible to specify a different one from the UI.

Please NOTE that the repository URL used when adding the repository to Artifact Hub must NOT contain the git hosting platform specific parts, like tree/branch, just the path to your packages like it would show in the filesystem.

The path to packages provided can contain one or more packages. Each package version must be on a separate folder. You can have multiple policies in a single package, or create a package for each policy, it’s completely up to you. In the same way, you can decide if you want to provide one or multiple versions of your policies packages.

The structure of a repository with multiple packages and versions could look something like this:

$ tree path/to/packages
├── artifacthub-repo.yml
├── package1
│   ├── 1.0.0
│   │   ├──
│   │   ├── artifacthub-pkg.yml
│   │   ├── more
│   │   │   └── policies3.rego
│   │   ├── policies1.rego
│   │   └── policies2.rego
│   └── 2.0.0
│       ├──
│       ├── artifacthub-pkg.yml
│       └── policies1.rego
└── package2
    └── 1.0.0
        ├── artifacthub-pkg.yml
        └── policies1.rego

This structure is flexible, and in some cases where you only have a package and a version it can be greatly simplified. The Deprek8ion policies repository illustrated below, for example, is using a simpler structure.

In the case of a single package with a single version available at a time (the publisher doesn’t want to make previous ones available, for example), the structure could look like this:

$ tree path/to/packages
├── artifacthub-repo.yml
└── package1
    ├── artifacthub-pkg.yml
    ├── policies1.rego
    └── policies2.rego

In the previous case, even the package1 directory could be omitted. The reason is that both packages names and versions are read from the artifacthub-pkg.yml metadata file, so directories names are not used at all.

Each package version needs an artifacthub-pkg.yml metadata file. Please see the file spec for more details. Policies files must have the .rego extension. If you want to exclude some paths in your package from the indexing, you can do it using the ignore field in your package metadata file, which uses .gitignore syntax.

The artifacthub-repo.yml repository metadata file shown above can be used to setup features like Verified publisher or Ownership claim. This file must be located at /path/to/packages.

Once you have added your repository, you are all set up. As you add new versions of your policies or even new policies packages to your git repository, they’ll be automatically indexed and listed in Artifact Hub.

Example repository: Deprek8ion policies