
Input Selectors


Sometimes you might want to limit a policy so that it is only run against certain resources. This can be achieved with input selectors.

Use case

For instance, you may have a custom policy that should only be evaluated when a certain resource type is being scanned. In that case you can use input selectors to restrict its evaluation to those resources.


    # METADATA
    # title: "RDS Publicly Accessible"
    # description: "Ensures RDS instances are not launched into the public cloud."
    # custom:
    #   input:
    #     selector:
    #     - type: cloud
    #       subtypes:
    #         - provider: aws
    #           service: rds
    package user.aws.rds.publicaccess  # package name is a placeholder; choose your own

    deny[res] {
        # iterate over every RDS instance present in the scanned input
        instance := input.aws.rds.instances[_]
        # only flag instances that actually have public access enabled
        instance.publicaccess.value
        res := result.new("Instance has Public Access enabled", instance.publicaccess)
    }

Observe the following subtypes defined:

        #       subtypes:
        #         - provider: aws
        #           service: rds

They ensure that the policy is only run when the input contains an RDS instance.

Enabling selectors and subtypes

Currently, the following are supported:

Selector                   Subtype fields required   Example
Cloud (AWS, Azure, etc.)   provider, service         provider: aws, service: rds
Kubernetes                 -                         type: kubernetes
Dockerfile                 -                         type: dockerfile
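As an added example (not part of the original page or of Trivy's own policies), here is a Kubernetes-scoped policy using the `type: kubernetes` selector, which needs no subtypes. The package name and check ID are placeholders, and the body assumes the raw Kubernetes manifest as input together with the `result.new` helper used in the RDS example above.

```rego
# METADATA
# title: "Privileged container"
# description: "Containers must not run in privileged mode."
# custom:
#   id: USER001            # placeholder check ID, not an existing Trivy ID
#   severity: HIGH
#   input:
#     selector:
#     # kubernetes takes no subtypes: the policy runs for every Kubernetes manifest
#     # and is skipped for cloud or Dockerfile inputs
#     - type: kubernetes
package user.kubernetes.privileged  # placeholder package name

# The input is the raw manifest, so a bare Pod and a templated workload
# (Deployment, DaemonSet, Job, ...) expose their containers at different paths.
containers[c] {
    input.kind == "Pod"
    c := input.spec.containers[_]
}

containers[c] {
    input.kind != "Pod"
    c := input.spec.template.spec.containers[_]
}

deny[res] {
    c := containers[_]
    # securityContext.privileged is absent or false on a compliant container
    c.securityContext.privileged == true
    res := result.new(sprintf("container %q runs privileged", [c.name]), c)
}
```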

Default behaviour

If no subtypes or selectors are specified, the policy will be evaluated regardless of input.