Policy and risk preflight
Policy/risk preflight scans Automax YAML before runtime validation and release checks. It catches risky patterns that should be reviewed before a job is run or published.
Run the default examples scan:
scripts/policy-risk-preflight.sh
Scan specific paths:
scripts/policy-risk-preflight.sh \
--path jobs \
--path environments/prod \
--fail-on medium
Write a JSON report:
scripts/policy-risk-preflight.sh \
--path examples \
--format json \
--output dist/policy-risk-preflight.json
The script ignores *.local.yaml and *.local.yml files by default. Those files
are operator-local inputs and may contain real secrets on a workstation or lab
host.
Built-in checks
The built-in checks report:
- inline secret-looking scalar values such as passwords, tokens and private keys;
- insecure flags such as
insecure: trueortls_verify: false; shell: truefor command execution;- destructive plugin operations without
confirm: true; - unpinned container images or images using
latest; - Helm
setentries that appear to carry secret values; - commands that download content and pipe it into a shell.
Findings have high, medium or low severity. Accepted findings are reported
but do not fail the run.
Accepting an intentional finding
Use risk_accepted: true close to the YAML block that intentionally violates a
rule:
- id: lab_shell
risk_accepted: true
use: command.local.run
with:
shell: true
command: "printf controlled-lab-only"
Acceptance should stay local and explicit. Do not use it at a broad file or task level unless the entire block has been reviewed.
Release gate
The release check runs:
scripts/policy-risk-preflight.sh --path examples --fail-on high
This keeps committed examples and runtime pack inputs free from unaccepted high risk patterns.