Skip to content

Policy and risk preflight

Policy/risk preflight scans Automax YAML before runtime validation and release checks. It catches risky patterns that should be reviewed before a job is run or published.

Run the default examples scan:

scripts/policy-risk-preflight.sh

Scan specific paths:

scripts/policy-risk-preflight.sh \
  --path jobs \
  --path environments/prod \
  --fail-on medium

Write a JSON report:

scripts/policy-risk-preflight.sh \
  --path examples \
  --format json \
  --output dist/policy-risk-preflight.json

The script ignores *.local.yaml and *.local.yml files by default. Those files are operator-local inputs and may contain real secrets on a workstation or lab host.

Built-in checks

The built-in checks report:

  • inline secret-looking scalar values such as passwords, tokens and private keys;
  • insecure flags such as insecure: true or tls_verify: false;
  • shell: true for command execution;
  • destructive plugin operations without confirm: true;
  • unpinned container images or images using latest;
  • Helm set entries that appear to carry secret values;
  • commands that download content and pipe it into a shell.

Findings have high, medium or low severity. Accepted findings are reported but do not fail the run.

Accepting an intentional finding

Use risk_accepted: true close to the YAML block that intentionally violates a rule:

- id: lab_shell
  risk_accepted: true
  use: command.local.run
  with:
    shell: true
    command: "printf controlled-lab-only"

Acceptance should stay local and explicit. Do not use it at a broad file or task level unless the entire block has been reviewed.

Release gate

The release check runs:

scripts/policy-risk-preflight.sh --path examples --fail-on high

This keeps committed examples and runtime pack inputs free from unaccepted high risk patterns.