Policies

lstn is a command-line tool that provides behavioural insights for packages. With the help of lstn, developers can check what their dependencies actually do before deploying them to production. In this guide, we cover how to visualize the verdicts lstn produces and how to define policy-based rules on top of the output of lstn commands.

The verdicts that lstn emits (in its JSON output format) can be used to build programmatic, rule-based policies and enforce them automatically. A classic use case is automation in CI/CD pipelines, where a policy violation fails the build.

For a list of useful jq expressions that can be used to define policies, see the "Customizing output" page (customizing-output.md).

Defining policies using jq expressions

Below are examples of rule-based policies defined over the JSON output of lstn commands:

Halt with error(1) if a priority level is critical

The example below scans the packages lstn reports, and as soon as one of them carries a verdict whose priority is "critical", jq prints that package (not only its verdicts) to stderr and exits with status 1. If no package matches, nothing is printed and jq exits with status 0. Note that halt_error stops at the first match, so only one offending package is reported even when several are present.

./lstn in <project-directory> --json | jq -c '.[] | select(.verdicts[].priority == "critical") | halt_error(1)'

This allows users to invoke certain actions upon receiving this status code, such as stopping a build from proceeding when a risky dependency is detected. Because the pipeline's exit status is that of jq, the check works with any CI system that fails a step on a non-zero exit code.
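The jq one-liner above stops at the first critical package. When a pipeline should report every offending verdict and gate on a configurable severity level instead of the single value "critical", a small policy script is often easier to maintain than a growing jq expression. The following is an added example, not part of lstn or its documentation: it reads the JSON array produced by "lstn in <project-directory> --json" from stdin and exits 1 when any verdict meets the chosen threshold. It assumes, following the jq expression on this page, that the output is a list of package objects each holding a "verdicts" list whose items carry a "priority" string; the "name", "version" and "message" fields and the ordering of priority levels are assumptions, and the sample input is constructed for the example.

```python
"""Policy gate over lstn JSON output (added example; not lstn's own code).

Usage in a pipeline (the policy fails the build by exiting 1):
    lstn in <project-directory> --json | python3 lstn_policy.py critical
Run without stdin input to evaluate the constructed sample below.
"""
import json
import sys

# Assumed ordering of lstn verdict priorities, least to most severe.
PRIORITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the assumed shape of `lstn in --json` output.
SAMPLE = json.dumps([
    {"name": "example-clean", "version": "1.0.0", "verdicts": []},
    {"name": "example-installer", "version": "0.0.1", "verdicts": [
        {"message": "spawns a shell during install", "priority": "critical"},
        {"message": "reads environment variables", "priority": "medium"},
    ]},
    {"name": "example-net", "version": "2.3.4", "verdicts": [
        {"message": "opens a network connection", "priority": "high"},
    ]},
])


def load_packages(json_text):
    """Parse lstn output and insist on the top-level array the jq filter relies on."""
    packages = json.loads(json_text)
    if not isinstance(packages, list):
        raise ValueError("expected a JSON array of packages")
    return packages


def violating_verdicts(packages, threshold="critical"):
    """Return (name, version, verdict) for every verdict at or above threshold.

    Verdicts with a priority outside PRIORITY_ORDER are treated as violations
    too (fail closed), so an unexpected level is never silently ignored.
    """
    if threshold not in PRIORITY_ORDER:
        raise ValueError(f"unknown priority threshold: {threshold!r}")
    floor = PRIORITY_ORDER[threshold]
    hits = []
    for pkg in packages:
        name = pkg.get("name", "<unknown>")
        version = pkg.get("version", "<unknown>")
        for verdict in pkg.get("verdicts") or []:
            level = str(verdict.get("priority", "")).lower()
            rank = PRIORITY_ORDER.get(level)
            if rank is None or rank >= floor:
                hits.append((name, version, verdict))
    return hits


def evaluate(json_text, threshold="critical"):
    """Report violations on stderr and return the exit status for the CI step."""
    hits = violating_verdicts(load_packages(json_text), threshold)
    for name, version, verdict in hits:
        print(f"{name}@{version}: [{verdict.get('priority', '?')}] "
              f"{verdict.get('message', '')}", file=sys.stderr)
    return 1 if hits else 0


if __name__ == "__main__":
    chosen = sys.argv[1] if len(sys.argv) > 1 else "critical"
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(evaluate(data, chosen))
```

Compared with the jq version, this reports every matching verdict rather than the first package, lets the threshold be lowered (for example to "high") without editing the expression, and fails closed on a priority value it does not recognize rather than letting it through.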

WIP