reglet

module v0.3.0-alpha (latest)
Published: Jan 10, 2026 License: Apache-2.0

README
Reglet

Compliance as Code. Secure by Design.

Reglet is a compliance and infrastructure validation engine that runs security checks in isolated WebAssembly sandboxes. Define policies as code, validate systems and services, and get standardized audit output ready for SOC2, ISO27001, and more.


Quick Start

# Install (choose one)
brew install reglet-dev/tap/reglet           # macOS/Linux (tap not yet available for the pre-release)
docker pull ghcr.io/reglet-dev/reglet:v0.2.0-alpha # Docker
# Script: download and read install.sh first if piping remote scripts to sh is not acceptable in your environment
curl -sSL https://raw.githubusercontent.com/reglet-dev/reglet/main/scripts/install.sh | sh  # Script

# Get an example profile
curl -fsSL https://raw.githubusercontent.com/reglet-dev/reglet/main/docs/examples/01-quickstart.yaml > quickstart.yaml

# Run it
reglet check quickstart.yaml

# Or with Docker
docker run --rm -v "$(pwd)/quickstart.yaml:/quickstart.yaml" \
  ghcr.io/reglet-dev/reglet:v0.2.0-alpha check /quickstart.yaml


Usage

# Output formats
reglet check profile.yaml --format=json
reglet check profile.yaml --format=sarif -o results.sarif

# Quiet mode for CI/scripts
reglet check profile.yaml --quiet

# Debug mode
reglet check profile.yaml --log-level=debug

# Filter controls
reglet check profile.yaml --tags security
reglet check profile.yaml --severity critical,high

Features

  • Declarative Profiles - Define validation rules in simple, versioned YAML
  • Parallel Execution - Optimized for CI/CD with concurrent execution of independent controls
  • Standardized Output - JSON, YAML, JUnit, SARIF - ready for compliance platforms or OSCAL integration (coming soon)
  • Secure Sandbox - All validation logic runs inside a CGO-free WebAssembly runtime (wazero)
  • Capability-Based Security - Plugins can only access files, networks, or environment variables if explicitly allowed
  • Secret Management - Resolve secrets from environment variables, files, or local config with {{ secret "name" }} syntax
  • Automatic Redaction - Sensitive data (secrets, tokens) is automatically detected and redacted before reporting

What Can It Validate?

| Plugin  | Use case                                   |
|---------|--------------------------------------------|
| file    | Permissions, ownership, content patterns   |
| command | Exit codes, output content                 |
| http    | HTTP/HTTPS endpoints, response validation  |
| dns     | DNS records and resolution                 |
| tcp     | Port connectivity, TLS certificates        |
| smtp    | Mail server connectivity                   |

See examples/ for working profiles.

Security Model

Reglet uses capability-based security - plugins can only access what's explicitly granted:

  • Automatic Discovery: Permissions are extracted from your profile (e.g., path: /etc/passwd grants read to only that file)
  • No Broad Access: Unlike scripts with full host access, plugins are sandboxed
  • Security Levels: Control how Reglet handles risky patterns:
    • strict - Deny broad capabilities automatically
    • standard - Warn and prompt before granting (default)
    • permissive - Auto-grant for trusted environments

# ~/.reglet/config.yaml
security:
  level: standard  # strict, standard, or permissive

See docs/security.md for the full security architecture.
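To make the capability rules above concrete, here is an added Go example (illustrative, not Reglet's implementation; the capability names file:read and net:connect, the "broad pattern" heuristics, and the Discover, Decide and Gate functions are assumptions of this illustration). It derives the minimal grants from a few plugin configs, applies each security level to them, and shows the exact-path check a host function would make before reading a file on a plugin's behalf.

```go
// Added example, not Reglet's code: the rule above as discovery, a per-level
// decision and a gate. Capability names and the broad-pattern heuristics are assumptions.
package main

import (
	"fmt"
	"net/url"
	"path"
	"slices"
	"strings"
)

// Capability is one narrowly scoped grant derived from the profile.
type Capability struct {
	Kind   string // assumed names: "file:read", "net:connect"
	Target string // cleaned absolute path, or host:port
}

// Discover derives the minimal grant set from plugin/config pairs (each map names its
// plugin under "plugin"): a path grants read on that file only, a url on exactly its host:port.
func Discover(observations []map[string]string) ([]Capability, error) {
	var caps []Capability
	for _, o := range observations {
		switch o["plugin"] {
		case "file":
			if !path.IsAbs(o["path"]) {
				return nil, fmt.Errorf("file observation needs an absolute path, got %q", o["path"])
			}
			caps = append(caps, Capability{"file:read", path.Clean(o["path"])})
		case "http":
			u, err := url.Parse(o["url"])
			if err != nil || u.Hostname() == "" || (u.Scheme != "http" && u.Scheme != "https") {
				return nil, fmt.Errorf("http observation needs a valid http(s) url, got %q", o["url"])
			}
			port := u.Port()
			if port == "" {
				port = map[string]string{"http": "80", "https": "443"}[u.Scheme]
			}
			caps = append(caps, Capability{"net:connect", u.Hostname() + ":" + port})
		default:
			return nil, fmt.Errorf("plugin %q is not covered by this example", o["plugin"])
		}
	}
	return caps, nil
}

// IsBroad flags the patterns the levels act on: root, globs, wildcard hosts.
func IsBroad(c Capability) bool {
	switch c.Kind {
	case "file:read":
		return c.Target == "/" || strings.ContainsAny(c.Target, "*?[")
	case "net:connect":
		return strings.HasPrefix(c.Target, "*") || strings.HasPrefix(c.Target, "0.0.0.0:")
	}
	return true // unknown kinds are never auto-granted
}

type Decision string

const (
	Granted Decision = "granted"
	Prompt  Decision = "prompt"
	Denied  Decision = "denied"
)

// Decide applies security.level: narrow grants pass; broad ones are denied (strict),
// deferred to the operator (standard) or granted (permissive).
func Decide(level string, c Capability) (Decision, error) {
	if !IsBroad(c) {
		return Granted, nil
	}
	d, ok := map[string]Decision{"strict": Denied, "standard": Prompt, "permissive": Granted}[level]
	if !ok {
		return Denied, fmt.Errorf("unknown security level %q", level)
	}
	return d, nil
}

// Gate is the check a host function makes before acting for the plugin.
func Gate(granted []Capability, kind, target string) bool {
	if kind == "file:read" {
		target = path.Clean(target) // "/etc/ssh/../passwd" is judged as "/etc/passwd"
	}
	return slices.Contains(granted, Capability{kind, target})
}

func main() {
	caps, err := Discover([]map[string]string{ // constructed profile: one narrow grant, one broad
		{"plugin": "file", "path": "/etc/ssh/sshd_config"},
		{"plugin": "file", "path": "/etc/*"},
	})
	if err != nil {
		panic(err)
	}
	for _, c := range caps {
		d, _ := Decide("standard", c)
		fmt.Printf("%-24s broad=%-5v decision=%s\n", c.Target, IsBroad(c), d)
	}
	fmt.Println(Gate(caps[:1], "file:read", "/etc/ssh/../passwd")) // false: /etc/passwd was never granted
}
```

The gate cleans the path before comparing, so a traversal spelling of a granted file is still that file and nothing more. It does not resolve symlinks; a real host would need to canonicalise the target before comparing it with the grant.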

Secret Management

Reglet supports secure secret resolution via {{ secret "name" }} syntax in profiles:

# ~/.reglet/config.yaml
sensitive_data:
  secrets:
    # Environment variable mapping
    env:
      api_token: API_TOKEN        # {{ secret "api_token" }} resolves from $API_TOKEN
      db_password: DATABASE_PASS

    # File-based secrets (admin-controlled paths)
    files:
      ssh_key: /etc/reglet/secrets/ssh.key

    # Local secrets (development only - never commit!)
    local:
      dev_token: "local-dev-value"

Secrets are automatically:

  • Tracked and redacted from all output (evidence, logs, errors)
  • Protected in memory with zeroing when possible
  • Never logged in plaintext

Example usage in a profile:

controls:
  items:
    - id: api-health
      name: API health check with authentication
      observations:
        - plugin: http
          config:
            url: https://api.example.com/health
            headers:
              Authorization: "Bearer {{ secret \"api_token\" }}"
          expect: |
            data.status_code == 200
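The following added Go example (illustrative, not Reglet's code) shows how the {{ secret "name" }} syntax can be resolved with text/template against the config layout above, and why every resolved value is tracked: the same object then scrubs those values from evidence and error text. The SecretsConfig and Resolver types, the env-then-files-then-local order and the [REDACTED] marker are this example's assumptions.

```go
// Added example, not Reglet's implementation: {{ secret "name" }} resolution
// from the config shape above, with every resolved value tracked so it can be
// scrubbed from output. Resolution order and the "[REDACTED]" marker are assumed.
package main

import (
	"bytes"
	"fmt"
	"os"
	"sort"
	"strings"
	"text/template"
)

// SecretsConfig mirrors sensitive_data.secrets in ~/.reglet/config.yaml.
type SecretsConfig struct {
	Env   map[string]string // secret name -> environment variable
	Files map[string]string // secret name -> admin-controlled file path
	Local map[string]string // development only
}

// Resolver resolves names and remembers each value it hands out.
type Resolver struct {
	cfg      SecretsConfig
	readFile func(string) ([]byte, error) // injectable so the example runs offline
	seen     map[string]struct{}
}

func NewResolver(cfg SecretsConfig) *Resolver {
	return &Resolver{cfg: cfg, readFile: os.ReadFile, seen: map[string]struct{}{}}
}

// Resolve checks env, then files, then local. An unconfigured or unset name is
// an error, not an empty string, so a typo cannot silently drop the credential.
func (r *Resolver) Resolve(name string) (string, error) {
	var v string
	switch {
	case r.cfg.Env[name] != "":
		val, ok := os.LookupEnv(r.cfg.Env[name])
		if !ok {
			return "", fmt.Errorf("secret %q: $%s is not set", name, r.cfg.Env[name])
		}
		v = val
	case r.cfg.Files[name] != "":
		b, err := r.readFile(r.cfg.Files[name])
		if err != nil {
			return "", fmt.Errorf("secret %q: %w", name, err)
		}
		v = strings.TrimRight(string(b), "\r\n")
	default:
		val, ok := r.cfg.Local[name]
		if !ok {
			return "", fmt.Errorf("secret %q is not configured", name)
		}
		v = val
	}
	if v != "" {
		r.seen[v] = struct{}{}
	}
	return v, nil
}

// Render expands {{ secret "name" }} in one profile field with text/template.
func (r *Resolver) Render(field string) (string, error) {
	t, err := template.New("field").Funcs(template.FuncMap{"secret": r.Resolve}).Parse(field)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, nil); err != nil {
		return "", err
	}
	return out.String(), nil
}

// Redact replaces every value handed out so far, longest first so a secret that
// is a prefix of another cannot leave a fragment behind.
func (r *Resolver) Redact(s string) string {
	vals := make([]string, 0, len(r.seen))
	for v := range r.seen {
		vals = append(vals, v)
	}
	sort.Slice(vals, func(i, j int) bool { return len(vals[i]) > len(vals[j]) })
	for _, v := range vals {
		s = strings.ReplaceAll(s, v, "[REDACTED]")
	}
	return s
}

func main() {
	os.Setenv("API_TOKEN", "tok_live_123456") // constructed value for the demo
	r := NewResolver(SecretsConfig{Env: map[string]string{"api_token": "API_TOKEN"}})
	hdr, err := r.Render(`Bearer {{ secret "api_token" }}`)
	if err != nil {
		panic(err)
	}
	fmt.Println(r.Redact("Authorization: " + hdr + " -> 200 OK")) // Authorization: Bearer [REDACTED] -> 200 OK
}
```

Redaction here is string substitution over the text that is about to leave the process, which is why the resolver must see every value before any output is written; a secret that was never routed through the resolver cannot be redacted.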

Example Profile

profile:
  name: SSH Security
  description: Check SSH configuration
  version: 1.0.0

plugins:
  - file

controls:
  items:
    - id: sshd-config
      name: SSH password authentication disabled
      observations:
        - plugin: file
          config:
            path: /etc/ssh/sshd_config
          expect: |
            data.content.contains("PasswordAuthentication no")
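A caveat on the expect expression above: a substring match is satisfied by a commented-out #PasswordAuthentication no and is not affected by an earlier PasswordAuthentication yes, which is the line sshd would actually honour. The added Go example below (not part of Reglet) compares that naive check with a parser that applies sshd's own precedence rules; the Setting type and the function names are assumptions of this illustration.

```go
// Added example, not Reglet's code: a stricter evaluation of the control above.
// sshd takes the first global occurrence of a keyword, ignores commented lines,
// and treats keywords under a Match block as conditional, so a plain substring
// check passes on "#PasswordAuthentication no" and misses an earlier "yes".
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Setting is what ParseKeyword found for one keyword.
type Setting struct {
	Value    string   // first global value; "" means unset (compiled-in default applies)
	InMatch  []string // values seen only inside Match blocks, i.e. conditional
	Includes []string // Include directives, whose files must be checked as well
}

// ParseKeyword scans sshd_config text with sshd's precedence rules: lines starting
// with '#' are comments, keywords are case-insensitive, "Key=value" and "Key value"
// are equivalent, and the first global value wins.
func ParseKeyword(content, keyword string) Setting {
	var s Setting
	inMatch := false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(strings.Replace(line, "=", " ", 1))
		if len(fields) < 2 {
			continue
		}
		switch strings.ToLower(fields[0]) {
		case "match":
			inMatch = true // everything below belongs to a Match block
		case "include":
			s.Includes = append(s.Includes, fields[1:]...)
		case strings.ToLower(keyword):
			val := strings.Join(fields[1:], " ")
			if inMatch {
				s.InMatch = append(s.InMatch, val)
			} else if s.Value == "" {
				s.Value = val
			}
		}
	}
	return s
}

// PasswordAuthDisabled is the control's intent: the effective global value is "no".
// An unset keyword fails, because stock OpenSSH defaults it to "yes".
func PasswordAuthDisabled(content string) bool {
	return strings.EqualFold(ParseKeyword(content, "PasswordAuthentication").Value, "no")
}

// NaiveContains is the substring check from the profile above, for comparison.
func NaiveContains(content string) bool {
	return strings.Contains(content, "PasswordAuthentication no")
}

func main() {
	samples := []struct{ name, cfg string }{ // constructed sshd_config fragments
		{"commented-only", "#PasswordAuthentication no\nPasswordAuthentication yes\n"},
		{"first-wins", "PasswordAuthentication yes\nPasswordAuthentication no\n"},
		{"match-only", "Match User deploy\n    PasswordAuthentication no\n"},
		{"hardened", "Include /etc/ssh/sshd_config.d/*.conf\nPasswordAuthentication no\n"},
	}
	for _, smp := range samples {
		s := ParseKeyword(smp.cfg, "PasswordAuthentication")
		fmt.Printf("%-15s naive=%-5v strict=%-5v value=%q match=%v includes=%v\n",
			smp.name, NaiveContains(smp.cfg), PasswordAuthDisabled(smp.cfg), s.Value, s.InMatch, s.Includes)
	}
}
```

Even this parser cannot see inside included files, which is why Includes is reported rather than resolved. The authoritative view of the effective configuration is the daemon's own dump (sshd -T), which the command plugin listed above could capture; the profile keys for that are not shown on this page.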

Installation

Homebrew (macOS/Linux)

Note: pre-release is not available via Homebrew

brew install reglet-dev/tap/reglet
reglet version

Docker

# Pull image
docker pull ghcr.io/reglet-dev/reglet:v0.2.0-alpha

# Quick version check
docker run --rm ghcr.io/reglet-dev/reglet:v0.2.0-alpha version

# Run with profile from host (pin a release tag in CI rather than relying on :latest)
docker run --rm -v "$(pwd)/profile.yaml:/profile.yaml" \
  ghcr.io/reglet-dev/reglet:latest check /profile.yaml

# Try built-in examples
docker run --rm ghcr.io/reglet-dev/reglet:latest \
  check /home/reglet/docs/examples/01-quickstart.yaml

Install Script (Linux/macOS)

curl -sSL https://raw.githubusercontent.com/reglet-dev/reglet/main/scripts/install.sh | sh

Manual Download

Download the appropriate archive for your platform from the releases page, verify it against any checksum file published alongside the release, extract it, and move the binary to a directory on your PATH:

# Linux/macOS
tar -xzf reglet-*.tar.gz
sudo mv reglet /usr/local/bin/
reglet version

# Windows (PowerShell)
Expand-Archive reglet-*.zip
# A dedicated directory on your PATH is preferable to System32 for third-party binaries
Move-Item reglet.exe C:\Windows\System32\
reglet version

From Source

Requires Go 1.25+:

git clone https://github.com/reglet-dev/reglet.git
cd reglet
make build
./bin/reglet check docs/examples/01-quickstart.yaml
Examples

See docs/examples/ for working profiles.

Status: Alpha (v0.2.0-alpha)

Reglet is in active development. Core features work, but expect breaking changes before 1.0.

Roadmap

v0.2.0-alpha (Current)

  • Core execution engine with parallel execution
  • Plugins: File, HTTP, DNS, TCP, Command, SMTP
  • Capability system with profile-based discovery
  • Configurable security levels (strict/standard/permissive)
  • Automatic secret redaction
  • Output formatters (Table, JSON, YAML, JUnit, SARIF)
  • Binary releases for Linux/macOS/Windows (amd64/arm64)
  • Docker images (GHCR multi-arch)
  • Homebrew tap
  • Automated releases with goreleaser

v0.3.0-alpha (In Development)

  • Profile inheritance (extends: field)
  • Lockfile for reproducible plugin versions (reglet.lock)
  • Retry and backoff for resilient execution
  • Secret management (env/files/local resolution)
  • Evidence artifacts and size limits (size, count)
  • Global timeout

v0.4.0-alpha

  • Tag and severity filtering

v0.5.0-alpha

  • OCI-based plugin registry (version pinning, aliases)

v0.6.0-alpha

  • OSCAL output

v1.0

  • Cloud provider plugins (AWS, GCP, Azure)
  • Compliance packs (SOC2, ISO27001, FedRAMP)
  • CI/CD integrations (GitHub Actions, GitLab CI)
  • Plugin SDK documentation

Community

We welcome contributions! Please see our Contributing Guide and Code of Conduct.

License

Apache-2.0 - See LICENSE

Directories

Path: Synopsis

cmd
  reglet (command): Package main provides the reglet CLI for compliance and infrastructure validation.
internal
  application/dto: Package dto contains data transfer objects for application layer use cases.
  application/errors: Package apperrors defines application-level error types.
  application/ports: Package ports defines interfaces for infrastructure dependencies.
  application/services: Package services contains application use cases.
  domain/capabilities: Package capabilities defines domain types for capability management.
  domain/entities: Package entities contains domain entities for the Reglet domain model.
  domain/execution: Package execution provides domain models for execution results.
  domain/repositories: Package repositories defines interfaces for domain persistence.
  domain/services: Package services contains domain services for the Reglet domain model.
  domain/values: Package values contains domain value objects that encapsulate primitive types with validation and such.
  infrastructure/adapters: Package adapters provides infrastructure adapters that implement application ports.
  infrastructure/build: Package build provides build version information for Reglet.
  infrastructure/capabilities: Package capabilities provides capabilities for the wasm plugins.
  infrastructure/config: Package config provides infrastructure for loading profile configurations.
  infrastructure/container: Package container provides dependency injection for the application.
  infrastructure/engine: Package engine coordinates profile execution and validation.
  infrastructure/filesystem: Package filesystem provides file-based repositories for the infrastructure layer.
  infrastructure/output: Package output holds various output options.
  infrastructure/persistence/memory: Package memory provides in-memory implementations of domain repositories.
  infrastructure/plugins: Package plugins provides infrastructure implementations for plugin capabilities.
  infrastructure/secrets: Package secrets deals with resolving sensitive values from external sources like environment variables and files.
  infrastructure/sensitivedata: Package sensitivedata provides tools for managing and protecting sensitive information such as secrets, passwords, and tokens.
  infrastructure/system: Package system provides infrastructure for system-level configuration.
  infrastructure/validation: Package validation provides infrastructure for validating profile configurations.
  infrastructure/wasm: Package wasm provides WebAssembly runtime infrastructure for Reglet plugins.
  infrastructure/wasm/hostfuncs: Package hostfuncs provides host functions for WASM plugins.
templates: Package templates provides embedded templates for plugin scaffolding.
wireformat (module)
