From 7916aafffbc58925ed130a05aa5ecd2cffdc0313 Mon Sep 17 00:00:00 2001 From: simar7 <1254783+simar7@users.noreply.github.com> Date: Mon, 20 Mar 2023 05:12:35 -0700 Subject: [PATCH] docs(misconf): Add information about selectors (#3703) Signed-off-by: Simar --- .../docs/misconfiguration/custom/selectors.md | 51 +++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 52 insertions(+) create mode 100644 docs/docs/misconfiguration/custom/selectors.md diff --git a/docs/docs/misconfiguration/custom/selectors.md b/docs/docs/misconfiguration/custom/selectors.md new file mode 100644 index 00000000000..3def3d8e9a2 --- /dev/null +++ b/docs/docs/misconfiguration/custom/selectors.md 
@@ -0,0 +1,51 @@ +# Input Selectors + +## Overview +Sometimes you might want to limit a certain policy to only be run on certain resources. This can be +achieved with input selectors. + +## Use case +For instance, if you have a custom policy that you only want to be evaluated if a certain resource type is being scanned. +In such a case you could utilize input selectors to limit its evaluation on only those resources. + +!!! example + ``` + # METADATA + # title: "RDS Publicly Accessible" + # description: "Ensures RDS instances are not launched into the public cloud." + # custom: + # input: + # selector: + # - type: cloud + # subtypes: + # - provider: aws + # service: rds + package builtin.aws.rds.aws0999 + + deny[res] { + instance := input.aws.rds.instances[_] + instance.publicaccess.value + res := result.new("Instance has Public Access enabled", instance.publicaccess) + ``` + +Observe the following `subtypes` defined: +```yaml + # subtypes: + # - provider: aws + # service: rds +``` + +They will ensure that the policy is only run when the input to such a policy contains an `RDS` instance. + +## Enabling selectors and subtypes +Currently, the following are supported: + +| Selector | Subtype fields required | Example | +|--------------------------|-------------------------|---------------------------------| +| Cloud (AWS, Azure, etc.) | `provider`, `service` | `provider: aws`, `service: rds` | +| Kubernetes | | `type: kubernetes` | +| Dockerfile | | `type: dockerfile` | + + +## Default behaviour +If no subtypes or selectors are specified, the policy will be evaluated regardless of input. \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 56dc2bbfa93..89bbfb26c14 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -71,6 +71,7 @@ nav: - Overview: docs/misconfiguration/custom/index.md - Data: docs/misconfiguration/custom/data.md - Combine: docs/misconfiguration/custom/combine.md + - Selectors: docs/misconfiguration/custom/selectors.md - Schemas: docs/misconfiguration/custom/schema.md - Testing: docs/misconfiguration/custom/testing.md - Debugging Policies: docs/misconfiguration/custom/debug.md
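Review bot: In the `selectors.md` hunk the Rego snippet inside the `!!! example` block is missing the closing `}` of the `deny[res] {` rule (the fence closes directly after `res := result.new("Instance has Public Access enabled", instance.publicaccess)`), so a reader who copies it gets a policy that does not parse; please add the brace. Two documentation gaps in the same hunk: the table rows for Kubernetes and Dockerfile leave `Subtype fields required` empty and the Example column shows only `type: kubernetes` / `type: dockerfile`, so it is unclear whether subtypes are unsupported for those selector types or merely optional, and a full `selector:` entry for one of them would help; and the `Default behaviour` section only covers "no subtypes or selectors", not a `type: cloud` selector given without a `subtypes` list. Minor points: the example description says "not launched into the public cloud" while the rule checks `instance.publicaccess.value`, so "publicly accessible" is the accurate wording; the custom-policy example lives in `package builtin.aws.rds.aws0999`, which reads like a built-in policy ID rather than a user namespace for a custom policy; and the new file has no trailing newline (`\ No newline at end of file`).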