

@javirln javirln commented Dec 1, 2025

This PR introduces the initial bootstrap of the SDKs for Golang and JavaScript to write custom policies with them. For the moment, chainloop policy develop init does not create the skeleton of the policies, but it will in a future version.

The SDKs are meant to ease the development of policies in these two languages.

Implementation

Go SDK (policies/go/)

  • TinyGo-based SDK compiling to WASM
  • Simple API: Run(), GetMaterialJSON(), Success(), Fail(), Skip()
  • Built-in HTTP support with hostname restrictions
  • Artifact discovery via Discover() builtin
  • Full logging support (LogInfo, LogDebug, LogWarn, LogError)
  • Policy arguments with GetArgs() and GetArgStringDefault()

JavaScript SDK (policies/js/)

  • Extism JS-based SDK compiling to WASM
  • Modular architecture: separate files for material, args, http, logging, result, discover
  • CommonJS module exports via index.js
  • Same feature parity as Go SDK
  • Compatible with esbuild bundling

Shared Features

  • Material extraction (JSON, string, bytes)
  • Result building with violations
  • HTTP requests with allowed hostname restrictions
  • Artifact graph discovery
  • Skip/Success/Fail result states

Examples

5 complete examples per SDK: simple, sbom, attestation, http, discover

Builtin Function Namespace Support

WASM runtimes use different namespace conventions by language:

  • Go/TinyGo: Expects host functions in env namespace (WASI standard)
  • JavaScript/Extism: Expects host functions in extism:host/user namespace

The discover builtin is registered in both namespaces with identical implementation, enabling cross-language compatibility without code duplication.

Discover

As introduced in the Rego engine, the discover function is now also available in the WASM engine. As expected, it outputs the same result:

JavaScript

❯ ./chainloop policy devel eval --material ghcr.io/chainloop-dev/chainloop/control-plane:v1.57.0-amd64 --policy policies/js/examples/discover/policy.yaml
INF Discovering artifacts related to: sha256:2680364af8645b2ded3e52df0f3aa4a7fbcceee57f2868c6a40132da47e2cb3f policy=policy-builtins
INF Found 1 references for artifact sha256:2680364af8645b2ded3e52df0f3aa4a7fbcceee57f2868c6a40132da47e2cb3f policy=policy-builtins
INF Checking attestation: sha256:5d2ae3589cd46277fb83b1e9a3eb4c58dfb0c1e042729520119ed0533ef7cd6d policy=policy-builtins
ERR attestation with digest sha256:5d2ae3589cd46277fb83b1e9a3eb4c58dfb0c1e042729520119ed0533ef7cd6d contains policy violations [name: release, project: chainloop, org: read-only-demo] policy=policy-builtins
ERR Validation failed: found attestations with policy violations policy=policy-builtins
{
   "result": {
      "violations": [
         "attestation with digest sha256:5d2ae3589cd46277fb83b1e9a3eb4c58dfb0c1e042729520119ed0533ef7cd6d contains policy violations [name: release, project: chainloop, org: read-only-demo]"
      ],
      "skip_reasons": [],
      "skipped": false
   }
}

Golang

❯ ./chainloop policy devel eval --material ghcr.io/chainloop-dev/chainloop/control-plane:v1.57.0-amd64 --policy policies/go/examples/discover/policy.yaml
INF Discovering artifacts related to: sha256:2680364af8645b2ded3e52df0f3aa4a7fbcceee57f2868c6a40132da47e2cb3f policy=policy-builtins
INF Found 1 references for artifact sha256:2680364af8645b2ded3e52df0f3aa4a7fbcceee57f2868c6a40132da47e2cb3f policy=policy-builtins
INF Checking attestation: sha256:5d2ae3589cd46277fb83b1e9a3eb4c58dfb0c1e042729520119ed0533ef7cd6d policy=policy-builtins
ERR attestation with digest sha256:5d2ae3589cd46277fb83b1e9a3eb4c58dfb0c1e042729520119ed0533ef7cd6d contains policy violations [name: release, project: chainloop, org: read-only-demo] policy=policy-builtins
ERR Validation failed: found attestations with policy violations policy=policy-builtins
{
   "result": {
      "violations": [
         "attestation with digest sha256:5d2ae3589cd46277fb83b1e9a3eb4c58dfb0c1e042729520119ed0533ef7cd6d contains policy violations [name: release, project: chainloop, org: read-only-demo]"
      ],
      "skip_reasons": [],
      "skipped": false
   }
}

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
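Added example, not code from this PR or from the chainloop SDK: a Go policy body in the shape the description above outlines, returning the same {"result": {...}} envelope the eval output shows. Success, Fail and Skip are local stand-ins for the SDK helpers named in the PR (the SDK's package path and exact signatures are not on the page and are assumed), and a constructed CycloneDX-like document stands in for what GetMaterialJSON would hand the policy, so the block runs without the SDK.

```go
package main

import "encoding/json"

// Result is the "result" object shown in the PR's eval output.
type Result struct {
	Violations  []string `json:"violations"`
	SkipReasons []string `json:"skip_reasons"`
	Skipped     bool     `json:"skipped"`
}

// Local stand-ins for the SDK's Success/Fail/Skip helpers (package path assumed, nothing imported).
func Success() Result           { return Result{Violations: []string{}, SkipReasons: []string{}} }
func Fail(v ...string) Result   { return Result{Violations: v, SkipReasons: []string{}} }
func Skip(reason string) Result { return Result{Violations: []string{}, SkipReasons: []string{reason}, Skipped: true} }

// Encode wraps a Result in the {"result": ...} envelope that `chainloop policy devel eval` prints.
func Encode(r Result) (string, error) {
	b, err := json.Marshal(map[string]Result{"result": r})
	return string(b), err
}

// SBOM is a constructed, minimal CycloneDX-like material standing in for GetMaterialJSON's output.
const SBOM = `{"bomFormat":"CycloneDX","components":[{"name":"openssl","licenses":[]},{"name":"zlib","licenses":[{"license":{"id":"Zlib"}}]}]}`

// EvalSBOM is a hypothetical policy body: skip material that is not a CycloneDX SBOM,
// fail when any component lacks license information, succeed otherwise.
func EvalSBOM(material []byte) Result {
	var doc struct {
		BomFormat  string `json:"bomFormat"`
		Components []struct {
			Name     string            `json:"name"`
			Licenses []json.RawMessage `json:"licenses"`
		} `json:"components"`
	}
	if err := json.Unmarshal(material, &doc); err != nil || doc.BomFormat != "CycloneDX" {
		return Skip("material is not a CycloneDX SBOM")
	}
	var violations []string
	for _, c := range doc.Components {
		if len(c.Licenses) == 0 {
			violations = append(violations, "component "+c.Name+" has no license information")
		}
	}
	if len(violations) == 0 {
		return Success()
	}
	return Fail(violations...)
}
```

Empty slices are initialised explicitly so that an empty violations or skip_reasons list serialises as [] rather than null, matching the output above.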
@javirln javirln self-assigned this Dec 1, 2025

@jiparis jiparis left a comment


thanks @javirln! This is a great addition


opts = append(opts, policies.WithIncludeRawData(debug))
opts = append(opts, policies.WithEnablePrint(enablePrint))
opts = append(opts, policies.WithGRPCConn(grpcConn))

I wonder if the Rego engine can also leverage this option. We can review it in a future change.


Oki!


javirln commented Dec 3, 2025

Thanks @jiparis :)

@javirln javirln merged commit ba60911 into chainloop-dev:main Dec 3, 2025
13 checks passed