Define security, governance, and compliance rules as living, executable Markdown documents. Replace manual audits with continuous, verifiable validation.
Policies as Code is the practice of writing, testing, and managing policies (security, compliance, governance) using version-controlled code. Instead of relying on static documents that quickly become outdated, PaC turns compliance into a dynamic, automated check run directly against live infrastructure and data.
For organizations, PaC eliminates the risk associated with "Evidence not available" errors by automatically gathering, validating, and presenting audit proof every time the policy is executed.
The Organization's Access Control Policy mandates that all users must enable Multi-Factor Authentication (MFA). We translate this human-readable rule into an automated, executable Spry runbook.
Goal: Automatically query the identity provider (e.g., Keycloak, Azure AD), identify non-compliant users, and generate a definitive PASS/FAIL audit report.
query-idp-usersThe policy starts by querying the source of truth for user access. This Spry task simulates calling the Identity Provider's (IdP) API to fetch all active user accounts and their raw MFA status.
```bash query-idp-users -C ./.tmp-idp-users.json --descr "Fetch users and MFA status from Identity Provider API"
#!/usr/bin/env -S bash
# Conceptual API call to IdP (e.g., Keycloak). Replace with actual logic.
# Response structure: [{"username": "user_a", "mfa_enabled": true}, ...]
echo '[
{"username": "jdoe", "mfa_enabled": ["true"]},
{"username": "asmith", "mfa_enabled": ["false"]},
{"username": "bwilson", "mfa_enabled": ["true"]}
]' > ./.tmp-idp-users.json
```generate-compliance-report
This task contains the core Policy Logic. It reads the raw data from Step 1, applies the compliance rule (MFA must be `true`), and explicitly calculates the number of compliant and non-compliant accounts using jq.
The script generates a summary report and uses the exit code (0/1) to signal compliance status in a CI/CD environment.
```bash generate-compliance-report --dep query-idp-users -C ./.tmp-mfa-report.md --descr "Filter users and generate final report"
#!/usr/bin/env -S bash
USERS_DATA=$(cat ./.tmp-idp-users.json)
PASS_USERS=$(echo "$USERS_DATA" | jq -r '.[] | select(.mfa_enabled | join("") == "true") | .username')
FAIL_USERS=$(echo "$USERS_DATA" | jq -r '.[] | select(.mfa_enabled | join("") != "true") | .username')
PASS_COUNT=$(echo "$PASS_USERS" | wc -l)
FAIL_COUNT=$(echo "$FAIL_USERS" | wc -l)
# Generate the compliance markdown report
cat << EOF > ./.tmp-mfa-report.md
## Policy Compliance Report: MFA (2FA)
| Metric | Value | Compliance Status |
| :--- | :--- | :--- |
| Total Users Checked | $(($PASS_COUNT + $FAIL_COUNT)) | |
| MFA Enabled (PASS) | $PASS_COUNT | $( [ "$FAIL_COUNT" -eq 0 ] && echo "✅ FULLY COMPLIANT" || echo "⚠️ NON-COMPLIANT" ) |
| MFA Disabled (FAIL) | $FAIL_COUNT | |
### 🛑 Non-Compliant Users (MFA Disabled)
\`\`\`
$FAIL_USERS
\`\`\`
EOF
# Set exit code for CI/CD pipeline integration
if [ "$FAIL_COUNT" -gt 0 ]; then
exit 1
else
exit 0
fi
```show-evidenceThe final task displays the official audit evidence (the report generated in Step 2). This demonstrates how Spry replaces the manual evidence collection step with a simple command, providing immediate, verifiable compliance status.
Execution Command: ./spry.ts task show-evidence
```bash show-evidence --dep generate-compliance-report --descr "Display and log the final compliance evidence"
#!/usr/bin/env -S bash
echo "----------------------------------------------------------"
echo " THE ORGANIZATION: MFA COMPLIANCE AUDIT REPORT "
echo "----------------------------------------------------------"
cat ./.tmp-mfa-report.md
echo "----------------------------------------------------------"
```curl) to rule evaluation (jq), is visible and versioned in the Markdown file, ensuring transparency for auditors and developers alike.