Reglet

Compliance as Code. Secure by Design.

Reglet is a compliance and infrastructure validation engine that runs security checks in isolated WebAssembly sandboxes. Define policies as code, validate systems and services, and get standardized audit output ready for SOC2, ISO27001, and more.

Quick Start

# brew not available for pre-release
brew install reglet-dev/tap/reglet           # macOS/Linux
# Install (choose one)
docker pull ghcr.io/reglet-dev/reglet:v0.2.0-alpha # Docker
curl -sSL https://raw.githubusercontent.com/reglet-dev/reglet/main/scripts/install.sh | sh  # Script

# Get an example profile
curl -fsSL https://raw.githubusercontent.com/reglet-dev/reglet/main/docs/examples/01-quickstart.yaml > quickstart.yaml

# Or create your own with the interactive wizard
reglet init

# Run it
reglet check quickstart.yaml

# Or with Docker
docker run --rm -v $(pwd)/quickstart.yaml:/quickstart.yaml \
  ghcr.io/reglet-dev/reglet:v0.2.0-alpha check /quickstart.yaml

Usage

# Create a new profile interactively
reglet init

# Create a profile with flags (for CI/scripts)
reglet init --name=my-profile --plugins=file,http

# Run compliance checks
reglet check profile.yaml

# Preview execution plan (dry-run)
reglet plan profile.yaml
reglet plan profile.yaml --tree         # Show execution flow diagram
reglet plan profile.yaml --details      # Show observations and expectations

# Validate profile syntax (fast, no execution)
reglet validate profile.yaml
reglet validate profile.yaml --stats    # Show profile statistics
reglet validate profile.yaml --skip-expects  # Skip expect expression validation

# Output formats
reglet check profile.yaml --format=json
reglet check profile.yaml --format=sarif -o results.sarif
reglet check profile.yaml --details        # Show detailed evidence

# Quiet mode for CI/scripts
reglet check profile.yaml --quiet

# Debug mode
reglet check profile.yaml --log-level=debug

# Filter controls
reglet check profile.yaml --tags security
reglet check profile.yaml --severity critical,high

# Watch mode (continuous monitoring)
reglet check profile.yaml --watch              # Re-run on file changes
reglet check profile.yaml --watch --interval=500ms  # Custom debounce

# Plugin management (OCI registries)
reglet plugins pull ghcr.io/reglet-dev/plugins/aws:1.0.0
reglet plugins list
reglet plugins push my-plugin.wasm ghcr.io/myorg/my-plugin:1.0.0
reglet plugins prune --keep 3

# Remote profiles
reglet check https://example.com/compliance.yaml
reglet check https://example.com/profile.yaml#v1.2.0  # Pinned version
reglet check https://example.com/profile.yaml --refresh  # Force re-fetch

# Profile cache management
reglet profile list       # List cached profiles
reglet profile pull <url> # Pre-fetch a profile
reglet profile prune      # Remove expired profiles
reglet profile outdated   # Check for updates

Creating Your First Profile

The reglet init command guides you through creating a starter profile:

# Interactive wizard
reglet init

# Non-interactive for CI/CD
reglet init --name=my-profile --plugins=file,http
reglet init --name=production --plugins=file,command --output=./profiles/prod.yaml
reglet init --name=baseline --plugins=file,http,dns --with-config
reglet init --name=test --plugins=file --force  # Overwrite existing

Available Plugins: file, http, dns, tcp, command, smtp

Generated Files:

• Profile (./reglet-profile.yaml) - YAML with example controls for each selected plugin
• Config (~/.reglet/config.yaml) - Optional system config with capability grants (use --with-config)

Features

• Declarative Profiles - Define validation rules in simple, versioned YAML
• Watch Mode - Continuous monitoring with automatic re-checks on file changes
• Parallel Execution - Optimized for CI/CD with concurrent execution of independent controls
• Loop Observations - Execute checks across multiple items with variable substitution (loop: { items: "{{ .vars.files }}" })
• Standardized Output - JSON, YAML, JUnit, SARIF - ready for compliance platforms or OSCAL integration (coming soon)
• Secure Sandbox - All validation logic runs inside a CGO-free WebAssembly runtime (wazero)
• Capability-Based Security - Plugins can only access files, networks, or environment variables if explicitly allowed
• Secret Management - Resolve secrets from environment variables, files, or local config with {{ secret "name" }} syntax
• Automatic Redaction - Sensitive data (secrets, tokens) is automatically detected and redacted before reporting
• OCI Plugin Registry - Distribute and version plugins via OCI-compliant registries (GHCR, DockerHub, Harbor)
• Reproducible Builds - Lockfiles (reglet.lock) pin exact plugin versions and digests for consistent execution

What Can It Validate?

Plugin	Use Case
file	Permissions, ownership, content patterns
command	Exit codes, output content
http	HTTP/HTTPS endpoints, response validation
dns	DNS records and resolution
tcp	Port connectivity, TLS certificates
smtp	Mail server connectivity

See examples/ for working profiles.

Security Model

Reglet uses capability-based security - plugins can only access what's explicitly granted:

• Automatic Discovery: Permissions are extracted from your profile (e.g., path: /etc/passwd grants read to only that file)
• No Broad Access: Unlike scripts with full host access, plugins are sandboxed
• Security Levels: Control how Reglet handles risky patterns:
  • strict - Deny broad capabilities automatically
  • standard - Warn and prompt before granting (default)
  • permissive - Auto-grant for trusted environments

# ~/.reglet/config.yaml
security:
  level: standard  # strict, standard, or permissive

See docs/security.md for the full security architecture.

Secret Management

Reglet supports secure secret resolution via {{ secret "name" }} syntax in profiles:

# ~/.reglet/config.yaml
sensitive_data:
  secrets:
    # Environment variable mapping
    env:
      api_token: API_TOKEN        # {{ secret "api_token" }} resolves from $API_TOKEN
      db_password: DATABASE_PASS

    # File-based secrets (admin-controlled paths)
    files:
      ssh_key: /etc/reglet/secrets/ssh.key

    # Local secrets (development only - never commit!)
    local:
      dev_token: "local-dev-value"

Secrets are automatically:

• Tracked and redacted from all output (evidence, logs, errors)
• Protected in memory with zeroing when possible
• Never logged in plaintext

Example usage in a profile:

controls:
  items:
    - id: api-health
      name: API health check with authentication
      observations:
        - plugin: http
          config:
            url: https://api.example.com/health
            headers:
              Authorization: "Bearer {{ secret \"api_token\" }}"
          expect: |
            data.status_code == 200

Loop Observations

Reglet supports looping over multiple items in a single observation, allowing you to validate similar resources without duplicating control definitions:

vars:
  critical_files:
    - /etc/passwd
    - /etc/shadow
    - /etc/sudoers

controls:
  items:
    - id: file-permissions
      name: Critical files have restricted permissions
      observations:
        - plugin: file
          loop:
            items: "{{ .vars.critical_files }}"
          config:
            path: "{{ .loop.item }}"
            mode: exists
          expect: |
            data.exists == true &&
            data.permissions.startsWith("-rw-------")

Loop Features:

• Variable Expansion: Reference variables with {{ .vars.name }}
• Loop Context: Access current item with {{ .loop.item }}, index with {{ .loop.index }}
• Custom Variable Names: Use as: filename to access items as {{ .filename }}
• Status Aggregation: Loop passes only if all items pass
• Capability Discovery: Each loop item gets specific permissions (not broad wildcards)

Loop Context Variables:

• .loop.item - Current item value
• .loop.index - Zero-based index (0, 1, 2...)
• .loop.first - Boolean, true for first item
• .loop.last - Boolean, true for last item
• .loop.length - Total number of items

Example with custom variable name:

vars:
  servers:
    - { name: web-1, host: 10.0.1.10 }
    - { name: web-2, host: 10.0.1.11 }

controls:
  items:
    - id: server-health
      name: All web servers are responding
      observations:
        - plugin: tcp
          loop:
            items: "{{ .vars.servers }}"
            as: server
          config:
            host: "{{ .server.host }}"
            port: 443
          expect: |
            data.connected == true

CLI Variable Overrides

Override or inject profile variables at runtime without modifying the profile file:

# Override existing variable
reglet check profile.yaml --set environment=prod

# Override nested variables with dot notation
reglet check profile.yaml --set server.host=prod.example.com --set server.port=443

# Auto-detect types: integers, floats, booleans
reglet check profile.yaml --set port=8080 --set debug=true --set timeout=30.5

# Read sensitive values from file (not logged to shell history)
reglet check profile.yaml --set-file api_key=/path/to/secret.txt

# Read values from environment variables (ideal for CI/CD)
reglet check profile.yaml --set-env build_id=CI_COMMIT_SHA

# Combine multiple sources
reglet check profile.yaml \
  --set environment=prod \
  --set-env api_key=API_KEY \
  --set-file db_password=/secrets/db.txt

Features:

• Type Detection: Automatically detects integers, floats, and booleans (conservative rules)
• Nested Paths: Use dot notation (paths.config=/opt) for nested map overrides
• Secure Options: --set-file and --set-env avoid shell history exposure
• Last Wins: When the same key is specified multiple times, the last value wins
• Unused Warnings: Get warnings for CLI vars not referenced in the profile (suppress with --no-warn-unused-vars)

Security:

• CLI values are treated as literal strings, never re-parsed as templates
• Use --set-file or --set-env for sensitive values in CI/CD pipelines
• Values from --set appear in shell history; prefer --set-file for secrets

Plugin Management

Reglet supports distributing plugins via OCI-compliant registries (GHCR, DockerHub, Harbor, etc.):

# Pull a plugin from a registry
reglet plugins pull ghcr.io/reglet-dev/plugins/aws:1.0.0

# List cached plugins
reglet plugins list

# Push your own plugin
reglet plugins push ./my-plugin.wasm ghcr.io/myorg/my-plugin:1.0.0

# Clean up old versions
reglet plugins prune --keep 3

Plugins can be referenced in profiles by:

• Built-in name: file, http, dns (embedded in binary)
• Local path: ./plugins/custom.wasm
• OCI reference: ghcr.io/reglet-dev/plugins/aws:1.0.0

Lockfile for Reproducible Builds

Generate a lockfile to pin exact plugin versions and digests:

# Generate lockfile
reglet check profile.yaml  # Creates reglet.lock

# Verify plugins match lockfile
reglet check profile.yaml  # Validates digests

The lockfile (reglet.lock) ensures:

• Reproducible builds - Same plugin versions across environments
• Integrity verification - Cryptographic digest validation
• Supply chain security - Detect tampering or version drift

Remote Profiles

Run compliance checks directly from remote URLs:

reglet check https://company.github.io/compliance/soc2.yaml
reglet check https://example.com/profile.yaml#v1.2.0  # Version pinning
reglet profile list                                    # Manage cache

Features: SSRF protection, DNS rebinding protection, hash verification, trusted sources config.

See docs/remote-profiles.md for full documentation.

Example Profile

profile:
  name: SSH Security
  description: Check SSH configuration
  version: 1.0.0

plugins:
  - file

controls:
  items:
    - id: sshd-config
      name: SSH password authentication disabled
      observations:
        - plugin: file
          config:
            path: /etc/ssh/sshd_config
          expect: |
            data.content.contains("PasswordAuthentication no")

Installation

Homebrew (macOS/Linux)

Note: pre-release is not available via Homebrew

brew install reglet-dev/tap/reglet
reglet version

Docker

# Pull image
docker pull ghcr.io/reglet-dev/reglet:v0.2.0-alpha

# Quick version check
docker run --rm ghcr.io/reglet-dev/reglet:v0.2.0-alpha version

# Run with profile from host
docker run --rm -v $(pwd)/profile.yaml:/profile.yaml \
  ghcr.io/reglet-dev/reglet:latest check /profile.yaml

# Try built-in examples
docker run --rm ghcr.io/reglet-dev/reglet:latest \
  check /home/reglet/docs/examples/01-quickstart.yaml

Install Script (Linux/macOS)

curl -sSL https://raw.githubusercontent.com/reglet-dev/reglet/main/scripts/install.sh | sh

Manual Download

Download the appropriate archive for your platform from the releases page, extract it, and move the binary to your PATH:

# Linux/macOS
tar -xzf reglet-*.tar.gz
sudo mv reglet /usr/local/bin/
reglet version

# Windows (PowerShell)
Expand-Archive reglet-*.zip
Move-Item reglet.exe C:\Windows\System32\
reglet version

From Source

Requires Go 1.25+:

git clone https://github.com/reglet-dev/reglet.git
cd reglet
make build
./bin/reglet check docs/examples/01-quickstart.yaml

Examples

• 01-quickstart.yaml - Basic system security checks
• 02-ssh-hardening.yaml - SSH hardening (SOC2 CC6.1)
• 03-web-security.yaml - HTTP/HTTPS validation
• 04-dns-validation.yaml - DNS resolution and records
• 05-tcp-connectivity.yaml - TCP ports and TLS testing
• 06-command-checks.yaml - Command execution and output validation
• 07-vars-and-defaults.yaml - Variables and control defaults
• 08-loops-demo.yaml - Loop observations with variable substitution
• 20-cli-variable-overrides.yaml - CLI variable override examples
• 99-comprehensive-showcase.yaml - Complete feature reference (all plugins, dependencies, retries)

Status: Alpha (Released: v0.4.0-alpha Development: v0.5.0-alpha)

Reglet is in active development. Core features work, but expect breaking changes before 1.0.

Roadmap

v0.2.0-alpha (Released)

• Core execution engine with parallel execution
• Plugins: File, HTTP, DNS, TCP, Command, SMTP
• Capability system with profile-based discovery
• Configurable security levels (strict/standard/permissive)
• Automatic secret redaction
• Output formatters (Table, JSON, YAML, JUnit, SARIF)
• Binary releases for Linux/macOS/Windows (amd64/arm64)
• Docker images (GHCR multi-arch)
• Homebrew tap
• Automated releases with goreleaser

v0.3.0-alpha (Released)

• Profile inheritance (extends: field)
• Retry and backoff for resilient execution
• Secret management (env/files/local resolution)
• Evidence artifacts and size limits (size, count)
• Global timeout

v0.3.5-alpha (Released)

• Lockfile for reproducible plugin versions (reglet.lock)
• OCI-based plugin registry (GHCR, DockerHub, Harbor)
• Plugin management commands (pull, push, list, prune)
• Hybrid plugin resolution (embedded → cache → registry)
• Digest verification for supply chain security
• Signature verification scaffolding (Cosign/Sigstore)

v0.4.0-alpha (Released)

• Tag and severity filtering
• reglet init (interactive wizard)
• reglet plan (dry-run validation)
• reglet validate (schema and syntax validation)
• --watch mode (live feedback on file changes)
• Looping (loop: { items: "{{ .vars.list }}" })

v0.4.5-alpha (Released)

• CLI vars (--set, --set-file, --set-env)
• Remote profiles (reglet check https://...)
• Profile cache management (reglet profile list/pull/prune/outdated)
• Trusted sources configuration
• Version pinning (#v1.2.0, @sha256:...)
• Plugin SDK (Go) Enhanced
• integrate Enhanced SDK into Reglet

v0.5.0-alpha (Current)

• AWS plugin
• GCP plugin
• Azure plugin
• Terraform plugin
• Kubernetes plugin

v0.6.0-alpha (GitHub Action & CI/CD)

• GitHub Action
• GitLab CI template
• OIDC authentication

v0.7.0-alpha (OSCAL & Evidence)

• OSCAL output (assessment results)
• Evidence collection and artifact management
• POA&M generation

v1.0 GA (Compliance Packs)

• Remote pack registry (reglet packs)
• SOC2 pack
• ISO27001 pack
• CIS Linux pack
• Complete Cosign signature verification

Community

We welcome contributions! Please see our Contributing Guide and Code of Conduct.

• Issues: GitHub Issues
• Discussions: GitHub Discussions

License

Apache-2.0 - See LICENSE