The fugue test command enables you to test a rule by providing Fugue with a scan ID from a selected point in time. The scan ID points to a “snapshot” of the resource configuration at the time of the scan, which is the test data your rule is evaluated against.
Because Fugue only needs the scan ID, retrieving a copy of the test input — the resource configuration recorded in the scan — is purely for your own benefit. The reason you’d want to do so is to facilitate the process of writing a rule. It’s much easier to write a rule when you can look at the structure of the input document, because you can find the name of the property you’re looking for and where it’s nested inside the input. This information is critical to crafting the rule query and telling Fugue which property and value to check.
To learn more about custom rules, see Custom Rules.
Test custom rules

Usage:
  fugue test [command]

Available Commands:
  rule        Test a custom rule

Flags:
  -h, --help   help for test

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue test [command] --help" for more information about a command.
Test a custom rule

Usage:
  fugue test rule [rego file] [flags]

Flags:
  -h, --help                   help for rule
      --resource-type string   Resource type
      --scan string            Scan ID

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")
Testing a rule
To test a rule, use the fugue test rule command. The [rego filename] argument, the --resource-type flag, and the --scan flag are all required:
fugue test rule vpc-cidr-size.rego --resource-type "AWS.EC2.Vpc" --scan 8576a1b3-2f72-4e1d-902a-c81f22222222
To learn how to find your scan ID, see fugue list scans.
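As an added illustration of what the vpc-cidr-size.rego file named in the command above could contain, the rule below is example code written for this page; it is not code from the Fugue documentation or the Fugue project. The package name, the convention that a simple rule sets deny (or allow) against the single resource bound to input, and the CidrBlock property name are assumptions: the page's own advice is that you confirm such property names and their nesting by inspecting the scan's resource configuration before relying on them.

```rego
# Example rule added for this page, not Fugue's own code. It denies a VPC
# whose CIDR block is larger than a /16, i.e. whose prefix length is below 16.
# Assumptions: the package name, that Fugue evaluates "deny" against the one
# resource bound to `input` (resource type supplied via --resource-type), and
# that the VPC's CIDR block is recorded in the scan under "CidrBlock".
package rules.vpc_cidr_size

# Prefix length of a CIDR string: "10.0.0.0/16" gives 16.
prefix_length(cidr) = n {
  parts := split(cidr, "/")
  n := to_number(parts[1])
}

# A VPC that spans more addresses than a /16 is non-compliant.
deny {
  prefix_length(input.CidrBlock) < 16
}

# A resource with no CidrBlock at all is also flagged, so a property name
# that does not match the scan data fails loudly instead of passing silently.
deny {
  not input.CidrBlock
}
```

Save the file as vpc-cidr-size.rego and run it with the command shown above, substituting a scan ID of your own for the example ID; the second deny rule is what tells you, during testing, that the property path you guessed is not the one in the snapshot.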