The fugue test command enables you to test a rule by providing Fugue with a scan ID from a selected point in time. The scan ID points to a “snapshot” of the resource configuration at the time of the scan, which is the test data your rule is evaluated against.

Because Fugue only needs the scan ID, retrieving a copy of the test input — the resource configuration recorded in the scan — is purely for your own benefit. The reason you’d want to do so is to facilitate the process of writing a rule. It’s much easier to write a rule when you can look at the structure of the input document, because you can find the name of the property you’re looking for and where it’s nested inside the input. This information is critical to crafting the rule query and telling Fugue which property and value to check.

To learn more about custom rules, see Custom Rules.


Test custom rules

  fugue test [command]

Available Commands:
  rule        Test a custom rule

  -h, --help   help for test

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Use "fugue test [command] --help" for more information about a command.

test rule

Test a custom rule

  fugue test rule [rego file] [flags]

  -h, --help                   help for rule
      --resource-type string   Resource type
      --scan string            Scan ID

Global Flags:
      --output string   The formatting style for command output [table | json] (default "table")

Output Attributes

Test Rule Output

The fugue test rule output includes the following attributes:


ID of the tested resource.


Whether the resource passed (is compliant with the rule) or failed (is noncompliant). Values - PASS, FAIL


Type of the tested resource.


Testing a rule

To test a rule, use the fugue test rule command. The [rego file] argument, the --resource-type flag, and the --scan flag are all required:

fugue test rule vpc-cidr-size.rego --resource-type "AWS.EC2.Vpc" --scan 8576a1b3-2f72-4e1d-902a-c81f22222222

To learn how to find the correct resource type for simple rules, see AWS & AWS GovCloud and Azure & Azure Government. Advanced custom rules always use the resource type MULTIPLE.

To learn how to find your scan ID, see fugue list scans.