Policyglass

Policyglass is a small, production-minded tool for checking filesystem structure and content against a declarative YAML policy.

It is meant for the gap between ad hoc shell scripts and heavyweight compliance systems: repository hygiene, release validation, and CI guardrails.

Core idea

Write a policy once, then enforce it everywhere:

  • locally before release
  • in CI on every push
  • against generated artifacts
  • in packaging or handoff steps

Example

version: 1
required_paths:
  - README.md
  - src/
forbidden_globs:
  - '*.pem'
ignore_globs:
  - '.git/'
size_limits:
  - glob: 'dist/*.whl'
    max_bytes: 10000000
forbidden_content_patterns:
  - pattern: 'AKIA[0-9A-Z]{16}'
    message: 'Possible AWS key'

Run the check against the current directory with that policy file:

policyglass check . --policy policyglass.yml

What makes it useful

Explicit rules

Policyglass favors obvious YAML over magical inference. The rule model is intentionally narrow so teams can understand exactly what is being enforced.

Human and machine output

Use text output during local development and JSON output in CI or automation.

Maintainable implementation

The codebase is split into a policy loader, scanner, formatter layer, and CLI wrapper. That keeps tests focused and extension work predictable.

Current rule types

  • required paths
  • forbidden globs
  • per-glob size limits
  • forbidden regex patterns in file content
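
To make the four rule types and the example policy above concrete, here is an added illustrative checker written for this page, not Policyglass's own code. It evaluates the example policy (transcribed as a dict) against a constructed temporary tree and returns one (rule, path, detail) tuple per violation; the matching semantics it assumes (a glob matches either the relative path or the basename, a trailing slash means a directory prefix) are assumptions, since the page does not spell them out.

```python
import re
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# The page's example policy transcribed as a dict, so no YAML library is needed.
POLICY = {
    "required_paths": ["README.md", "src/"],
    "forbidden_globs": ["*.pem"],
    "ignore_globs": [".git/"],
    "size_limits": [{"glob": "dist/*.whl", "max_bytes": 10000000}],
    "forbidden_content_patterns": [{"pattern": r"AKIA[0-9A-Z]{16}", "message": "Possible AWS key"}],
}

def matches(rel, glob):
    # Assumed semantics: trailing slash = directory prefix; otherwise match relative path or basename.
    if glob.endswith("/"):
        return rel.startswith(glob)
    return fnmatch(rel, glob) or fnmatch(Path(rel).name, glob)  # note: fnmatch '*' crosses '/'

def check(root, policy):
    root, findings = Path(root), []
    for p in policy.get("required_paths", []):
        target = root / p.rstrip("/")
        if not (target.is_dir() if p.endswith("/") else target.exists()):
            findings.append(("required_path", p, "missing"))
    patterns = [(re.compile(c["pattern"]), c["message"]) for c in policy.get("forbidden_content_patterns", [])]
    for f in sorted(root.rglob("*")):
        rel = f.relative_to(root).as_posix()
        if not f.is_file() or any(matches(rel, g) for g in policy.get("ignore_globs", [])):
            continue
        findings += [("forbidden_glob", rel, g) for g in policy.get("forbidden_globs", [])
                     if matches(rel, g)]
        findings += [("size_limit", rel, lim["glob"]) for lim in policy.get("size_limits", [])
                     if matches(rel, lim["glob"]) and f.stat().st_size > lim["max_bytes"]]
        text = f.read_bytes().decode("utf-8", "replace")  # binary-safe content scan
        findings += [("forbidden_content", rel, m) for rx, m in patterns if rx.search(text)]
    return findings

def demo():
    # Constructed tree: src/ missing, one hit per file rule, and an ignored .git file.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "dist").mkdir(); (root / ".git").mkdir()
        (root / "README.md").write_text("demo\n")
        (root / "dist" / "pg-1.0-py3-none-any.whl").write_bytes(b"\0" * 10000001)
        (root / "server.pem").write_text("-----BEGIN PRIVATE KEY-----\n")
        (root / "settings.py").write_text('KEY = "AKIAABCDEFGHIJKLMNOP"  # constructed value\n')
        (root / ".git" / "old.pem").write_text("skipped via ignore_globs\n")
        return check(root, POLICY)
```

Running demo() yields exactly four findings, one per rule type, and nothing under .git/ because ignore_globs is applied before any file rule.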

Non-goals

Policyglass is not trying to be:

  • a secret scanner replacement
  • a full policy-as-code platform
  • a filesystem watcher or daemon
  • a remote artifact inventory system

Next steps