API-ASSURE Type Policies

API-type policies build on ASSURE policies, with one significant addition: the policy itself specifies everything needed to retrieve the target information from an API endpoint, typically one that exposes configuration.

The gathered response is then analyzed with ASSURE patterns to confirm that the values returned by the API call match the expected standards and configuration.

This bridges the gap between static policy enforcement and dynamic data retrieval, bringing real-time API data into the compliance verification process. With API-type policies, organizations can extend their compliance checks beyond static codebase analysis to live configuration data, covering compliance and security standards across both code and configuration environments.

Such policies let organizations automate the monitoring and validation of configurations across services and platforms, so that the infrastructure is compliant at deployment time and continues to meet the required standards as configurations change over time.

This policy type gets even better with the addition of CUE lang schema validation or REGO policies.


The setup

intercept config -r 
intercept config -a /app/examples/policy/api.yaml

export INTERCEPT_BAUTH=user:pass
intercept api 

cat intercept.api.full.sarif.json


All rule types can be filtered by a combination of TAGS, ENVIRONMENT name and their own ENFORCEMENT levels. Make sure to explore them.

The Policy


  - name: API value check
    id: 105
    description: Sandbox API check
    error: Misconfiguration or omission
    tags: KEY
    type: api
    fatal: false
    enforcement: true
    environment: all
    confidence: high
    api_insecure: false
    api_request: POST
    api_body: |
      {"employee":{ "name":"Emma", "age":28, "city":"Boston" }}
    api_auth: basic
    # BAUTH pairs with the INTERCEPT_BAUTH environment variable exported in the setup
    api_auth_basic: BAUTH
    # regex patterns checked against the API response
    patterns:
      - \s*\"url\"\s*:\s*\"\"\s*

SARIF Output

{
  "version": "2.1.0",
  "$schema": "",
  "runs": [
    {
      ... REDACTED
      "results": [
        {
          "ruleId": " API VALUE CHECK",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Sandbox API check"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "output_105"
                },
                "region": {
                  "startLine": 23,
                  "endLine": 23,
                  "snippet": {
                    "text": " \n  \"url\": \"\""
                  }
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

Console Output

 API Rule # 105
 Rule name :  API value check
 Rule description :  Sandbox API check
 Impacted Env :  all
 Tags :  KEY
 105 API Gathering Data : OK
 API Response Status: 200 OK
  24:  "url": ""
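
To dry-run the pattern from rule 105 against a saved response before putting the policy into a pipeline, the following added example (not INTERCEPT's own code and not from the original page) applies it to constructed sample bodies. The function names, the sample responses and the reading that the rule passes only when every pattern is found are assumptions.

```python
import json
import re

# Pattern copied from rule 105 on this page; to the regex engine \" is a plain quote.
RULE_PATTERNS = [r'\s*\"url\"\s*:\s*\"\"\s*']


def assure_matches(body, patterns):
    """Return sorted (line_number, matched_text) pairs for every pattern hit.

    The whole body is searched, so a leading \\s* can swallow the previous
    newline; the reported line is that of the first non-blank character.
    """
    hits = []
    for pattern in patterns:
        for m in re.finditer(pattern, body):
            text = m.group(0)
            lead = len(text) - len(text.lstrip())
            line = body.count("\n", 0, m.start() + lead) + 1
            hits.append((line, text.strip()))
    return sorted(hits)


def evaluate(body, patterns):
    """Assumed semantics: the rule passes only if every pattern is found."""
    found_all = all(re.search(p, body) for p in patterns)
    return {"compliant": found_all, "hits": assure_matches(body, patterns)}


# Constructed sample responses (not real API output).
_base = {"args": {}, "json": {"employee": {"name": "Emma"}}}
EXPECTED = json.dumps({**_base, "url": ""}, indent=2)
DRIFTED = json.dumps({**_base, "url": "http://changed.example"}, indent=2)
COMPACT = json.dumps({"url": ""}, separators=(",", ":"))  # no whitespace at all

if __name__ == "__main__":
    for label, body in (("expected", EXPECTED), ("drifted", DRIFTED), ("compact", COMPACT)):
        print(label, evaluate(body, RULE_PATTERNS))
```

The drifted body yields no hit, so a check that only looks for findings in the report would miss it; the compact body shows that the `\s*` groups keep the pattern independent of how the server formats its JSON.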

Run it

docker pull

docker run --rm -w $PWD -v $PWD:$PWD -e TERM=xterm-256color intercept config -a examples/policy/api.yaml

docker run --rm -w $PWD -v $PWD:$PWD -e INTERCEPT_BAUTH=user:pass -e TERM=xterm-256color intercept api