Compliance View
The Compliance View describes compliance violations for Kubernetes, Terraform, and Custom Systems and Stacks in Styra DAS.
When working with compliance violations and the compliance API, some considerations to keep in mind include:
- Compliance violations are by default evaluated every hour for each System. The date and time of the last automatic evaluation of compliance violations is shown in the UI in the associated System or Stack Compliance tab, and is also returned as the `created_at` value in compliance API responses.
- The latest compliance violation results are cached to avoid re-evaluating results more often than needed.
- Compliance violation APIs are paginated. It is recommended to always include the `limit` parameter in compliance API requests. To avoid potential request timeouts, a `limit` value no greater than `1500` is recommended.
- Users can trigger re-evaluation of compliance violations outside of the hourly cadence via the "Scan for violations" button in the UI in the associated System or Stack Compliance tab, or via the API.
- The compliance violation evaluation process may in some cases take up to several minutes, depending on the number of rules and the size of the datasource input. In these circumstances, to avoid an HTTP timeout, the API returns a 202 response while violations are evaluated asynchronously.
- Only Kubernetes systems support extended compliance mode, and they should always use extended compliance mode for the most detailed results. For all other system types, `extended` should be set to `false`.
Download Compliance Violations
Users may wish to download the current compliance violations for more complex data analysis in an external tool. To download the currently cached compliance violations (without triggering re-evaluation), use the ValidateSystemCompliance or ValidateStackCompliance API operations with `interval` set to `latest`. Additionally, users should always set `asyncdelay` and `limit` (recommended values are `5s` and `1500`, respectively).
For example, to fetch the compliance violations for a Kubernetes system with fewer than 1,500 violations and output the API response to a JSON file, use `curl` like so:
curl -H "Authorization: Bearer ${STYRA_API_TOKEN}" \
-H "Content-Type: application/json" \
-X POST "https://<das-id>.styra.com/v1/systems/<system-id>/validate/compliance?interval=latest&asyncdelay=5s" \
-d '{"mode":"all","extended":true,"limit":1500}' > violations_response.json
To save only the compliance violations to a JSON file, use a tool like `jq` to extract the `result` parameter like so:
curl -H "Authorization: Bearer ${STYRA_API_TOKEN}" \
-H "Content-Type: application/json" \
-X POST "https://<das-id>.styra.com/v1/systems/<system-id>/validate/compliance?interval=latest&asyncdelay=5s" \
-d '{"mode":"all","extended":true,"limit":1500}' | jq -r '.result' > violations.json
Working with Large Violation Counts
If a System or Stack has more than 1,500 Compliance violations, the UI will automatically truncate the list of violations shown. To fetch the additional violations, you can use the compliance APIs.
First, use the ValidateSystemCompliance or ValidateStackCompliance API operation with the recommended `limit` of `1500` to fetch the first page of violations. When there are more violations available than the specified `limit`, the API response will include the `cursor` parameter.
For example, using `curl` to fetch a system's first page of compliance violations when there are more than 1,500 violations:
$ curl -H "Authorization: Bearer ${STYRA_API_TOKEN}" \
-H "Content-Type: application/json" \
-X POST "https://<das-id>.styra.com/v1/systems/<system-id>/validate/compliance?interval=latest&asyncdelay=5s" \
-d '{"mode":"all","extended":true,"limit":1500}'
{"cursor":"KLUv_QQAnQQAskkgHlAHLAAR6pFtLY7LiZW9-ZHmeTGtaFGBLATWMAx1BA8XuiBdvWEaH_whaA9uc05nPzkjUuTrbSYOlZsl5cUsw9JC1yFOhgrswWmAqIQcbBVJ4hjZtFYqUgCx3BDD7WI4p-mCtusH9KskCAEAdefmzyHcq3Ob8YcZ2uqNm-z-1CMEBABHIwoXsnKiBTzYdeoBLG860z",
"mocks":{...},
"request_id":"19d56126-d8e2-41p1-9316-7d4180438122",
"result":{...}}
Use the GetNextPageOfSystemComplianceViolations or GetNextPageOfStackComplianceViolations API operations with the previous result's `cursor` value and a `limit` of `1500` to fetch the next page. If a `cursor` value is returned in this API response, repeat this process to fetch additional pages.
For Kubernetes Systems or Stacks with a large number of violations, review the resulting violations along with the Kubernetes Data Source Agent configuration to determine if the scope of cluster resources collected by the Styra Data Source Agent is too broad. Collecting cluster resources not evaluated by policies, or cluster resources which should be excluded from policy evaluation, may result in irrelevant Compliance violations. Use the `selectors`, `masks`, and `namespaces` settings in the Data Source Agent configuration to reduce the scope of collected cluster resources.
Re-evaluate Compliance Violations via API
To trigger re-evaluation of System or Stack compliance violations via the API outside of the usual hourly cadence of compliance evaluation, use the ValidateSystemCompliance or ValidateStackCompliance API operations, omitting the `interval` parameter.
For example:
curl -H "Authorization: Bearer ${STYRA_API_TOKEN}" \
-H "Content-Type: application/json" \
-X POST "https://<das-id>.styra.com/v1/systems/<system-id>/validate/compliance?asyncdelay=5s" \
-d '{"mode":"all","extended":true,"limit":1500}'
If the compliance violations result is not returned within 5 seconds, the API moves compliance violation evaluation to an asynchronous process to avoid an API timeout. Instead of the usual 200 response, the API will return a 202 response. Use the `Location` header in the 202 response to check on the status of the compliance violations evaluation. Once evaluation is complete, you can fetch these latest results by repeating the above ValidateSystemCompliance or ValidateStackCompliance API operation with the addition of the `interval` query parameter set to `latest`.