Compliance as Code. Secure by Design.
Reglet is a compliance and infrastructure validation engine that runs security checks in isolated WebAssembly sandboxes. Define policies as code, validate systems and services, and get standardized audit output ready for SOC2, ISO27001, and more.
# brew not available for pre-release
brew install reglet-dev/tap/reglet # macOS/Linux
# Install (choose one)
docker pull ghcr.io/reglet-dev/reglet:v0.2.0-alpha # Docker
curl -sSL https://raw.githubusercontent.com/reglet-dev/reglet/main/scripts/install.sh | sh # Script
# Get an example profile
curl -fsSL https://raw.githubusercontent.com/reglet-dev/reglet/main/docs/examples/01-quickstart.yaml > quickstart.yaml
# Run it
reglet check quickstart.yaml
# Or with Docker
docker run --rm -v $(pwd)/quickstart.yaml:/quickstart.yaml \
ghcr.io/reglet-dev/reglet:v0.2.0-alpha check /quickstart.yaml
# Run compliance checks
reglet check profile.yaml
# Preview execution plan (dry-run)
reglet plan profile.yaml
reglet plan profile.yaml --tree # Show execution flow diagram
reglet plan profile.yaml --details # Show observations and expectations
# Validate profile syntax (fast, no execution)
reglet validate profile.yaml
reglet validate profile.yaml --stats # Show profile statistics
reglet validate profile.yaml --skip-expects # Skip expect expression validation
# Output formats
reglet check profile.yaml --format=json
reglet check profile.yaml --format=sarif -o results.sarif
# Quiet mode for CI/scripts
reglet check profile.yaml --quiet
# Debug mode
reglet check profile.yaml --log-level=debug
# Filter controls
reglet check profile.yaml --tags security
reglet check profile.yaml --severity critical,high
# Plugin management (OCI registries)
reglet plugins pull ghcr.io/reglet-dev/plugins/aws:1.0.0
reglet plugins list
reglet plugins push my-plugin.wasm ghcr.io/myorg/my-plugin:1.0.0
reglet plugins prune --keep 3- Declarative Profiles - Define validation rules in simple, versioned YAML
- Parallel Execution - Optimized for CI/CD with concurrent execution of independent controls
- Loop Observations - Execute checks across multiple items with variable substitution (
loop: { items: "{{ .vars.files }}" }) - Standardized Output - JSON, YAML, JUnit, SARIF - ready for compliance platforms or OSCAL integration (coming soon)
- Secure Sandbox - All validation logic runs inside a CGO-free WebAssembly runtime (wazero)
- Capability-Based Security - Plugins can only access files, networks, or environment variables if explicitly allowed
- Secret Management - Resolve secrets from environment variables, files, or local config with
{{ secret "name" }}syntax - Automatic Redaction - Sensitive data (secrets, tokens) is automatically detected and redacted before reporting
- OCI Plugin Registry - Distribute and version plugins via OCI-compliant registries (GHCR, DockerHub, Harbor)
- Reproducible Builds - Lockfiles (
reglet.lock) pin exact plugin versions and digests for consistent execution
| Plugin | Use Case |
|---|---|
| file | Permissions, ownership, content patterns |
| command | Exit codes, output content |
| http | HTTP/HTTPS endpoints, response validation |
| dns | DNS records and resolution |
| tcp | Port connectivity, TLS certificates |
| smtp | Mail server connectivity |
See examples/ for working profiles.
Reglet uses capability-based security - plugins can only access what's explicitly granted:
- Automatic Discovery: Permissions are extracted from your profile (e.g.,
path: /etc/passwdgrants read to only that file) - No Broad Access: Unlike scripts with full host access, plugins are sandboxed
- Security Levels: Control how Reglet handles risky patterns:
strict- Deny broad capabilities automaticallystandard- Warn and prompt before granting (default)permissive- Auto-grant for trusted environments
# ~/.reglet/config.yaml
security:
level: standard # strict, standard, or permissiveSee docs/security.md for the full security architecture.
Reglet supports secure secret resolution via {{ secret "name" }} syntax in profiles:
# ~/.reglet/config.yaml
sensitive_data:
secrets:
# Environment variable mapping
env:
api_token: API_TOKEN # {{ secret "api_token" }} resolves from $API_TOKEN
db_password: DATABASE_PASS
# File-based secrets (admin-controlled paths)
files:
ssh_key: /etc/reglet/secrets/ssh.key
# Local secrets (development only - never commit!)
local:
dev_token: "local-dev-value"Secrets are automatically:
- Tracked and redacted from all output (evidence, logs, errors)
- Protected in memory with zeroing when possible
- Never logged in plaintext
Example usage in a profile:
controls:
items:
- id: api-health
name: API health check with authentication
observations:
- plugin: http
config:
url: https://api.example.com/health
headers:
Authorization: "Bearer {{ secret \"api_token\" }}"
expect: |
data.status_code == 200Reglet supports distributing plugins via OCI-compliant registries (GHCR, DockerHub, Harbor, etc.):
# Pull a plugin from a registry
reglet plugins pull ghcr.io/reglet-dev/plugins/aws:1.0.0
# List cached plugins
reglet plugins list
# Push your own plugin
reglet plugins push ./my-plugin.wasm ghcr.io/myorg/my-plugin:1.0.0
# Clean up old versions
reglet plugins prune --keep 3Plugins can be referenced in profiles by:
- Built-in name:
file,http,dns(embedded in binary) - Local path:
./plugins/custom.wasm - OCI reference:
ghcr.io/reglet-dev/plugins/aws:1.0.0
Generate a lockfile to pin exact plugin versions and digests:
# Generate lockfile
reglet check profile.yaml # Creates reglet.lock
# Verify plugins match lockfile
reglet check profile.yaml # Validates digestsThe lockfile (reglet.lock) ensures:
- Reproducible builds - Same plugin versions across environments
- Integrity verification - Cryptographic digest validation
- Supply chain security - Detect tampering or version drift
profile:
name: SSH Security
description: Check SSH configuration
version: 1.0.0
plugins:
- file
controls:
items:
- id: sshd-config
name: SSH password authentication disabled
observations:
- plugin: file
config:
path: /etc/ssh/sshd_config
expect: |
data.content.contains("PasswordAuthentication no")Note: pre-release is not available via Homebrew
brew install reglet-dev/tap/reglet
reglet version# Pull image
docker pull ghcr.io/reglet-dev/reglet:v0.2.0-alpha
# Quick version check
docker run --rm ghcr.io/reglet-dev/reglet:v0.2.0-alpha version
# Run with profile from host
docker run --rm -v $(pwd)/profile.yaml:/profile.yaml \
ghcr.io/reglet-dev/reglet:latest check /profile.yaml
# Try built-in examples
docker run --rm ghcr.io/reglet-dev/reglet:latest \
check /home/reglet/docs/examples/01-quickstart.yamlcurl -sSL https://raw.githubusercontent.com/reglet-dev/reglet/main/scripts/install.sh | shDownload the appropriate archive for your platform from the releases page, extract it, and move the binary to your PATH:
# Linux/macOS
tar -xzf reglet-*.tar.gz
sudo mv reglet /usr/local/bin/
reglet version
# Windows (PowerShell)
Expand-Archive reglet-*.zip
Move-Item reglet.exe C:\Windows\System32\
reglet versionRequires Go 1.25+:
git clone https://github.com/reglet-dev/reglet.git
cd reglet
make build
./bin/reglet check docs/examples/01-quickstart.yaml- 01-quickstart.yaml - Basic system security checks
- 02-ssh-hardening.yaml - SSH hardening (SOC2 CC6.1)
- 03-web-security.yaml - HTTP/HTTPS validation
- 04-dns-validation.yaml - DNS resolution and records
- 05-tcp-connectivity.yaml - TCP ports and TLS testing
- 06-command-checks.yaml - Command execution and output validation
- 07-vars-and-defaults.yaml - Variables and control defaults
- 99-comprehensive-showcase.yaml - Complete feature reference (all plugins, dependencies, retries)
Reglet is in active development. Core features work, but expect breaking changes before 1.0.
v0.2.0-alpha (Released)
- Core execution engine with parallel execution
- Plugins: File, HTTP, DNS, TCP, Command, SMTP
- Capability system with profile-based discovery
- Configurable security levels (strict/standard/permissive)
- Automatic secret redaction
- Output formatters (Table, JSON, YAML, JUnit, SARIF)
- Binary releases for Linux/macOS/Windows (amd64/arm64)
- Docker images (GHCR multi-arch)
- Homebrew tap
- Automated releases with goreleaser
v0.3.0-alpha (Released)
- Profile inheritance (
extends:field) - Retry and backoff for resilient execution
- Secret management (env/files/local resolution)
- Evidence artifacts and size limits (size, count)
- Global timeout
v0.3.5-alpha (Current)
- Lockfile for reproducible plugin versions (
reglet.lock) - OCI-based plugin registry (GHCR, DockerHub, Harbor)
- Plugin management commands (
pull,push,list,prune) - Hybrid plugin resolution (embedded → cache → registry)
- Digest verification for supply chain security
- Signature verification scaffolding (Cosign/Sigstore)
v0.4.0-alpha (Next - Developer Experience)
- Tag and severity filtering
-
reglet init(interactive wizard) -
reglet plan(dry-run validation) -
reglet validate(schema and syntax validation) -
--watchmode (live feedback on file changes) - Looping (
loop: [item1, item2]) - Plugin SDK (Go) Enhanced
v0.5.0-alpha (Infrastructure & IaC Plugins)
- AWS plugin
- GCP plugin
- Azure plugin
- Terraform plugin
- Kubernetes plugin
v0.6.0-alpha (GitHub Action & CI/CD)
- GitHub Action (validates all 3 pillars!)
- GitLab CI template
- OIDC authentication
- CLI vars (
--set key=value) - Remote profiles (
reglet check https://...)
v0.7.0-alpha (OSCAL & Evidence)
- OSCAL output (assessment results)
- Evidence collection and artifact management
- POA&M generation
v1.0 GA (Compliance Packs)
- Remote pack registry (reglet.io/packs)
- SOC2 pack
- ISO27001 pack
- CIS Linux pack
- Complete Cosign signature verification
We welcome contributions! Please see our Contributing Guide and Code of Conduct.
- Issues: GitHub Issues
- Discussions: GitHub Discussions
Apache-2.0 - See LICENSE