Problem Statement
Declarative content and plugin binaries ship through independent paths, forcing the consumer to manage both.
Proposal
Create WASM-based plugins and bundle plugins with their policy-as-code content in a new OCI artifact type, a complypack, so complyctl get delivers both content and plugin in one pull.
Success Criteria
• A single complyctl get fetches a complypack and makes both content and plugin available
• gRPC providers that require full system access for scanning continue to work unchanged alongside WASM-based providers
• Plugin authors still write in Go, compile with TinyGo, and implement the same Describe/Generate/Scan interface
Added Benefit
- API-based plugins run sandboxed with no filesystem, subprocess, or raw socket access
Next Steps
• complypack OCI media types and artifact structure
• complyctl get to detect and extract complypacks
• complyctl doctor with complypack integrity checks and privilege visibility
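As an added example (not code from the complyctl project), here is a small Go model of what the next steps above imply: a complypack manifest in OCI image-manifest shape, a doctor-style pass that verifies each layer's digest and size against the fetched blobs, and a privilege classification per layer (declarative content, sandboxed WASM plugin, or full-system gRPC provider). The artifactType and media type strings, the Privilege labels, and the sample blobs are constructed assumptions, not identifiers complyctl defines.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Assumed complypack artifact and layer media types (placeholders, not complyctl's).
const (
	ArtifactTypeComplypack   = "application/vnd.complytime.complypack.v1"
	MediaTypeContentLayer    = "application/vnd.complytime.complypack.content.v1.tar+gzip"
	MediaTypeWasmPluginLayer = "application/vnd.complytime.complypack.plugin.v1.wasm"
	MediaTypeGRPCPluginLayer = "application/vnd.complytime.complypack.plugin.v1.grpc"
)

// Descriptor and Manifest mirror the subset of OCI manifest fields used here.
type Descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

type Manifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	ArtifactType  string       `json:"artifactType"`
	Layers        []Descriptor `json:"layers"`
}

// Privilege is what a doctor command would surface for each layer (assumed labels).
type Privilege string

const (
	PrivilegeNone       Privilege = "none (declarative content)"
	PrivilegeSandboxed  Privilege = "sandboxed (WASM: no filesystem, subprocess or raw sockets)"
	PrivilegeFullSystem Privilege = "full system access (gRPC provider)"
)

type LayerReport struct {
	Digest    string
	Verified  bool
	Privilege Privilege
}

// Digest returns the OCI-style sha256 digest string of a blob.
func Digest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Doctor checks that each referenced layer is present, hashes to its declared
// digest with the declared size, and classifies its privilege level. Unknown
// media types are rejected rather than guessed at.
func Doctor(manifestJSON []byte, blobs map[string][]byte) ([]LayerReport, error) {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest: %w", err)
	}
	if m.ArtifactType != ArtifactTypeComplypack {
		return nil, fmt.Errorf("not a complypack: artifactType %q", m.ArtifactType)
	}
	reports := make([]LayerReport, 0, len(m.Layers))
	for _, l := range m.Layers {
		var priv Privilege
		switch l.MediaType {
		case MediaTypeContentLayer:
			priv = PrivilegeNone
		case MediaTypeWasmPluginLayer:
			priv = PrivilegeSandboxed
		case MediaTypeGRPCPluginLayer:
			priv = PrivilegeFullSystem
		default:
			return nil, fmt.Errorf("layer %s: unknown media type %q", l.Digest, l.MediaType)
		}
		blob, ok := blobs[l.Digest]
		verified := ok && int64(len(blob)) == l.Size && Digest(blob) == l.Digest
		reports = append(reports, LayerReport{Digest: l.Digest, Verified: verified, Privilege: priv})
	}
	return reports, nil
}

// SampleComplypack builds a constructed manifest and blob store with one content
// layer and one WASM plugin layer. With tamper set, the plugin bytes are altered
// after the manifest was written, so its digest no longer matches.
func SampleComplypack(tamper bool) ([]byte, map[string][]byte) {
	content := []byte("catalog.json: constructed OSCAL content placeholder")
	plugin := []byte("\x00asm\x01\x00\x00\x00 constructed wasm placeholder")
	m := Manifest{SchemaVersion: 2, ArtifactType: ArtifactTypeComplypack, Layers: []Descriptor{
		{MediaType: MediaTypeContentLayer, Digest: Digest(content), Size: int64(len(content))},
		{MediaType: MediaTypeWasmPluginLayer, Digest: Digest(plugin), Size: int64(len(plugin))},
	}}
	if tamper {
		plugin[len(plugin)-1] ^= 0xff
	}
	blobs := map[string][]byte{m.Layers[0].Digest: content, m.Layers[1].Digest: plugin}
	manifestJSON, _ := json.Marshal(m)
	return manifestJSON, blobs
}

func main() {
	manifestJSON, blobs := SampleComplypack(false)
	reports, err := Doctor(manifestJSON, blobs)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, r := range reports {
		fmt.Printf("%s verified=%v privilege=%s\n", r.Digest[:19], r.Verified, r.Privilege)
	}
}
```

Keying the blob store by digest is what makes the integrity check meaningful: a get step can only store what it fetched under the digest the manifest promised, and doctor independently rehashes the bytes, so a swapped or truncated layer shows up as Verified=false rather than being trusted because it arrived in the same pull.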