Conversation

@stack72
Contributor

@stack72 stack72 commented Jan 8, 2026

This PR adds support for evaluating all policy files in a directory with a single command using the new --all flag. When using --all, policy names are automatically derived from filenames, eliminating the need to manually specify names for each policy.

  • New --all Flag

    • Added --all flag to si policy evaluate command
    • When used with a directory path, evaluates all .md files in that directory
    • Policy name is automatically derived from filename (e.g., aws-tagging-policy.md → aws-tagging-policy)
    • Each policy evaluation continues independently - if one fails, others still process
  • Updated --name Parameter

    • --name is now optional when using --all flag
    • Still required for single file evaluation
    • Used as the policy identifier in the uploaded report

Comprehensive validation with clear error messages for all scenarios:

```
# Directory without --all
si policy evaluate policies/
# Error: "The path 'policies/' is a directory. Please use the --all flag..."

# File with --all but no name
si policy evaluate policy.md --all
# Error: "When evaluating a single file, the --name option is required..."

# Non-existent path
si policy evaluate invalid/
# Error: "Path does not exist: invalid/"

# Empty directory with --all
si policy evaluate empty-dir/ --all
# Error: "No policy files (.md) found in directory: empty-dir/"
```

Code Quality Improvements

  • Refactored evaluateSinglePolicy into smaller, focused functions:
    • createOutputPaths() - Handles output directory setup
    • uploadPolicyResults() - Encapsulates upload logic
    • displayEvaluationSummary() - Handles result display
    • evaluateSinglePolicy() - Now focuses on orchestration
  • Fixed logging consistency - replaced console.log with ctx.logger
  • Removed \n prefixes in log messages that caused formatting issues

Usage

  • Single file (existing behavior)

```
si policy evaluate policy.md --name "AWS Tagging Policy"
```

  • All files in directory (new)

```
si policy evaluate policies/ --all
```

  • With additional options

```
si policy evaluate policies/ --all --change-set my-changeset --output-folder results/
```

Example Output

```
$ si policy evaluate policies/ --all

✨ info    si Found 3 policy file(s) to evaluate
✨ info    si === Evaluating policy: aws-tagging-policy ===
✨ info    si Starting policy evaluation for: policies/aws-tagging-policy.md
...
✨ info    si Policy Evaluation Complete
✨ info    si Result: PASS
✨ info    si === Evaluating policy: security-groups-policy ===
...
✨ info    si === Completed evaluating all policies ===
```
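The validation rules and the "continue on failure" batch loop described in the PR, written out as an added example. This is illustrative code, not the `si` CLI's own implementation: the `FsView` interface, `memoryView`, `planEvaluation` and `evaluateAll` are names chosen here, and the in-memory directory contents used to exercise them are constructed. The example follows the PR's rules (directory requires `--all`, a single file requires `--name`, only `.md` files are picked up, a missing path or an empty directory is an error) and derives the policy identifier from the file's basename only, so the directory part of a user-supplied path can never leak into the report name.

```typescript
import * as path from "node:path";
import * as fs from "node:fs";

// Minimal file-system view (hypothetical) so the planner can be run against
// constructed input; nodeFsView adapts the real fs for actual use.
export interface FsView {
  exists(p: string): boolean;
  isDirectory(p: string): boolean;
  listFiles(dir: string): string[]; // plain files only, names without the dir
}

export interface EvaluateOptions {
  all?: boolean;
  name?: string;
}

export interface PolicyTarget {
  file: string;
  name: string;
}

export type Verdict = "PASS" | "FAIL";

export interface EvaluationResult extends PolicyTarget {
  status: Verdict | "ERROR";
  detail?: string;
}

// Policy identifier = basename without extension; the directory part of the
// path is deliberately discarded so it cannot end up in the uploaded report.
export function policyNameFromFile(file: string): string {
  return path.basename(file, path.extname(file));
}

// Validate the (path, --all, --name) combination and return the list of
// policy files to evaluate, each paired with its identifier.
export function planEvaluation(target: string, opts: EvaluateOptions, view: FsView): PolicyTarget[] {
  if (!view.exists(target)) {
    throw new Error(`Path does not exist: ${target}`);
  }
  if (view.isDirectory(target)) {
    if (!opts.all) {
      throw new Error(`The path '${target}' is a directory. Please use the --all flag to evaluate every policy file in it.`);
    }
    // Only .md files count as policies; other files in the directory are ignored.
    const files = view.listFiles(target).filter((f) => path.extname(f) === ".md").sort();
    if (files.length === 0) {
      throw new Error(`No policy files (.md) found in directory: ${target}`);
    }
    return files.map((f) => ({ file: path.join(target, f), name: policyNameFromFile(f) }));
  }
  // Single file: the identifier must be given explicitly, with or without --all.
  if (!opts.name) {
    throw new Error("When evaluating a single file, the --name option is required.");
  }
  return [{ file: target, name: opts.name }];
}

// Evaluate every target; a throwing evaluation is recorded as ERROR and the
// batch continues with the next policy instead of aborting.
export function evaluateAll(
  targets: PolicyTarget[],
  evaluate: (t: PolicyTarget) => Verdict,
  log: (msg: string) => void = () => {},
): EvaluationResult[] {
  const results: EvaluationResult[] = [];
  for (const t of targets) {
    log(`=== Evaluating policy: ${t.name} ===`);
    try {
      results.push({ ...t, status: evaluate(t) });
    } catch (err) {
      results.push({ ...t, status: "ERROR", detail: err instanceof Error ? err.message : String(err) });
    }
  }
  log("=== Completed evaluating all policies ===");
  return results;
}

// Adapter over the real file system.
export const nodeFsView: FsView = {
  exists: (p) => fs.existsSync(p),
  isDirectory: (p) => fs.statSync(p).isDirectory(),
  listFiles: (dir) =>
    fs.readdirSync(dir, { withFileTypes: true }).filter((d) => d.isFile()).map((d) => d.name),
};

// Constructed in-memory view: `dirs` maps a directory path to its file names,
// `files` lists stand-alone file paths.
export function memoryView(dirs: Record<string, string[]>, files: string[]): FsView {
  return {
    exists: (p) => p in dirs || files.includes(p),
    isDirectory: (p) => p in dirs,
    listFiles: (dir) => dirs[dir] ?? [],
  };
}
```

Wiring this into a command handler would be `evaluateAll(planEvaluation(argPath, { all, name }, nodeFsView), runOnePolicy, (m) => ctx.logger.info(m))`; the summary can then be printed from the returned array, with any `ERROR` entries listed separately from `PASS`/`FAIL` verdicts.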

@github-actions

github-actions bot commented Jan 8, 2026

Dependency Review

✅ No vulnerabilities or OpenSSF Scorecard issues found.

Scanned Files

None

@github-actions github-actions bot added the A-si label Jan 8, 2026
@stack72 stack72 force-pushed the add-ability-to-run-multiple-policies branch from bbfc33c to 980ab1d Compare January 8, 2026 23:29
@github-actions github-actions bot added the A-docs Area: Project documentation label Jan 8, 2026
@stack72 stack72 added this pull request to the merge queue Jan 8, 2026
Merged via the queue into main with commit 020511f Jan 8, 2026
9 checks passed
@stack72 stack72 deleted the add-ability-to-run-multiple-policies branch January 8, 2026 23:55
