Verdict Quickstart

Write a policy, simulate decisions, evaluate a real plan, and wire into GitHub Actions.

Five steps from install to your first governance evaluation.

Step 1 — Install

pip install obsidianwall-verdict
verdict --version

Step 2 — Write a Policy

# policies/my_budget.yaml
apiVersion: obsidianwall.io/v1
kind: Policy

metadata:
  name: team_budget
  version: "0.1"
  owner: your-team

spec:
  inputs:
    - estimated_cost
    - current_spend

  parameters:
    budget:
      amount: 500
      period: monthly

  conditions:
    - id: budget_check
      expression: "(current_spend + estimated_cost) <= budget.amount"
      description: "Monthly spend must not exceed budget"

  decision:
    allow: ALLOW
    deny:  DENY_WITH_OVERRIDE

  governance:
    severity: medium
    notifications:
      - role: budget_owner
        channel: email

  override:
    roles:
      - budget_owner
    requires_approval: false

Step 3 — Simulate Before You Have a Real Plan

Test the policy at different cost thresholds. No cloud credentials needed.

verdict simulate \
  --policy policies/my_budget.yaml \
  --set estimated_cost=200
  ✅  ALLOW

  Technical Risk:    0/100
  Governance Risk:   medium
  Reason:            conditions passed
verdict simulate \
  --policy policies/my_budget.yaml \
  --set estimated_cost=800
  🚫  DENY_WITH_OVERRIDE

  Technical Risk:    0/100
  Governance Risk:   medium
  Reason:            conditions failed hard deny

Step 4 — Validate the Policy Schema

verdict validate --policy policies/my_budget.yaml
{
  "status": "valid",
  "name": "team_budget",
  "version": "0.1",
  "owner": "your-team"
}

Step 5 — Evaluate a Real Infrastructure Plan

Terraform:

terraform plan -out=tfplan
terraform show -json tfplan > terraform_plan.json

verdict evaluate \
  --plan   terraform_plan.json \
  --policy policies/my_budget.yaml \
  --role   engineer

CloudFormation (format auto-detected):

verdict evaluate \
  --plan   template.yaml \
  --policy policies/my_budget.yaml \
  --role   engineer

Example output:

  policy          team_budget
  condition       budget_check  ✗ FAILED
  expression      (current_spend + estimated_cost) <= budget.amount
  evaluated       (0 + 800) <= 500  →  false

  risk score      75 / 100  (critical)
  findings        cost_analysis: 2
  notified        budget_owner (email)

  decision        DENY_WITH_OVERRIDE
  override        budget_owner may authorize
  decision_id     abc3a13b-83d5-4fad-87d8

✗ Deployment blocked by governance policy.

Exit code 0 = ALLOW. Non-zero = DENY. CI/CD pipelines respect this automatically.

Step 6 — Check Compliance Coverage

verdict coverage \
  --policy    policies/my_budget.yaml \
  --framework hipaa

Available frameworks: hipaa, soc2, cis, nist_ai_rmf

Step 7 — Wire into GitHub Actions

name: Infrastructure Governance

on:
  pull_request:
    paths: ["**.tf", "**.tfvars", "infra/**.yaml"]

jobs:
  governance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Terraform Plan
        run: |
          terraform init
          terraform plan -out=tfplan
          terraform show -json tfplan > terraform_plan.json

      - name: Governance Evaluation
        uses: ObsidianWall/obsidianwall-verdict@v0.5.0
        with:
          plan:         terraform_plan.json
          policy:       policies/my_budget.yaml
          fail_on_deny: "true"

The Five Governance Decisions

Decision Meaning
ALLOW All conditions passed. Deployment authorized.
ALLOW_WITH_NOTIFICATION Conditions passed. Stakeholders notified. Deployment proceeds.
ALLOW_WITH_APPROVAL_REQUIRED Conditions passed. Formal approval required before proceeding.
DENY_WITH_OVERRIDE Conditions failed. An authorized role may override.
DENY Conditions failed. No override path. Hard block.

Installation Guide