Verdict Quickstart
Write a policy, simulate decisions, evaluate a real plan, and wire into GitHub Actions.
Five steps from install to your first governance evaluation.
Step 1 — Install
pip install obsidianwall-verdict
verdict --version
Step 2 — Write a Policy
# policies/my_budget.yaml
apiVersion: obsidianwall.io/v1
kind: Policy
metadata:
name: team_budget
version: "0.1"
owner: your-team
spec:
inputs:
- estimated_cost
- current_spend
parameters:
budget:
amount: 500
period: monthly
conditions:
- id: budget_check
expression: "(current_spend + estimated_cost) <= budget.amount"
description: "Monthly spend must not exceed budget"
decision:
allow: ALLOW
deny: DENY_WITH_OVERRIDE
governance:
severity: medium
notifications:
- role: budget_owner
channel: email
override:
roles:
- budget_owner
requires_approval: false
Step 3 — Simulate Before You Have a Real Plan
Test the policy at different cost thresholds. No cloud credentials needed.
verdict simulate \
--policy policies/my_budget.yaml \
--set estimated_cost=200
✅ ALLOW
Technical Risk: 0/100
Governance Risk: medium
Reason: conditions passed
verdict simulate \
--policy policies/my_budget.yaml \
--set estimated_cost=800
🚫 DENY_WITH_OVERRIDE
Technical Risk: 0/100
Governance Risk: medium
Reason: conditions failed hard deny
Step 4 — Validate the Policy Schema
verdict validate --policy policies/my_budget.yaml
{
"status": "valid",
"name": "team_budget",
"version": "0.1",
"owner": "your-team"
}
Step 5 — Evaluate a Real Infrastructure Plan
Terraform:
terraform plan -out=tfplan
terraform show -json tfplan > terraform_plan.json
verdict evaluate \
--plan terraform_plan.json \
--policy policies/my_budget.yaml \
--role engineer
CloudFormation (format auto-detected):
verdict evaluate \
--plan template.yaml \
--policy policies/my_budget.yaml \
--role engineer
Example output:
policy team_budget
condition budget_check ✗ FAILED
expression (current_spend + estimated_cost) <= budget.amount
evaluated (0 + 800) <= 500 → false
risk score 75 / 100 (critical)
findings cost_analysis: 2
notified budget_owner (email)
decision DENY_WITH_OVERRIDE
override budget_owner may authorize
decision_id abc3a13b-83d5-4fad-87d8
✗ Deployment blocked by governance policy.
Exit code 0 = ALLOW. Non-zero = DENY. CI/CD pipelines respect this automatically.
Step 6 — Check Compliance Coverage
verdict coverage \
--policy policies/my_budget.yaml \
--framework hipaa
Available frameworks: hipaa, soc2, cis, nist_ai_rmf
Step 7 — Wire into GitHub Actions
name: Infrastructure Governance
on:
pull_request:
paths: ["**.tf", "**.tfvars", "infra/**.yaml"]
jobs:
governance:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Terraform Plan
run: |
terraform init
terraform plan -out=tfplan
terraform show -json tfplan > terraform_plan.json
- name: Governance Evaluation
uses: ObsidianWall/obsidianwall-verdict@v0.5.0
with:
plan: terraform_plan.json
policy: policies/my_budget.yaml
fail_on_deny: "true"
The Five Governance Decisions
| Decision | Meaning |
|---|---|
ALLOW |
All conditions passed. Deployment authorized. |
ALLOW_WITH_NOTIFICATION |
Conditions passed. Stakeholders notified. Deployment proceeds. |
ALLOW_WITH_APPROVAL_REQUIRED |
Conditions passed. Formal approval required before proceeding. |
DENY_WITH_OVERRIDE |
Conditions failed. An authorized role may override. |
DENY |
Conditions failed. No override path. Hard block. |