Getting Started with Mequal

1. Quickstart with a Container

The easiest way to get started with Mequal and evaluating SBOMs is to use the readily available container, which bundles the policies and evaluates them against any SBOM input provided.

We have a pre-release container always up-to-date with the latest policies we implement. Just run the command below on any SBOM you’d like (supports CycloneDX and SPDX formats) to test it out:

$ cat sbom.json | podman run -i --rm quay.io/pct-security/mequal:latest

As of right now, Mequal is just a set of SBOM manifest policies that are assessed using OPA from inside of a container, with future improvements related to our project goals coming soon!

2. Build and Run from Source Code

We can easily start editing the source code and maybe even adding some policies of our own without worrying about the tooling underneath.

$ git clone https://github.com/project-ncl/mequal.git
$ cd mequal
$ podman build -t mequal -f ./container_files/Containerfile .

We can then either run Mequal as a CLI tool like below:

$ cat input/good/sbom-example.json | podman run -i --rm mequal

Or we can run it as a server:

$ podman run -p 8181:8181 -i --platform=linux/amd64 mequal /bin/bash ./server-run.sh

Evaluation results can then be queried with REST requests against the OPA server:

$ curl -X POST http://localhost:8181/v1/query -d '{ "query": "mequal=data.mequal.main;prodsec=data.prodsec.main" }' | jq

A playground is also available for testing out inputs and queries on the OPA server on http://localhost:8181
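To script the same REST query from a pipeline, here is an added Python example (not part of Mequal) that posts an SBOM as OPA `input` together with the query shown above and reads back the variable bindings. It assumes the policies evaluate the SBOM from OPA `input`, as the stdin-piped CLI run suggests, and treats the contents of `data.mequal.main` and `data.prodsec.main` as opaque values.

```python
"""Query a running Mequal OPA server through OPA's Query API.
Example code, not part of Mequal; assumes the policies read the SBOM from `input`."""
import json
import sys
import urllib.request

# Query string and default server address taken from the Getting Started page.
MEQUAL_QUERY = "mequal=data.mequal.main;prodsec=data.prodsec.main"
OPA_QUERY_URL = "http://localhost:8181/v1/query"


def sbom_format(sbom: dict) -> str:
    """Classify the SBOM as CycloneDX or SPDX by its top-level markers."""
    if sbom.get("bomFormat") == "CycloneDX":
        return "CycloneDX"
    if "spdxVersion" in sbom:
        return "SPDX"
    raise ValueError("not a CycloneDX or SPDX JSON document")


def build_query_body(sbom: dict) -> bytes:
    """Build the JSON request body; the SBOM travels as OPA 'input'.
    Serialising with json.dumps avoids the quoting mistakes of a hand-typed body."""
    sbom_format(sbom)  # fail early on an unsupported document
    return json.dumps({"query": MEQUAL_QUERY, "input": sbom}).encode()


def parse_query_result(response: dict) -> dict:
    """Return the mequal/prodsec bindings from an OPA Query API response.
    OPA omits 'result' when the query is undefined, so report that explicitly."""
    bindings = response.get("result") or []
    if not bindings:
        return {"defined": False, "mequal": None, "prodsec": None}
    first = bindings[0]
    return {"defined": True, "mequal": first.get("mequal"),
            "prodsec": first.get("prodsec")}


def evaluate(sbom_path: str, url: str = OPA_QUERY_URL) -> dict:
    """Read an SBOM file, POST it to the Mequal server and return the bindings."""
    with open(sbom_path, encoding="utf-8") as fh:
        sbom = json.load(fh)
    req = urllib.request.Request(url, data=build_query_body(sbom),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_query_result(json.load(resp))


if __name__ == "__main__":
    print(json.dumps(evaluate(sys.argv[1]), indent=2))
```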

The ./container_files/cli-run.sh or ./container_files/server-run.sh script can be edited to decide what should be run inside the container: it can run evaluations with the OPA binary shipped in the container, run unit tests, change evaluation parameters, etc.

b. Run Policy Evaluation Locally

By running the script below, we can immediately start running our policy evaluations locally:

$ bash ./hack/local-opa-run.sh

This script contains commands related to running policy evaluations or unit tests, and can be a reference for running policy evaluations. It can be used as a playground to test out different evaluation commands and parameters.

3. What are Policies? How do I Write Them?

For more information on what policies are and how to write them, please visit the Writing & Testing Policies section.

4. What Policies are Included in Mequal?

For more information on what policies come included with Mequal, please visit the Mequal Policies section.