Policy Customization - Getting Started
Customize containerization policies using the priority-ordered policy system.
Quick Start
- Create a directory for your policies and add a .rego file:
mkdir -p ~/.config/containerization-assist/policies
- Save a policy file to that directory, e.g. ~/.config/containerization-assist/policies/require-mcr-images.rego:
# Rego policy: block Dockerfiles that use base images outside mcr.microsoft.com
package containerization.require_mcr

# Extract all FROM lines from the Dockerfile
from_lines := [line |
    line := split(input.content, "\n")[_]
    startswith(trim_space(line), "FROM ")
]

# Flag each FROM line that does not reference mcr.microsoft.com
violations contains result if {
    some line in from_lines
    not contains(line, "mcr.microsoft.com/")
    result := {
        "rule": "require-mcr-images",
        "category": "security",
        "priority": 95,
        "severity": "block",
        "message": sprintf("Base image must come from mcr.microsoft.com: %s", [trim_space(line)]),
    }
}

default allow := false

allow if count(violations) == 0

result := { "allow": allow, "violations": violations }
- Point the server to your policies directory in .vscode/mcp.json:
{
    "servers": {
        "containerization-assist": {
            "env": {
                "CUSTOM_POLICY_PATH": "${env:HOME}/.config/containerization-assist/policies"
            }
        }
    }
}
- Restart your MCP client to pick up the new policy.
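The policy above accepts any FROM line that contains the string mcr.microsoft.com/ anywhere in it, and it only recognizes an upper-case FROM followed by a space. The following added example (not the project's own code; the package name, rule name and test inputs are constructed) anchors the check to the start of the image reference and ships with tests for opa test. Stage references and scratch are still flagged, as in the original.

```rego
# Added example, not part of the project: stricter require-mcr check plus opa tests.
package containerization.require_mcr_strict # hypothetical package name

import rego.v1

# Image reference of each FROM instruction. The keyword is matched
# case-insensitively and leading flags such as --platform=... are skipped.
from_images contains image if {
    some line in split(input.content, "\n")
    fields := regex.split(`\s+`, trim_space(line))
    upper(fields[0]) == "FROM"
    args := [f | some f in array.slice(fields, 1, count(fields)); not startswith(f, "--")]
    image := args[0]
}

# The reference must begin with the registry host, not merely contain it.
violations contains v if {
    some image in from_images
    not startswith(lower(image), "mcr.microsoft.com/")
    v := {
        "rule": "require-mcr-images-strict",
        "category": "security",
        "priority": 95,
        "severity": "block",
        "message": sprintf("Base image must start with mcr.microsoft.com/: %s", [image]),
    }
}

default allow := false

allow if count(violations) == 0

result := {"allow": allow, "violations": violations}

# Constructed inputs for `opa test`.
test_mcr_image_allowed if {
    allow with input as {"content": "FROM mcr.microsoft.com/dotnet/runtime:8.0\nUSER app"}
}

test_host_elsewhere_in_path_blocked if {
    not allow with input as {"content": "from registry.example/mcr.microsoft.com/base:1"}
}

test_flags_and_stage_alias_handled if {
    count(violations) == 1 with input as {"content": "FROM --platform=linux/amd64 node:20 AS build"}
}
```

Run opa test against the file to confirm all three cases pass, then move the test_ rules into a separate _test.rego file before placing the policy in your policies directory.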
Policy Priority
Policies are discovered and merged from three locations in priority order:
- Built-in policies/ (lowest priority) - Base security and quality rules
- policies.user/ (middle priority) - Repository-specific customizations
- CUSTOM_POLICY_PATH environment variable (highest priority) - Organization-wide policies
Later policies override earlier policies by package namespace.
Common Use Cases
Allow All Container Registries
Override built-in MCR preference to allow Docker Hub, GCR, ECR, etc.
cp policies.user.examples/allow-all-registries.rego policies.user/
# Restart MCP client
Advisory-Only Mode
Convert all blocking violations to warnings for testing or development.
cp policies.user.examples/warn-only-mode.rego policies.user/
# Restart MCP client
Organization-Specific Rules
Create custom policies for your organization's requirements.
cp policies.user.examples/custom-organization-template.rego policies.user/my-org-policy.rego
# Edit my-org-policy.rego to customize
# Restart MCP client
Testing Your Policies
1. List Discovered Policies
# List all discovered policies
npx containerization-assist-mcp list-policies
# Show merged policy result
npx containerization-assist-mcp list-policies --show-merged
2. Check Discovery Logs
npx containerization-assist-mcp start --log-level debug 2>&1 | grep -i policy
Look for:
Discovered built-in policies: 3 files
Discovered user policies from policies.user/: 1 files
3. Test with Dockerfile Validation
# printf expands \n in every shell; bash's echo would write it literally
printf 'FROM node:latest\nUSER root\n' > test.Dockerfile
# Use fix-dockerfile tool via your MCP client
Troubleshooting
Q: My custom policy isn't loading
Check file extension (must be .rego):
ls -la policies.user/
# ✅ my-policy.rego
# ❌ my-policy.rego.txt or my-policy.yaml
Check discovery logs:
npx containerization-assist-mcp list-policies
Q: Built-in policies still blocking
Custom policies override by package namespace. See policies.user.examples/allow-all-registries.rego for examples of how to override built-in rules.
Q: Changes not taking effect
Restart your MCP client (VS Code, Claude Desktop, etc.) after modifying policies.
Q: Syntax error in my policy
Validate policy syntax:
opa check policies.user/my-policy.rego
opa test policies.user/
Reverting to Built-In Policies
# Remove user policies
rm -rf policies.user/
# Remove environment variable from .vscode/mcp.json
# Restart MCP client