Access pass-fail validation outcome for a specific rule

To check the pass/fail status of a specific access policy or critical flow rule after running invariant run, examine the relevant _ok or _violations report files using invariant show --json.

Use a tool like jq to filter the JSON output and check the ok field for your rule.

# Check if a *specific* access policy rule within 'datacenter-security-policy' passed
# Looks for the rule based on its comment containing "VLAN30"
$ invariant show policy_ok --json | jq '.[] | select(.policy.name == "datacenter-security-policy" and ((.rule.comment // "") | contains("VLAN30"))) | .ok'
true
# Check if a *specific* access policy rule within 'datacenter-security-policy' violated
# Looks for the rule based on its comment containing "VLAN40"
$ invariant show policy_violations --json | jq '.[] | select(.policy.name == "datacenter-security-policy" and ((.rule.comment // "") | contains("VLAN40"))) | .ok'
false
  • Check the policy_ok or critical_flows_ok reports. If your rule is present and ok is true, it passed.
  • Check the policy_violations or critical_flows_violations reports. If your rule is present and ok is false, it failed.
  • If the rule is not found in either the _ok or _violations report for its type, it may have been skipped due to errors (check policy_skipped or critical_flows_skipped).
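
The three checks above can be folded into one fail-closed lookup, for example as a CI gate. This is an added example, not part of the Invariant documentation or tooling: the row fields (`policy.name`, `rule.comment`, `ok`) are taken from the jq filters on this page, the shape of the skipped rows is an assumption, and the sample rows and the function names are constructed for illustration.

```python
import json
import subprocess

POLICY = "datacenter-security-policy"
# Constructed sample rows, not real tool output. Field names follow the jq
# filters above; the shape of the skipped rows is an assumption.
OK = [{"policy": {"name": POLICY}, "rule": {"comment": "permit VLAN30 to DNS"}, "ok": True},
      {"policy": {"name": POLICY}, "rule": {}, "ok": True}]  # rule with no comment
VIOLATIONS = [{"policy": {"name": POLICY}, "rule": {"comment": "deny VLAN40 to mgmt"}, "ok": False}]
SKIPPED = [{"policy": {"name": POLICY}, "rule": {"comment": "deny VLAN50 to core"}}]


def load_report(name):
    """Run `invariant show <name> --json` and return the parsed rows."""
    out = subprocess.run(["invariant", "show", name, "--json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def matches(rows, policy, needle):
    """Rows for `policy` whose rule comment contains `needle` (null-safe)."""
    return [r for r in rows
            if (r.get("policy") or {}).get("name") == policy
            and needle in ((r.get("rule") or {}).get("comment") or "")]


def rule_status(policy, needle, ok_rows, violation_rows, skipped_rows):
    """Return 'fail', 'skipped', 'pass' or 'missing' for one rule.

    Checked in fail-closed order: only 'pass' means the rule was verified.
    """
    if matches(violation_rows, policy, needle):
        return "fail"
    if matches(skipped_rows, policy, needle):
        return "skipped"
    hits = matches(ok_rows, policy, needle)
    if hits:
        # A row in the _ok report whose ok field is not true is treated as a failure.
        return "pass" if all(r.get("ok") is True for r in hits) else "fail"
    return "missing"


if __name__ == "__main__":
    for vlan in ("VLAN30", "VLAN40", "VLAN50", "VLAN60"):
        print(vlan, rule_status(POLICY, vlan, OK, VIOLATIONS, SKIPPED))
```

Against a real snapshot, pass `load_report("policy_ok")`, `load_report("policy_violations")` and `load_report("policy_skipped")` as the three row lists, and treat any result other than `pass` as a blocking outcome.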

See Access Policy Output Files for more details on report files.