Skip to main content

Rego Built-ins

Rego supports a wide range of built-in functions for different policy use cases. Built-ins available in this version of OPA are listed below.

Wasm Only
CategoryNameMeta
aggregatescount
n := count(collection)
Wasm
aggregatesmax
n := max(collection)
Wasm
aggregatesmin
n := min(collection)
Wasm
aggregatesproduct
n := product(collection)
Wasm
aggregatessort
n := sort(collection)
Wasm
aggregatessum
n := sum(collection)
Wasm
arrayarray.concat
z := array.concat(x, y)
Wasm
arrayarray.reverse
rev := array.reverse(arr)
v0.36.0 Wasm
arrayarray.slice
slice := array.slice(arr, start, stop)
Wasm
bitsbits.and
z := bits.and(x, y)
v0.18.0 Wasm
bitsbits.lsh
z := bits.lsh(x, s)
v0.18.0 Wasm
bitsbits.negate
z := bits.negate(x)
v0.18.0 Wasm
bitsbits.or
z := bits.or(x, y)
v0.18.0 Wasm
bitsbits.rsh
z := bits.rsh(x, s)
v0.18.0 Wasm
bitsbits.xor
z := bits.xor(x, y)
v0.18.0 Wasm
comparisonequal
x == y
Wasm
comparisongt
x > y
Wasm
comparisongte
x >= y
Wasm
comparisonlt
x < y
Wasm
comparisonlte
x <= y
Wasm
comparisonneq
x != y
Wasm
conversionsto_number
num := to_number(x)
Wasm
cryptocrypto.hmac.equal
result := crypto.hmac.equal(mac1, mac2)
v0.52.0 SDK-dependent
cryptocrypto.hmac.md5
y := crypto.hmac.md5(x, key)
v0.36.0 SDK-dependent
cryptocrypto.hmac.sha1
y := crypto.hmac.sha1(x, key)
v0.36.0 SDK-dependent
cryptocrypto.hmac.sha256
y := crypto.hmac.sha256(x, key)
v0.36.0 SDK-dependent
cryptocrypto.hmac.sha512
y := crypto.hmac.sha512(x, key)
v0.36.0 SDK-dependent
cryptocrypto.md5
y := crypto.md5(x)
SDK-dependent
cryptocrypto.parse_private_keys
output := crypto.parse_private_keys(keys)
v0.55.0 SDK-dependent
cryptocrypto.sha1
y := crypto.sha1(x)
SDK-dependent
cryptocrypto.sha256
y := crypto.sha256(x)
SDK-dependent
cryptocrypto.x509.parse_and_verify_certificates
output := crypto.x509.parse_and_verify_certificates(certs)
v0.31.0 SDK-dependent
cryptocrypto.x509.parse_and_verify_certificates_with_options
output := crypto.x509.parse_and_verify_certificates_with_options(certs, options)
v0.63.0 SDK-dependent
cryptocrypto.x509.parse_certificate_request
output := crypto.x509.parse_certificate_request(csr)
v0.21.0 SDK-dependent
cryptocrypto.x509.parse_certificates
output := crypto.x509.parse_certificates(certs)
SDK-dependent
cryptocrypto.x509.parse_keypair
output := crypto.x509.parse_keypair(cert, pem)
v0.53.0 SDK-dependent
cryptocrypto.x509.parse_rsa_private_key
output := crypto.x509.parse_rsa_private_key(pem)
v0.33.0 SDK-dependent
encodingbase64.decode
y := base64.decode(x)
Wasm
encodingbase64.encode
y := base64.encode(x)
Wasm
encodingbase64.is_valid
result := base64.is_valid(x)
v0.24.0 Wasm
encodingbase64url.decode
y := base64url.decode(x)
Wasm
encodingbase64url.encode
y := base64url.encode(x)
Wasm
encodingbase64url.encode_no_pad
y := base64url.encode_no_pad(x)
v0.25.0-rc2 SDK-dependent
encodinghex.decode
y := hex.decode(x)
v0.25.0-rc2 SDK-dependent
encodinghex.encode
y := hex.encode(x)
v0.25.0-rc2 SDK-dependent
encodingjson.is_valid
result := json.is_valid(x)
encodingjson.marshal
y := json.marshal(x)
Wasm
encodingjson.marshal_with_options
y := json.marshal_with_options(x, opts)
v0.64.0 SDK-dependent
encodingjson.unmarshal
y := json.unmarshal(x)
Wasm
encodingurlquery.decode
y := urlquery.decode(x)
SDK-dependent
encodingurlquery.decode_object
object := urlquery.decode_object(x)
v0.24.0 SDK-dependent
encodingurlquery.encode
y := urlquery.encode(x)
SDK-dependent
encodingurlquery.encode_object
y := urlquery.encode_object(object)
SDK-dependent
encodingyaml.is_valid
result := yaml.is_valid(x)
v0.25.0-rc1 SDK-dependent
encodingyaml.marshal
y := yaml.marshal(x)
SDK-dependent
encodingyaml.unmarshal
y := yaml.unmarshal(x)
SDK-dependent
globglob.match
result := glob.match(pattern, delimiters, match)
Wasm
globglob.quote_meta
output := glob.quote_meta(pattern)
SDK-dependent
graphgraph.reachable
output := graph.reachable(graph, initial)
v0.20.0 Wasm
graphgraph.reachable_paths
output := graph.reachable_paths(graph, initial)
v0.37.0 SDK-dependent
graphwalk
walk(x, output)
Wasm
graphqlgraphql.is_valid
output := graphql.is_valid(query, schema)
v0.41.0 SDK-dependent
graphqlgraphql.parse
output := graphql.parse(query, schema)
v0.41.0 SDK-dependent
graphqlgraphql.parse_and_verify
output := graphql.parse_and_verify(query, schema)
v0.41.0 SDK-dependent
graphqlgraphql.parse_query
output := graphql.parse_query(query)
v0.41.0 SDK-dependent
graphqlgraphql.parse_schema
output := graphql.parse_schema(schema)
v0.41.0 SDK-dependent
graphqlgraphql.schema_is_valid
output := graphql.schema_is_valid(schema)
v0.46.0 SDK-dependent
httphttp.send
response := http.send(request)
SDK-dependent
netnet.cidr_contains
result := net.cidr_contains(cidr, cidr_or_ip)
Wasm
netnet.cidr_contains_matches
output := net.cidr_contains_matches(cidrs, cidrs_or_ips)
v0.19.0-rc1 SDK-dependent
netnet.cidr_expand
hosts := net.cidr_expand(cidr)
SDK-dependent
netnet.cidr_intersects
result := net.cidr_intersects(cidr1, cidr2)
Wasm
netnet.cidr_is_valid
result := net.cidr_is_valid(cidr)
v0.46.0 SDK-dependent
netnet.cidr_merge
output := net.cidr_merge(addrs)
v0.24.0 SDK-dependent
netnet.lookup_ip_addr
addrs := net.lookup_ip_addr(name)
v0.35.0 SDK-dependent
numbersabs
y := abs(x)
Wasm
numbersceil
y := ceil(x)
v0.26.0 Wasm
numbersdiv
x / y
Wasm
numbersfloor
y := floor(x)
v0.26.0 Wasm
numbersminus
x - y
Wasm
numbersmul
x * y
Wasm
numbersnumbers.range
range := numbers.range(a, b)
v0.22.0 Wasm
numbersnumbers.range_step
range := numbers.range_step(a, b, step)
v0.56.0 SDK-dependent
numbersplus
x + y
Wasm
numbersrand.intn
y := rand.intn(str, n)
v0.31.0 SDK-dependent
numbersrem
x % y
Wasm
numbersround
y := round(x)
Wasm
objectjson.filter
filtered := json.filter(object, paths)
Wasm
objectjson.match_schema
output := json.match_schema(document, schema)
v0.50.0 SDK-dependent
objectjson.patch
output := json.patch(object, patches)
v0.25.0 SDK-dependent
objectjson.remove
output := json.remove(object, paths)
v0.18.0 Wasm
objectjson.verify_schema
output := json.verify_schema(schema)
v0.50.0 SDK-dependent
objectobject.filter
filtered := object.filter(object, keys)
v0.17.2 Wasm
objectobject.get
value := object.get(object, key, default)
Wasm
objectobject.keys
value := object.keys(object)
v0.47.0 Wasm
objectobject.remove
output := object.remove(object, keys)
v0.17.2 Wasm
objectobject.subset
result := object.subset(super, sub)
v0.42.0 SDK-dependent
objectobject.union
output := object.union(a, b)
v0.17.2 Wasm
objectobject.union_n
output := object.union_n(objects)
v0.37.0 Wasm
opaopa.runtime
output := opa.runtime()
SDK-dependent
providers.awsproviders.aws.sign_req
signed_request := providers.aws.sign_req(request, aws_config, time_ns)
v0.47.0 SDK-dependent
regexregex.find_all_string_submatch_n
output := regex.find_all_string_submatch_n(pattern, value, number)
Wasm
regexregex.find_n
output := regex.find_n(pattern, value, number)
SDK-dependent
regexregex.globs_match
result := regex.globs_match(glob1, glob2)
SDK-dependent
regexregex.is_valid
result := regex.is_valid(pattern)
v0.23.0 Wasm
regexregex.match
result := regex.match(pattern, value)
v0.23.0 Wasm
regexregex.replace
output := regex.replace(s, pattern, value)
v0.45.0 SDK-dependent
regexregex.split
output := regex.split(pattern, value)
SDK-dependent
regexregex.template_match
result := regex.template_match(template, value, delimiter_start, delimiter_end)
SDK-dependent
regorego.metadata.chain
chain := rego.metadata.chain()
v0.40.0 SDK-dependent
regorego.metadata.rule
output := rego.metadata.rule()
v0.40.0 SDK-dependent
regorego.parse_module
output := rego.parse_module(filename, rego)
SDK-dependent
semversemver.compare
result := semver.compare(a, b)
v0.22.0 SDK-dependent
semversemver.is_valid
result := semver.is_valid(vsn)
v0.22.0 SDK-dependent
setsand
x & y
Wasm
setsintersection
y := intersection(xs)
Wasm
setsminus
x - y
Wasm
setsor
x | y
Wasm
setsunion
y := union(xs)
Wasm
stringsconcat
output := concat(delimiter, collection)
Wasm
stringscontains
result := contains(haystack, needle)
Wasm
stringsendswith
result := endswith(search, base)
Wasm
stringsformat_int
output := format_int(number, base)
Wasm
stringsindexof
output := indexof(haystack, needle)
Wasm
stringsindexof_n
output := indexof_n(haystack, needle)
v0.37.0 SDK-dependent
stringslower
y := lower(x)
Wasm
stringsreplace
y := replace(x, old, new)
Wasm
stringssplit
ys := split(x, delimiter)
Wasm
stringssprintf
output := sprintf(format, values)
SDK-dependent
stringsstartswith
result := startswith(search, base)
Wasm
stringsstrings.any_prefix_match
result := strings.any_prefix_match(search, base)
v0.44.0 SDK-dependent
stringsstrings.any_suffix_match
result := strings.any_suffix_match(search, base)
v0.44.0 SDK-dependent
stringsstrings.count
output := strings.count(search, substring)
v0.67.0 SDK-dependent
stringsstrings.render_template
result := strings.render_template(value, vars)
v0.59.0 SDK-dependent
stringsstrings.replace_n
output := strings.replace_n(patterns, value)
Wasm
stringsstrings.reverse
y := strings.reverse(x)
v0.36.0 Wasm
stringssubstring
output := substring(value, offset, length)
Wasm
stringstrim
output := trim(value, cutset)
Wasm
stringstrim_left
output := trim_left(value, cutset)
Wasm
stringstrim_prefix
output := trim_prefix(value, prefix)
Wasm
stringstrim_right
output := trim_right(value, cutset)
Wasm
stringstrim_space
output := trim_space(value)
Wasm
stringstrim_suffix
output := trim_suffix(value, suffix)
Wasm
stringsupper
y := upper(x)
Wasm
timetime.add_date
output := time.add_date(ns, years, months, days)
v0.19.0 SDK-dependent
timetime.clock
output := time.clock(x)
SDK-dependent
timetime.date
date := time.date(x)
SDK-dependent
timetime.diff
output := time.diff(ns1, ns2)
v0.28.0 SDK-dependent
timetime.format
formatted timestamp := time.format(x)
v0.48.0 SDK-dependent
timetime.now_ns
now := time.now_ns()
SDK-dependent
timetime.parse_duration_ns
ns := time.parse_duration_ns(duration)
SDK-dependent
timetime.parse_ns
ns := time.parse_ns(layout, value)
SDK-dependent
timetime.parse_rfc3339_ns
ns := time.parse_rfc3339_ns(value)
SDK-dependent
timetime.weekday
day := time.weekday(x)
SDK-dependent
tokensio.jwt.decode
output := io.jwt.decode(jwt)
SDK-dependent
tokensio.jwt.decode_verify
output := io.jwt.decode_verify(jwt, constraints)
SDK-dependent
tokensio.jwt.verify_es256
result := io.jwt.verify_es256(jwt, certificate)
SDK-dependent
tokensio.jwt.verify_es384
result := io.jwt.verify_es384(jwt, certificate)
v0.20.0 SDK-dependent
tokensio.jwt.verify_es512
result := io.jwt.verify_es512(jwt, certificate)
v0.20.0 SDK-dependent
tokensio.jwt.verify_hs256
result := io.jwt.verify_hs256(jwt, secret)
SDK-dependent
tokensio.jwt.verify_hs384
result := io.jwt.verify_hs384(jwt, secret)
v0.20.0 SDK-dependent
tokensio.jwt.verify_hs512
result := io.jwt.verify_hs512(jwt, secret)
v0.20.0 SDK-dependent
tokensio.jwt.verify_ps256
result := io.jwt.verify_ps256(jwt, certificate)
SDK-dependent
tokensio.jwt.verify_ps384
result := io.jwt.verify_ps384(jwt, certificate)
v0.20.0 SDK-dependent
tokensio.jwt.verify_ps512
result := io.jwt.verify_ps512(jwt, certificate)
v0.20.0 SDK-dependent
tokensio.jwt.verify_rs256
result := io.jwt.verify_rs256(jwt, certificate)
SDK-dependent
tokensio.jwt.verify_rs384
result := io.jwt.verify_rs384(jwt, certificate)
v0.20.0 SDK-dependent
tokensio.jwt.verify_rs512
result := io.jwt.verify_rs512(jwt, certificate)
v0.20.0 SDK-dependent
tokensignio.jwt.encode_sign
output := io.jwt.encode_sign(headers, payload, key)
SDK-dependent
tokensignio.jwt.encode_sign_raw
output := io.jwt.encode_sign_raw(headers, payload, key)
SDK-dependent
tracingtrace
result := trace(note)
SDK-dependent
typesis_array
result := is_array(x)
Wasm
typesis_boolean
result := is_boolean(x)
Wasm
typesis_null
result := is_null(x)
Wasm
typesis_number
result := is_number(x)
Wasm
typesis_object
result := is_object(x)
Wasm
typesis_set
result := is_set(x)
Wasm
typesis_string
result := is_string(x)
Wasm
typestype_name
type := type_name(x)
Wasm
unitsunits.parse
y := units.parse(x)
v0.41.0 SDK-dependent
unitsunits.parse_bytes
y := units.parse_bytes(x)
SDK-dependent
uuiduuid.parse
result := uuid.parse(uuid)
v0.57.0 SDK-dependent
uuiduuid.rfc4122
output := uuid.rfc4122(k)
v0.20.0 SDK-dependent