Sentinel v0.13.0 - http import, and policy parameters!

Greetings everyone!

We are happy to announce the release of version 0.13.0 of the Sentinel runtime.

For the most recent changes, see the release notes:

https://docs.hashicorp.com/sentinel/changelog

To download the latest version of the Sentinel CLI, see the downloads page:

https://docs.hashicorp.com/sentinel/downloads

This update includes two new key features that continue to drive our mission of policy extensibility - the http import, and policy parameters.

The http Import

The first of these two changes is the new http import, which allows policy authors to fetch data from external HTTP endpoints.

As Sentinel grows, HashiCorp continues to work to ensure that the imports supplied by various integrations present as much data as possible for a policy author to make decisions on whether or not to allow a certain operation. However, there will always be sources that we cannot account for, or applications which are ultimately inappropriate or impossible for us to represent as imports, such as internal services.

The http import allows you to work with these endpoints, fetching arbitrary data which can then be further processed to access the contents.

As an example, say you have an arbitrary endpoint with a JSON document of:

{
  "fourty_two": 42
}

You could use the http and json imports to process this data:

import "http"
import "json"

main = rule {
	json.unmarshal(
		http.get("https://example.com/data.json").body,
	).fourty_two is 42
}

For a niftier and fully-functional example, you can see Chris Arcand’s hazardous asteroids policy! This is a policy, fully usable within the Sentinel CLI, that uses real data from NASA to demonstrate the import in action.

For the full details, check the http import documentation page.

Policy Parameters

The second major feature in this release is the introduction of policy parameters. This is a new language feature that allows you to, within a policy, specify values that are expected to be provided to the policy at runtime, allowing parameterization of values such as endpoint addresses, credentials, or anything else necessary to generalize a policy to help facilitate security and re-use.

Chris’ hazardous asteroids policy demonstrates the use of a parameter in that the policy specifies the required parameter api_token:

param api_token

Parameters can also have defaults and descriptions, and will be supplied in any number of ways depending on your implementation. See the parameters page in the documentation for details on these topics, including details on how parameters are supplied through the Sentinel CLI.

What is the Sentinel Runtime?

The runtime represents the Sentinel language engine and is the technology that is integrated into the enterprise versions of our open source products such as Terraform, Vault, Consul, and Nomad. Updates to the runtime may fix bugs or add features that are generally associated with the language itself and the standard library.

Functionality specifically associated with one product (example: Terraform Cloud and Enterprise’s Terraform-related imports) is updated on a separate schedule and is generally tracked within that product’s release notes.

Watch that product’s release notes as well for when they update the runtime - each product tracks the runtime on different schedules.

What is the Sentinel CLI?

The Sentinel CLI is a command-line interface for developing and testing policies. Having a standard workflow to develop policies is critical for our mission of policy as code. The CLI allows full use of the Sentinel engine, standard library, and supplied mock data to effectively test policies before they are added to a product that integrates Sentinel.

We ship an up-to-date version of the Sentinel CLI for every release of the runtime. To use the newest changes, download the simulator at the downloads page referenced at the start of this message.

Thanks, and we hope you enjoy the release!

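As an added example (not from the announcement above, and not Chris Arcand’s policy), here is a policy that puts the two features together: a described parameter with a default for the endpoint, a credential parameter with no default so it must be supplied at runtime, and a status-code check before the body is parsed. The endpoint, parameter names and the `changes_allowed` field are assumptions for illustration; `http.request` and `with_header` are taken from the http import documentation.

```sentinel
# Added example policy, not part of the Sentinel 0.13.0 release announcement.
import "http"
import "json"

# A comment directly above a param acts as its description.
# Endpoint that reports whether a change window is currently open (assumed URL).
param endpoint default "https://example.com/change-window.json"

# Bearer token for the endpoint. Deliberately no default: it has to be
# supplied at runtime (for example via the CLI), so the policy file itself
# never carries a secret.
param api_token

# Send the token as a header rather than in the URL so it does not end up
# in request logs or in an error message that echoes the address.
req = http.request(endpoint).with_header("Authorization", "Bearer " + api_token)
resp = http.get(req)

# Fail closed: only a 200 response is parsed, and a missing field counts as
# "not allowed" via the else default rather than an undefined value.
window_open = func() {
	if resp.status_code is not 200 {
		return false
	}
	doc = json.unmarshal(resp.body)
	return (doc.changes_allowed else false) is true
}

main = rule { window_open() }
```

With the CLI, `api_token` is passed as a parameter at run time; leaving it unset fails the policy rather than silently calling the endpoint unauthenticated.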

Sentinel 0.13.1 has been released! This release addresses a particular issue with mocking.

BUG FIXES:

  • runtime/eval: Parameters are no longer allowed in mock files. Adding one to a mock will result in a runtime error.
  • runtime/eval: Fixed an issue where import calls from within mocks were failing under certain circumstances.
  • imports/decimal: int should now correctly provide the truncated integer representation of a decimal number, not the rounded one.

Again, you can find the full release notes at https://docs.hashicorp.com/sentinel/changelog/.

Thanks!