CI and Testing

You should think about your Oso policy as application code, and manage it the same way you manage other code in a repository. We recommend checking your policy (your .polar file) into your repository to make it easy to review and test changes. This guide will show you how to use your CI infrastructure to validate, test, and ultimately deploy your policy to production, just like you would test and deploy other application code.


Install the oso-cloud command line tool

$ curl -L | bash

You will need an Oso Cloud API keys for both a test and a production environment. To create an environment, read the Environments guide.


There are two ways to test new Oso policies. You can test the policy itself using the assertions in the CLI, or you can run integration tests by running your application test suite using the new policy. Before you do either, you should set up a separate environment just for testing.

You can test the authorization logic directly (without running your application) using the oso-cloud CLI. In your CI process, enable the test environment by setting OSO_AUTH to your test environment's API key. Begin your test by clearing the environment completely:

export OSO_AUTH=my_test_environment_token
oso-cloud clear --confirm

Next, upload your policy and tell Oso any facts you want to test against:

oso-cloud policy policy.polar
oso-cloud tell has_role User:steve reader Widget:foo

Then, run authorize and other queries to check that they return what you think they should.

oso-cloud authorize --fail-on-deny User:steve read Widget:foo


Using --fail-on-deny means that oso-cloud authorize will exit with a non-zero exit code, which is useful for CI. To enable this by default in a CI run, set the OSO_CLI_FAIL_ON_DENY environment variable to 1.

You can run application tests using a similar mechanism. Using your test environment's API key, clear out any old data, upload the new policy and seed your test data. Then, run your application test suite and make sure everything passes.


When your tests pass and you are ready to deploy your new policy to production you can set the OSO_AUTH variable to your production API key and upload it. This can be done as part of the same CI job that deploys the rest of your code.

export OSO_AUTH=my_production_environment_token
oso-cloud policy policy.polar

Multiple policies

When you have multiple teams collaborating on authorization, it can be helpful to split up a policy into multiple files.

You can then upload those policies with oso-cloud policy main.polar team1.polar team2.polar and so on. This oso-cloud binary concatenates together the policies before uploading them.

Talk to an Oso Engineer

If you need further assistance with testing, creating your environments or using them in your CI set up, schedule a 1x1 with an Oso engineer. We're happy to help.

Get started with Oso Cloud →