ARPaCCino: An Agentic-RAG for Policy as Code Compliance
Francesco Romeo, Luigi Arena, Francesco Blefari, Francesco Aurelio Pironti, Matteo Lupinacci, Angelo Furfaro

TL;DR
ARPaCCino is a system that leverages Large Language Models, Retrieval-Augmented Generation, and tool-based validation to automate and improve Policy as Code compliance in Infrastructure as Code environments, addressing the complexity of policy languages and the risk of misconfigurations.
Contribution
It introduces a modular agentic architecture combining LLMs, RAG, and validation tools for automated policy generation and verification across diverse IaC frameworks.
Findings
Effectively generates correct Rego policies from natural language.
Identifies non-compliance in IaC configurations.
Successfully applies corrections even with smaller LLMs.
Abstract
Policy as Code (PaC) is a paradigm that encodes security and compliance policies into machine-readable formats, enabling automated enforcement in Infrastructure as Code (IaC) environments. However, its adoption is hindered by the complexity of policy languages and the risk of misconfigurations. In this work, we present ARPaCCino, an agentic system that combines Large Language Models (LLMs), Retrieval-Augmented Generation (RAG), and tool-based validation to automate the generation and verification of PaC rules. Given natural language descriptions of the desired policies, ARPaCCino generates formal Rego rules, assesses IaC compliance, and iteratively refines the IaC configurations to ensure conformance. Thanks to its modular agentic architecture and integration with external tools and knowledge bases, ARPaCCino supports policy validation across a wide range of technologies, including…
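As an added illustration of the generate-then-validate loop the abstract describes (constructed example code, not from the ARPaCCino paper or its authors), the Rego policy below encodes two natural-language requirements, "no storage bucket may allow public access" and "every storage bucket must have versioning enabled", and its inline tests evaluate a non-compliant "before" configuration and the corrected "after" configuration that a refinement step would produce. The resource schema (`resources`, `storage_bucket`, `public_access`, `versioning`) is an assumption chosen for the example, not a schema from the paper.

```rego
package iac.storage

import rego.v1

# Added example, not from the ARPaCCino paper: a Rego policy evaluated against
# a constructed IaC resource inventory. The resource shape (input.resources,
# type "storage_bucket", config keys public_access / versioning) is assumed.

# Requirement 1: a storage bucket is non-compliant if it allows public access.
deny contains msg if {
    some resource in input.resources
    resource.type == "storage_bucket"
    resource.config.public_access == true
    msg := sprintf("bucket %q must not allow public access", [resource.name])
}

# Requirement 2: every storage bucket must have versioning enabled
# (a missing key counts as disabled).
deny contains msg if {
    some resource in input.resources
    resource.type == "storage_bucket"
    not resource.config.versioning
    msg := sprintf("bucket %q must enable versioning", [resource.name])
}

# The input is compliant only when no deny message is produced.
compliant if count(deny) == 0

# --- Inline tests, run with `opa test policy.rego` ---

# Constructed "before" configuration: public and unversioned.
noncompliant_input := {"resources": [{
    "name": "logs",
    "type": "storage_bucket",
    "config": {"public_access": true, "versioning": false}
}]}

# Constructed "after" configuration, as a correction step would produce it.
compliant_input := {"resources": [{
    "name": "logs",
    "type": "storage_bucket",
    "config": {"public_access": false, "versioning": true}
}]}

test_noncompliant_bucket_is_flagged if {
    count(deny) == 2 with input as noncompliant_input
    not compliant with input as noncompliant_input
}

test_corrected_bucket_passes if {
    count(deny) == 0 with input as compliant_input
    compliant with input as compliant_input
}
```

To check a real inventory instead of the embedded samples, save the inventory as JSON and run `opa eval --input inventory.json --data policy.rego "data.iac.storage.deny"`; an empty result set means the configuration conforms, and each returned message names the resource and the requirement it violates, which is the signal a refinement step would act on. The `import rego.v1` line keeps the `if`/`contains` syntax valid on both OPA 0.59+ and OPA 1.x.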