SEAI | Jul 11, 2025

ARPaCCino: An Agentic-RAG for Policy as Code Compliance

arXiv:2507.10584v2 | 7 citations | h-index: 3 | ADBIS
Originality: Incremental advance
AI Analysis

This work addresses the problem of automating security and compliance policies for infrastructure engineers, though it appears incremental as it builds on existing LLM and RAG techniques.

The paper tackles the complexity and misconfiguration risk that hold back Policy as Code (PaC) adoption by introducing ARPaCCino, an agentic system that uses LLMs and RAG to generate PaC rules and external tools to verify them. In a Terraform case study it generates correct policies, flags non-compliant infrastructure, and proposes corrective changes.

Policy as Code (PaC) is a paradigm that encodes security and compliance policies into machine-readable formats, enabling automated enforcement in Infrastructure as Code (IaC) environments. However, its adoption is hindered by the complexity of policy languages and the risk of misconfigurations. In this work, we present ARPaCCino, an agentic system that combines Large Language Models (LLMs), Retrieval-Augmented Generation (RAG), and tool-based validation to automate the generation and verification of PaC rules. Given natural language descriptions of the desired policies, ARPaCCino generates formal Rego rules, assesses IaC compliance, and iteratively refines the IaC configurations to ensure conformance. Thanks to its modular agentic architecture and integration with external tools and knowledge bases, ARPaCCino supports policy validation across a wide range of technologies, including niche or emerging IaC frameworks. Experimental evaluation involving a Terraform-based case study demonstrates ARPaCCino's effectiveness in generating syntactically and semantically correct policies, identifying non-compliant infrastructures, and applying corrective modifications, even when using smaller, open-weight LLMs. Our results highlight the potential of agentic RAG architectures to enhance the automation, reliability, and accessibility of PaC workflows.
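As an added illustration of the kind of artifact the abstract describes (this is not code from the paper, nor a policy ARPaCCino produced), the Rego rule below checks a Terraform plan and denies security groups that expose SSH to the whole internet. It assumes the input is the JSON emitted by `terraform show -json tfplan`; the package name, the `aws_security_group` resource type, the port and CIDR choices, and the `opa eval` command line are all assumptions of this example.

```rego
# policy.rego (added example): deny Terraform security groups that open SSH to the internet.
# Input is assumed to be the JSON from `terraform show -json tfplan`.
# Evaluate with:
#   opa eval --format pretty --input tfplan.json --data policy.rego "data.terraform.security_groups.deny"
package terraform.security_groups

import rego.v1

# Resources this plan will create or update; deleted and no-op resources are not checked.
changed_resources contains rc if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# An ingress rule is "world-open on SSH" when its port range covers 22
# and it lists the whole IPv4 or IPv6 internet as a source.
open_ssh_rule(rule) if {
	rule.from_port <= 22
	rule.to_port >= 22
	"0.0.0.0/0" in rule.cidr_blocks
}

open_ssh_rule(rule) if {
	rule.from_port <= 22
	rule.to_port >= 22
	"::/0" in rule.ipv6_cidr_blocks
}

deny contains msg if {
	some rc in changed_resources
	rc.type == "aws_security_group"
	some rule in rc.change.after.ingress
	open_ssh_rule(rule)
	msg := sprintf("%v: ingress %v-%v is open to the internet", [rc.address, rule.from_port, rule.to_port])
}

# Caveat introduced by the plan format: attributes only known after apply are
# absent from `change.after` and listed under `change.after_unknown`, so the
# `deny` rule above silently passes them. Surface those resources instead of
# treating "not visible at plan time" as "compliant".
warn contains msg if {
	some rc in changed_resources
	rc.type == "aws_security_group"
	"ingress" in object.keys(rc.change.after_unknown)
	msg := sprintf("%v: ingress is unknown until apply; re-check after apply", [rc.address])
}
```

In a loop like the one the abstract describes, a non-empty `deny` set is the signal that the IaC needs a corrective edit and a re-plan; the `warn` set is the check a practitioner wants so that computed values do not slip through a plan-time gate.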

Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
