# Publish

ORL rules can be published to the Rules Service, categorized, and served via channels.

## Channels

Channels are pre-canned search [queries](https://docs.gomboc.ai/orl/publish/query-language) that return a set of rules. The Gomboc service uses channels for everything from policy sets to exception handling.

## Classification

Classifications are a hierarchical list of categories that can contain rules. They can be children of other classifications. Gomboc uses them for policies as well as security framework mapping.

## Rules

Rules in the rules service are just JSON documents with JSON metadata. ORL will only push and pull JSON documents of a type it understands.

### Rule Classifications

When pushing rules to the Rules Service, the `metadata.classifications` field is used to associate rules with classifications. You can associate rules with any classifications, including Gomboc-managed ones.

```yaml
type: Rule
version: v1
metadata:
  name: my-rule
  classifications:
    - my/aws/no/dns/ips
    - gomboc-ai/prismacloud/CKV2_AWS_23
    - gomboc-ai/policy/surface_area
```

This will create a rule associated with an internal policy `my/aws/no/dns/ips`, the Checkov rule `CKV2_AWS_23`, as well as the "Surface Area" Policy.

### Publishing Rules (push)

Pushing rules will affect scans, so it is important that they are well [tested](https://docs.gomboc.ai/orl/concepts/tests) locally before being pushed.

When ready, put all the files (or symlinks to the files) in a single directory and then run `orl rules push <path>` to upsert the files to the Rules Service.

The following environment variables are needed:

* `RULE_SERVICE_URL`: The rule service URL to use (should be `https://rules.app.gomboc.ai`)
* `RULE_SERVICE_TOKEN`: The API token
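
A preflight wrapper for the push step, as an added example (not from the Gomboc documentation): it refuses to run `orl rules push` unless both variables are set, the URL is the documented HTTPS endpoint (so the token is not sent anywhere else), and the directory holds at least one file. The function names are hypothetical, and pinning the URL to the documented value is an assumption of this example.

```shell
#!/bin/sh
# Added example: preflight checks before `orl rules push`.
# Function names are hypothetical; only `orl rules push <path>` and the two
# environment variable names come from the page.
EXPECTED_URL="https://rules.app.gomboc.ai"   # value documented on this page

# Return 0 only if both variables are set and the URL is the documented endpoint.
check_rule_service_env() {
  if [ -z "${RULE_SERVICE_URL:-}" ]; then
    echo "RULE_SERVICE_URL is not set" >&2; return 1
  fi
  if [ -z "${RULE_SERVICE_TOKEN:-}" ]; then
    echo "RULE_SERVICE_TOKEN is not set" >&2; return 1
  fi
  # Strip one trailing slash so both spellings compare equal.
  # The token value itself is never printed.
  if [ "${RULE_SERVICE_URL%/}" != "$EXPECTED_URL" ]; then
    echo "RULE_SERVICE_URL is not $EXPECTED_URL; refusing to send the token" >&2
    return 1
  fi
  return 0
}

# Return 0 only if the path is a directory holding at least one file.
check_rules_dir() {
  dir=$1
  if [ ! -d "$dir" ]; then
    echo "$dir is not a directory" >&2; return 1
  fi
  for f in "$dir"/*; do
    # -f follows symlinks, so links to rule files count as files.
    if [ -f "$f" ]; then return 0; fi
  done
  echo "$dir contains no files to push" >&2
  return 1
}

# Run the push only when every check passes.
push_rules() {
  check_rule_service_env && check_rules_dir "$1" && orl rules push "$1"
}
```

In CI, call `push_rules <path>` with the token supplied from the pipeline's secret store rather than written into the workflow file.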

### Caching Rules (pull)

Pulling rules requires a channel or a [query string](https://docs.gomboc.ai/orl/publish/query-language), as well as the same environment variables used for pushing rules. All downloaded rules are written locally as `*.orl` files for use in a later `orl remediate` step.

* Via direct search: `orl rules pull --search '(contains "my/aws" $.name)'`
* Via a channel: `orl rules pull --channel 'my-aws'`

## Example CI Workflows

* [GitHub](https://docs.gomboc.ai/orl/publish/github-workflow)
