Glob Matching

Function	Description	Meta
glob.match	result := glob.match(pattern, delimiters, match) Parses and matches strings against the glob notation. Not to be confused with regex.globs_match. Arguments: pattern (string) glob pattern delimiters (any<null, array[string]>) glob pattern delimiters, e.g. [".", ":"], defaults to ["."] if unset. If delimiters is null, glob match without delimiter. match (string) string to match against pattern Returns: result (boolean) true if match can be found in pattern which is separated by delimiters	Wasm
glob.quote_meta	output := glob.quote_meta(pattern) Returns a string which represents a version of the pattern where all asterisks have been escaped. Arguments: pattern (string) glob pattern Returns: output (string) the escaped string of pattern	SDK-dependent

Examples

glob.match

glob.match matches strings against glob patterns with optional delimiters. The function returns true if the string matches the pattern, false if it doesn't match, or undefined if invalid arguments are provided.

Common use cases for glob.match include:

• Matching file paths and URLs with wildcard patterns
• Validating domain names and hostnames against patterns
• Filtering resources based on naming conventions
• Checking configuration keys against allowed patterns

Delimiters are used to split the input into segments for matching. Delimiters must be single characters for unambiguous parsing.

Valid delimiters

glob.match("a:*", [":"], "a:b")          # => true
glob.match("a/b.c", ["/", "."], "a/b.c") # => true

Invalid delimiters

glob.match("a::*", ["::"], "a::b")   # => undefined
glob.match("a:*", [""], "a:b")       # => undefined

If you provide multi-character or empty delimiters, glob.match will return undefined (or an error with --strict-builtin-errors enabled).

An empty array [] defaults to "." (dot) as the delimiter:

Default delimiter

glob.match("*.github.com", [], "api.github.com")  # => true

Using null means no delimiters are used:

No delimiters

glob.match("*hub.com", null, "api.cdn.github.com")  # => true

Domain Matching

This example shows basic glob matching with a single delimiter.

The pattern app.*.com matches domain names where:

• The first segment is "app"
• Followed by any hostname component (matched by *)
• Ending in "com"

The dot (.) is specified as the delimiter, which splits the domain into segments: ["app", "example", "com"].

data.json

{}

input.json

{}

policy.rego

package example

# Match domain names using dot as delimiter
domain_match := glob.match("app.*.com", ["."], "app.example.com")

Loading...

OCI Image Matching

This example demonstrates when you need multiple delimiters.

Docker image references use multiple separator characters. In this pattern:

• Slash (/) separates registry/organization from image name
• Colon (:) separates image name from tag

The pattern */*:* matches any registry/organization, image name, and tag. By specifying both / and : as delimiters, glob.match segments the path: ["registry.example.com", "library", "nginx", "latest"].

data.json

{}

input.json

{}

policy.rego

package example

# Match Docker image references with both / and : delimiters
# Format: registry/namespace/image:tag
image_match := glob.match("*/*/*:*", ["/", ":"], "registry.example.com/library/nginx:latest")

Loading...

tip

For performance considerations when using glob.match, see the Policy Performance guide.

Basic Usage

The following table shows examples of how glob.match works:

call	output	Description
output := glob.match("*.github.com", [], "api.github.com")	true	A glob with the default ["."] delimiter.
output := glob.match("*.github.com", [], "api.cdn.github.com")	false	A glob with the default ["."] delimiter.
output := glob.match("*hub.com", null, "api.cdn.github.com")	true	A glob without delimiter.
output := glob.match("*:github:com", [":"], "api:github:com")	true	A glob with delimiters [":"].
output := glob.match("api.**.com", [], "api.github.com")	true	A super glob.
output := glob.match("api.**.com", [], "api.cdn.github.com")	true	A super glob.
output := glob.match("?at", [], "cat")	true	A glob with a single character wildcard.
output := glob.match("?at", [], "at")	false	A glob with a single character wildcard.
output := glob.match("[abc]at", [], "bat")	true	A glob with character-list matchers.
output := glob.match("[abc]at", [], "cat")	true	A glob with character-list matchers.
output := glob.match("[abc]at", [], "lat")	false	A glob with character-list matchers.
output := glob.match("[!abc]at", [], "cat")	false	A glob with negated character-list matchers.
output := glob.match("[!abc]at", [], "lat")	true	A glob with negated character-list matchers.
output := glob.match("[a-c]at", [], "cat")	true	A glob with character-range matchers.
output := glob.match("[a-c]at", [], "lat")	false	A glob with character-range matchers.
output := glob.match("[!a-c]at", [], "cat")	false	A glob with negated character-range matchers.
output := glob.match("[!a-c]at", [], "lat")	true	A glob with negated character-range matchers.
output := glob.match("{cat,bat,[fr]at}", [], "cat")	true	A glob with pattern-alternatives matchers.
output := glob.match("{cat,bat,[fr]at}", [], "bat")	true	A glob with pattern-alternatives matchers.
output := glob.match("{cat,bat,[fr]at}", [], "rat")	true	A glob with pattern-alternatives matchers.
output := glob.match("{cat,bat,[fr]at}", [], "at")	false	A glob with pattern-alternatives matchers.