open-policy-agent/conftest open-policy-agent/conftest

  • Stars
    star
    2,857
  • Rank 15,889 (Top 0.4 %)
  • Language
    Go
  • License
    Other
  • Created over 5 years ago
  • Updated about 1 month ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
open-policy-agent/conftest
github

open-policy-agent

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Write tests against structured configuration data using the Open Policy Agent Rego query language

Conftest

Go Report Card Netlify

Conftest helps you write tests against structured configuration data. Using Conftest you can write tests for your Kubernetes configuration, Tekton pipeline definitions, Terraform code, Serverless configs or any other config files.

Conftest uses the Rego language from Open Policy Agent for writing the assertions. You can read more about Rego in How do I write policies in the Open Policy Agent documentation.

Here's a quick example. Save the following as policy/deployment.rego:

package main

deny[msg] {
  input.kind == "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot

  msg := "Containers must not run as root"
}

deny[msg] {
  input.kind == "Deployment"
  not input.spec.selector.matchLabels.app

  msg := "Containers must provide app label for pod selectors"
}

Assuming you have a Kubernetes deployment in deployment.yaml you can run Conftest like so:

$ conftest test deployment.yaml
FAIL - deployment.yaml - Containers must not run as root
FAIL - deployment.yaml - Containers must provide app label for pod selectors

2 tests, 0 passed, 0 warnings, 2 failures, 0 exceptions

Conftest isn't specific to Kubernetes. It will happily let you write tests for any configuration files in a variety of different formats. See the documentation for installation instructions and more details about the features.

Want to contribute to Conftest?

For discussions and questions join us on the Open Policy Agent Slack in the #opa-conftest channel.

More Repositories

1

opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
Go
9,480
star
2

gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
Go
3,602
star
3

gatekeeper-library

📚 The OPA Gatekeeper policy library
Open Policy Agent
628
star
4

contrib

Integrations, examples, and proof-of-concepts that are not part of OPA proper.
Go
321
star
5

opa-envoy-plugin

A plugin to enforce OPA policies with Envoy
Go
316
star
6

kube-mgmt

Sidecar for managing OPA instances in Kubernetes.
Go
232
star
7

npm-opa-wasm

Open Policy Agent WebAssembly NPM module (opa-wasm)
JavaScript
130
star
8

frameworks

Go
120
star
9

vscode-opa

An extension for VS Code which provides support for OPA and the Rego policy language
TypeScript
109
star
10

library

The Open Policy Agent project standard library.
Open Policy Agent
93
star
11

example-api-authz-go

Example Go service that uses OPA for API authorization.
Go
93
star
12

cert-controller

Go
89
star
13

opa-docker-authz

A policy-enabled authorization plugin for Docker.
Go
81
star
14

opa-idea-plugin

Open Policy Agent plugin for IntelliJ
Kotlin
56
star
15

rego-python

Python library for interacting with Rego ASTs.
Python
48
star
16

opa-envoy-spire-ext-authz

OPA-Envoy-SPIRE External Authorization Example.
Go
47
star
17

setup-opa

Sets up Open Policy Agent CLI in your GitHub Actions workflow.
TypeScript
44
star
18

example-api-authz-python

Example Python service that uses OPA for API authorization.
Python
32
star
19

community

The Community repository is the place to go for support with OPA and OPA Sub-Projects, like Conftest and Gatekeeper.
31
star
20

golang-opa-wasm

Open Policy Agent WebAssembly Go SDK
Go
20
star
21

gatekeeper-external-data-provider

A template repository for building external data providers for Gatekeeper.
Shell
10
star