Conftest in CI
Gate configs against policy, shift-left.
OPA gives you the engine; Conftest makes it ergonomic for the configuration files engineers actually write. It is the tool that runs your Rego policies against YAML, JSON, HCL, and Dockerfiles as a fast, local, CI-friendly check.
Test configs against policy in CI
Conftest takes a configuration file and a set of Rego policies and reports which policies the file violates — a unit test for your infrastructure and manifests. Developers run it locally for instant feedback, and CI runs it as a gate so a non-compliant Kubernetes manifest, Terraform file, or Dockerfile fails the build before it merges. This is compliance shifted all the way left: the "no privileged containers" or "resources must have an owner tag" control is checked in the pull request, where fixing it costs minutes, rather than discovered in production or an audit months later.
# Policies (Rego) live in policy/; run them against manifests in CI:$ conftest test deploy/*.yamlFAIL - deploy/api.yaml - main - containers must set runAsNonRoot (SOC2 CC6.1)FAIL - deploy/api.yaml - main - missing required label: owner2 tests, 0 passed, 2 failures # non-zero exit → the build fails# Same policies, different inputs:$ conftest test main.tf # Terraform$ conftest test Dockerfile # Dockerfile
Shared policy, shared control set
Because Conftest uses the same Rego as OPA/Gatekeeper, you maintain one policy library that enforces a control in CI (Conftest) and at admission (Gatekeeper) alike — defense in depth from a single source of truth. Bundle and version your policies, map each to its control and framework, and distribute them across repositories so every team is checked against the same shared control set. The result is that compliance requirements become ordinary CI checks developers see and fix like any failing test, which is exactly what makes a control genuinely enforced rather than aspirational — and every Conftest run in CI is a timestamped record that the control was evaluated.