Conftest in CI

Gate configs against policy, shift-left.

Advanced30 min · lesson 5 of 15

OPA gives you the engine; Conftest makes it ergonomic for the configuration files engineers actually write. It is the tool that runs your Rego policies against YAML, JSON, HCL, and Dockerfiles as a fast, local, CI-friendly check.

Test configs against policy in CI

Conftest takes a configuration file and a set of Rego policies and reports which policies the file violates — a unit test for your infrastructure and manifests. Developers run it locally for instant feedback, and CI runs it as a gate so a non-compliant Kubernetes manifest, Terraform file, or Dockerfile fails the build before it merges. This is compliance shifted all the way left: the "no privileged containers" or "resources must have an owner tag" control is checked in the pull request, where fixing it costs minutes, rather than discovered in production or an audit months later.

gate configs with Conftest in CI
# Policies (Rego) live in policy/; run them against manifests in CI:
$ conftest test deploy/*.yaml
FAIL - deploy/api.yaml - main - containers must set runAsNonRoot (SOC2 CC6.1)
FAIL - deploy/api.yaml - main - missing required label: owner
2 tests, 0 passed, 2 failures # non-zero exit → the build fails
# Same policies, different inputs:
$ conftest test main.tf # Terraform
$ conftest test Dockerfile # Dockerfile

Shared policy, shared control set

Because Conftest uses the same Rego as OPA/Gatekeeper, you maintain one policy library that enforces a control in CI (Conftest) and at admission (Gatekeeper) alike — defense in depth from a single source of truth. Bundle and version your policies, map each to its control and framework, and distribute them across repositories so every team is checked against the same shared control set. The result is that compliance requirements become ordinary CI checks developers see and fix like any failing test, which is exactly what makes a control genuinely enforced rather than aspirational — and every Conftest run in CI is a timestamped record that the control was evaluated.

Conftest: compliance in the pipeline
inputs
K8s manifests
YAML
Terraform / Dockerfile
HCL / Dockerfile
shared policy
one Rego library
also used by Gatekeeper
CI gate
fail the build on violation
Conftest runs your Rego policies against config files as a CI gate — compliance as an ordinary, fast, shift-left test.
A CI-only gate misses out-of-band changes
Conftest catches non-compliant config in the pipeline, but a resource changed directly in the console never passes through CI. Pair CI gates (Conftest) with runtime enforcement (Gatekeeper/admission) and drift detection, so the control holds whether the change came through the pipeline or around it.