Conftest for config & IaC
Policy on YAML, Terraform, Dockerfiles.
Conftest applies OPA/Rego policy to structured configuration files — YAML, JSON, HCL/Terraform, Dockerfiles, INI, and more — and is the go-to way to enforce policy in CI. It parses the file into JSON, evaluates your deny (and warn) rules against it as input, and exits non-zero on any violation, so a pull request that adds a public bucket or a privileged pod fails the pipeline. The policies are ordinary Rego, reusable across everything Conftest can parse.
$ conftest test deployment.yamlFAIL - deployment.yaml - main - container app is privilegedFAIL - deployment.yaml - main - memory limit is not set2 tests, 0 passed, 2 failures$ echo $?1 # non-zero -> the CI job fails
Policy across the stack
The strength is one policy language over the whole toolchain: the same Conftest run can check Kubernetes manifests, a Terraform plan (converted to JSON), a Dockerfile, and a Helm render — enforcing consistent rules (“images from our registry,” “no :latest,” “encryption on”) everywhere config lives. Policies are distributed as bundles (even via OCI), so a platform team ships one policy library that every repo pulls and runs in CI.
# gate a Terraform plan: render to JSON, then test it$ terraform show -json plan.bin > plan.json$ conftest test plan.json --policy policy/# pull a shared policy bundle and test against it$ conftest pull oci://registry.internal/policies:v2 && conftest test .