// the find
fugue/regula
Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego
Regula is a CLI tool that runs OPA/Rego policies against Terraform, CloudFormation, Kubernetes manifests, and ARM templates to catch security and compliance issues before deployment. It was built by Fugue and has since been absorbed into Snyk IaC — the README says so upfront. If you adopt this today, you are adopting an archived project.
The rule library covers CIS benchmarks across AWS, Azure, GCP, and Kubernetes, which is a non-trivial amount of ground to have mapped. The input normalization layer (pkg/loader) handles Terraform source, JSON plans, CDK for Terraform output, and CloudFormation intrinsic functions — that breadth is genuinely hard to get right and the test fixtures show it was taken seriously. SARIF, JUnit, and TAP output formats mean it drops into most CI pipelines without glue code. The interactive REPL for testing Rego rules is a good developer experience that most policy-as-code tools skip.
It is archived. Snyk owns the successor (snyk/policy-engine) and that project is closed-source and vendor-locked. There is no migration path that keeps you independent. ARM template support was still in preview when development stopped, so Azure coverage has a real gap. The Fugue SaaS integration code (pkg/swagger, pkg/fugue) is dead weight for anyone running this standalone — it references a platform that presumably still exists but is irrelevant without a Fugue account. Last meaningful commit activity predates Terraform 1.5+, so provider-specific resource types added in the last two years will not have rules.
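The rule-coverage gap described above can be measured before relying on the rule library. This is an added example, not code from Regula or from the original page: it lists the managed resource types in a Terraform JSON plan that no rule names. The sample plan and rule snippets are constructed, and reading covered types from `resource_type` declarations and `fugue.resources(...)` calls is an assumption about how the rules are written.

```python
import json
import re

# Constructed sample: trimmed `terraform show -json` output (not from a real plan).
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_ebs_volume.data", "mode": "managed", "type": "aws_ebs_volume"},
    {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket"},
    {"address": "data.aws_ami.base", "mode": "data", "type": "aws_ami"}],
  "child_modules": [{"address": "module.net", "resources": [
    {"address": "module.net.aws_vpc_security_group_ingress_rule.web",
     "mode": "managed", "type": "aws_vpc_security_group_ingress_rule"}]}]}}}
""")

# Constructed rule sources. Assumption: a rule names the type it covers either
# in a `resource_type` declaration or in a `fugue.resources("...")` call.
SAMPLE_RULES = [
    'package rules.ebs_encrypted\nresource_type := "aws_ebs_volume"\n'
    'default allow = false\nallow { input.encrypted == true }\n',
    'package rules.bucket_logging\nimport data.fugue\nresource_type := "MULTIPLE"\n'
    'buckets = fugue.resources("aws_s3_bucket")\n',
]

DECLARED = re.compile(r'^\s*resource_type\s*:?=\s*"([^"]+)"', re.MULTILINE)
QUERIED = re.compile(r'fugue\.resources\(\s*"([^"]+)"\s*\)')

def planned_resources(module):
    """Yield (address, type) for managed resources, recursing into child modules."""
    for res in module.get("resources", []):
        if res.get("mode") == "managed":  # data sources are lookups, not deployed
            yield res["address"], res["type"]
    for child in module.get("child_modules", []):
        yield from planned_resources(child)

def covered_types(rule_sources):
    """Collect every resource type that at least one rule source names."""
    types = set()
    for src in rule_sources:
        types.update(DECLARED.findall(src))
        types.update(QUERIED.findall(src))
    types.discard("MULTIPLE")  # marker value, not a concrete resource type
    return types

def uncovered(plan, rule_sources):
    """Map each resource type with no rule to the plan addresses that use it."""
    covered, gaps = covered_types(rule_sources), {}
    for address, rtype in planned_resources(plan["planned_values"]["root_module"]):
        if rtype not in covered:
            gaps.setdefault(rtype, []).append(address)
    return gaps

if __name__ == "__main__":
    for rtype, addresses in sorted(uncovered(SAMPLE_PLAN, SAMPLE_RULES).items()):
        print(f"no rule for {rtype}: {', '.join(addresses)}")
```

A type appearing in the output means a passing scan says nothing about those resources; it does not mean they are misconfigured.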