open-policy-agent/conftest

★ 3,212 · Go · NOASSERTION · updated Jul 2026

Write tests against structured configuration data using the Open Policy Agent Rego query language

Conftest is a CLI tool for writing policy-as-code tests against structured config files — Kubernetes manifests, Terraform, Dockerfiles, and about 20 other formats — using OPA's Rego language. It's the glue between OPA and your CI pipeline when you want to gate deployments on policy without setting up a full OPA server. Most useful in platform engineering and DevOps contexts where you're enforcing standards across many teams' config files.

Format coverage is genuinely impressive — YAML, JSON, HCL1/2, TOML, Dockerfile, nginx.conf, .env, CycloneDX, SPDX, textproto, and more, each with its own parser and test coverage. OCI registry support for distributing policy bundles means teams can version and share policies the same way they share container images. Output adapters for GitHub Annotations, Azure DevOps, SARIF, JUnit, and TAP mean it plugs into whatever CI system you're already using without custom glue. The examples directory is thorough — real working policies for every supported format, not just token YAML samples.

Rego has a steep learning curve that this tool does nothing to soften — if your team doesn't already know OPA, adopting conftest means adopting Rego first, and that's a meaningful tax. The `--combine` flag, which lets policies see multiple files at once (needed for cross-resource validation), has subtle semantics that aren't obvious from the docs and tends to surprise people the first time it doesn't behave as expected. There's no built-in policy linting or type checking for the config data you're testing against — a typo in `input.spec.template.spec.securityContext.runAsNonRoot` silently passes instead of failing, which is the worst failure mode for a testing tool. Plugin support exists but is essentially undocumented beyond a single shell script example in `contrib/`.
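The silent-pass case described above, shown as an added example (not code from the conftest project): two rules carry the same deliberate misspelling of `runAsNonRoot`, and only the way the check is written decides whether the typo passes quietly or fails loudly. The rule names, the constructed manifest, and the use of `import rego.v1` (OPA 0.59 or later) are assumptions.

```rego
package main

import rego.v1

# Constructed manifest: non-compliant, runAsNonRoot is explicitly false.
bad_deployment := {
	"kind": "Deployment",
	"spec": {"template": {"spec": {"securityContext": {"runAsNonRoot": false}}}},
}

# Both rules below misspell the field as "runAsNonroot" on purpose.

# Equality form: the misspelt reference is undefined, so the body is
# undefined, no message is produced and the manifest passes.
deny_equality_form contains msg if {
	input.kind == "Deployment"
	input.spec.template.spec.securityContext.runAsNonroot == false
	msg := "runAsNonRoot must be true"
}

# Negated form: `not` treats undefined as a failure, so the same typo
# denies every Deployment and gets noticed on the first run.
deny_negated_form contains msg if {
	input.kind == "Deployment"
	not input.spec.template.spec.securityContext.runAsNonroot
	msg := "runAsNonRoot must be true"
}

# Unit tests pinning both behaviours against the constructed manifest.
test_equality_form_passes_silently if {
	count(deny_equality_form) == 0 with input as bad_deployment
}

test_negated_form_fails_closed if {
	count(deny_negated_form) == 1 with input as bad_deployment
}
```

Saved in the policy directory (by convention in a file ending `_test.rego`), the `test_` rules run under `conftest verify`, so a known-bad fixture that stops producing a denial shows up as a failing test rather than a green pipeline.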
