// the find
open-policy-agent/conftest
Write tests against structured configuration data using the Open Policy Agent Rego query language
Conftest is a CLI tool for writing policy-as-code tests against structured config files — Kubernetes manifests, Terraform, Dockerfiles, and about 20 other formats — using OPA's Rego language. It's the glue between OPA and your CI pipeline when you want to gate deployments on policy without setting up a full OPA server. Most useful in platform engineering and DevOps contexts where you're enforcing standards across many teams' config files.
Format coverage is genuinely impressive — YAML, JSON, HCL1/2, TOML, Dockerfile, nginx.conf, .env, CycloneDX, SPDX, textproto, and more, each with its own parser and test coverage. OCI registry support for distributing policy bundles means teams can version and share policies the same way they share container images. Output adapters for GitHub Annotations, Azure DevOps, SARIF, JUnit, and TAP mean it plugs into whatever CI system you're already using without custom glue. The examples directory is thorough — real working policies for every supported format, not just token YAML samples.
Rego has a steep learning curve that this tool does nothing to soften — if your team doesn't already know OPA, adopting conftest means adopting Rego first, and that's a meaningful tax. The `--combine` flag, which lets policies see multiple files at once (needed for cross-resource validation), has subtle semantics that aren't obvious from the docs and tends to surprise people the first time it doesn't behave as expected. There's no built-in policy linting or type checking for the config data you're testing against — a typo in `input.spec.template.spec.securityContext.runAsNonRoot` silently passes instead of failing, which is the worst failure mode for a testing tool. Plugin support exists but is essentially undocumented beyond a single shell script example in `contrib/`.
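The silent-pass failure mode above, shown as an added illustration rather than a policy from the conftest repository: a mistyped path makes the rule body undefined so nothing is denied, while a `not`-based rule fails closed, and `conftest verify` tests pin both behaviours down. It assumes a conftest build on OPA 0.59 or newer (for `import rego.v1`); the Deployment fixture is constructed.

```rego
package main

import rego.v1

# Added illustration, not policy from the conftest repository. Assumes a
# conftest build on OPA >= 0.59 (needed for `import rego.v1`). Usage:
#   conftest test deployment.yaml -p policy/   # evaluate the deny rules
#   conftest verify -p policy/                 # run the test_ rules below

pod_spec := input.spec.template.spec

# Fails open: with the misspelled key (securityContxt) the reference is
# undefined, the rule body never matches, and a root-capable Deployment
# passes silently. This is the typo pitfall described in the text.
deny_typo contains msg if {
	input.kind == "Deployment"
	pod_spec.securityContxt.runAsNonRoot == false
	msg := "runAsNonRoot is false"
}

# Fails closed: `not <undefined>` evaluates to true, so a missing field,
# an explicit false, and a mistyped path all produce a denial, not silence.
deny contains msg if {
	input.kind == "Deployment"
	not pod_spec.securityContext.runAsNonRoot == true
	msg := sprintf("%s %s: spec.template.spec.securityContext.runAsNonRoot must be true",
		[input.kind, input.metadata.name])
}

# Constructed fixture: a Deployment that never sets runAsNonRoot.
root_deployment := {
	"kind": "Deployment",
	"metadata": {"name": "web"},
	"spec": {"template": {"spec": {"containers": [{"name": "web", "image": "nginx"}]}}}
}

# `conftest verify` runs these. The first documents the silent pass; the
# second proves the hardened rule catches the same fixture.
test_typo_rule_misses_root_deployment if {
	count(deny_typo) == 0 with input as root_deployment
}

test_hardened_rule_denies_root_deployment if {
	count(deny) == 1 with input as root_deployment
}
```

Keeping tests like these beside every policy is the practical substitute for the missing type checking: a rule that is expected to deny a known-bad fixture and does not is caught by `conftest verify` before it reaches CI.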