Conftest

No Change
trial
First Added: October 1, 2024. Updated: May 18, 2026.

Conftest is a CLI that runs Open Policy Agent (Rego) policies against structured config on disk: Terraform plans, Kubernetes manifests, Helm charts, Tekton, Dockerfile, and more. We trial it under Code Scanner as the default way to implement Policy as Code in CI before deploy; Policy as Code itself sits at Adopt as a Technique.

Blurb

Conftest helps you write tests against structured configuration data. Using Conftest you can write tests for your Kubernetes configuration, Tekton pipeline definitions, Terraform code, Serverless configs or any other config files.

Summary

Role: offline policy tests (conftest test, conftest verify) with policies written in Rego and results reported as pass/fail per file. Fits Shift Left and DevSecOps build gates on pull requests via GitHub Actions (or any CI).

When to use: you already commit IaC and want repeatable compliance rules; the OPA ecosystem is acceptable; you need one tool across Terraform, Kubernetes and miscellaneous YAML.

When to skip: you only need application source linting (use Code Linting / Codacy); Terraform-only teams may assess Regula instead; for simple Kubernetes admission rules, teams that do not want to operate OPA may use native CEL (ValidatingAdmissionPolicy) for narrower rules.

Pairs with: a versioned policy/ repo or directory; conftest verify for policy unit tests; in-cluster admission controllers for runtime enforcement (Conftest runs pre-deploy).

Not the same as: Codacy (multi-linter SaaS on app repos); cluster admission webhooks (different execution point).

Details

| Topic          | Notes                                                                     |
|----------------|---------------------------------------------------------------------------|
| Inputs         | Directories of manifests, JSON/YAML, HCL, Dockerfile, etc.                |
| Policies       | Rego under policy/; share bundles with OPA elsewhere                      |
| CI             | Fail build on deny; pin Conftest version in workflow                      |
| Terraform      | Test planned JSON (terraform show -json) or static .tf per your pipeline |
| Helm           | Render chart then test output, or test templates with care                |
| Learning curve | Rego is the cost; invest once for cross-surface rules                     |

Garden pattern: start with a small deny-list (no :latest tags, required labels, disallowed ports) and expand as Policy as Code maturity grows. For simple Kubernetes-only rules, compare CEL before taking on OPA's operational surface.
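As an added example (not code from the Conftest project or from this page), a Rego policy implementing that starter deny-list in conftest's default main namespace, plus one test_ rule for conftest verify; the required label names, blocked ports and the constructed test input are assumptions.

```rego
package main

import rego.v1

# Constructed starter deny-list (added example, not Conftest project code).
# Assumes conftest's default "main" namespace and the deny[msg] convention;
# required labels and blocked ports are illustrative choices.
required_labels := {"app", "owner"}
blocked_ports := {22, 2375}
workload_kinds := {"Deployment", "StatefulSet", "DaemonSet", "Job"}
# Fall back to a placeholder so a nameless manifest still produces a deny.
name := object.get(input, ["metadata", "name"], "<unnamed>")
is_workload if input.kind in workload_kinds

# Containers of a workload's pod template.
containers contains c if {
	is_workload
	some c in input.spec.template.spec.containers
}

# ":latest", or no tag and no digest, is a floating image reference.
floating_tag(image) if endswith(image, ":latest")

floating_tag(image) if {
	not contains(image, "@")
	parts := split(image, "/")
	n := count(parts) - 1
	not contains(parts[n], ":")
}

deny contains msg if {
	some c in containers
	floating_tag(c.image)
	msg := sprintf("%s/%s: container %q uses floating image %q", [input.kind, name, c.name, c.image])
}

deny contains msg if {
	is_workload
	some label in required_labels
	not input.metadata.labels[label]
	msg := sprintf("%s/%s: missing required label %q", [input.kind, name, label])
}

deny contains msg if {
	some c in containers
	some p in c.ports
	p.containerPort in blocked_ports
	msg := sprintf("%s/%s: container %q exposes blocked port %v", [input.kind, name, c.name, p.containerPort])
}

# conftest verify runs test_* rules; constructed input exercises the tag rule.
test_latest_tag_denied if {
	count(deny) == 1 with input as {"kind": "Deployment", "metadata": {"name": "web", "labels": {"app": "web", "owner": "team-a"}}, "spec": {"template": {"spec": {"containers": [{"name": "web", "image": "nginx:latest"}]}}}}
}
```

Place the file under policy/ and run conftest test on the manifest directory in CI; conftest verify against the same directory runs the test_ rule before the policy is relied on.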

References