Tools/open-policy-agent/conftest

conftest

Write tests against structured configuration data using the Open Policy Agent Rego query language

3.2kemergingGo

The Lens

Conftest tests configuration files against policies you write in Rego. Point it at a Kubernetes manifest, a Terraform plan, a Dockerfile, or any structured config, and it checks them against your rules and passes or fails. It brings OPA-style policy to the command line and CI, open source and free.

It's a single binary built for pipelines: run it in CI to block a merge when a config violates policy, before anything reaches a cluster or a cloud account. Unlike Gatekeeper, which enforces at Kubernetes admission time, Conftest works at the file level anywhere in your workflow, so it fits config that never touches a cluster. Policies are Rego, shared through OCI registries.

Fully free, part of the OPA project. It fills the gap between a general policy engine and your CI: the same Rego skills, applied to files instead of live systems. Solo and small teams, a clean way to gate config in pull requests. Larger orgs, pair it with Gatekeeper so the same policy ideas run in CI and at admission time.

The catch: Rego again. Conftest is only as useful as the policies you write, and those are in Rego, so the learning curve carries over. And it checks files, not running systems, so a config that passes Conftest can still drift after it's deployed. It's a pre-deploy gate, not runtime enforcement.

Free vs Self-Hosted vs Paid

fully free

Self-hosted (free): Conftest under Apache-2.0, part of OPA. A single binary that tests structured config files (Kubernetes manifests, Terraform plans, Dockerfiles, and more) against Rego policies, built for CI. Policies shared via OCI registries.

Commercial: None.

The call: File-level policy for the pipeline, versus Gatekeeper's admission-time enforcement. Same Rego skills, applied to files before anything deploys.

Completely free and open source, part of the OPA project.

Self-hosting ops:moderate

Get tools like this every Wednesday

One featured tool, three on the radar. No fluff.

Score
47/100 · C
Adoption17/30
Maintenance10/25
Community5/20
License5/15
Analysis10/10

About

Owner
Open Policy Agent (Organization)
Stars
3,213
Forks
347

Explore Further

More tools in the directory