Conftest

Conftest is a suite of tools designed for validating structured configurations, testing policy logic, and generating policy documentation. It serves as a configuration file validator that checks YAML, JSON, and Helm charts for security violations and compliance issues using declarative rules.

The project functions as an Open Policy Agent testing tool, allowing structured configuration files to be validated against custom policies written in Rego. It includes a policy-as-code testing framework to ensure policy logic is correct and a utility to extract metadata from Rego code to create static markdown reference files.

The tool provides capabilities for infrastructure-as-code testing, configuration compliance auditing, and integration into CI/CD pipelines to block non-compliant changes. It supports executing policy validations within containerized environments to maintain consistency across different host operating systems.

Features

Policy Evaluation Engines - Provides a policy evaluation engine that checks structured configurations against declarative Rego rules to determine compliance.

Policy-Based Validations - Provides declarative policy validation for YAML, JSON, and Helm charts to identify security violations and compliance issues.

Configuration Normalization - Converts various configuration formats into a common JSON representation for consistent analysis by the policy engine.

Configuration File Validators - Validates the syntax and settings of YAML, JSON, and Helm chart configuration files against declarative rules.

Static Configuration Analysis - Performs static analysis of infrastructure-as-code configuration files to identify security risks before deployment.

Configuration and Policy Enforcement - Integrates with Open Policy Agent to define and enforce governance and operational standards across structured data.

Audit and Compliance - Checks structured system settings against organizational standards to ensure they meet security and operational compliance requirements.

Infrastructure as Code Scanners - Analyzes infrastructure-as-code configuration files statically to detect security risks and compliance issues before deployment.

Policy-As-Code Engines - Provides a framework to validate infrastructure plans against security and compliance rules using policy-as-code.

Policy Validators - Provides tools for checking Rego-based authorization and configuration rules for syntax and logical errors.

Policy Logic Testing - Executes test suites against defined policies to ensure rules behave correctly before application to configuration files.

Documentation Generators - Extracts structured metadata from policy source code to automatically generate human-readable markdown reference guides.

CI/CD Policy Gates - Automates the validation of configuration files within a pipeline to block non-compliant changes from reaching production.

Stateless Architectures - Implements a stateless architecture for policy evaluation to ensure reproducible and predictable validation results.

Policy Assertion Libraries - Tests configuration files against defined assertions to ensure they adhere to specific security or operational policies.

Violation Source Mapping - Associates policy failures with specific line numbers and file paths by extracting coordinates from the parsed configuration.

open-policy-agentconftest

Features

Star history