Configs · Apr 16, 2026 · 3 min read

Conftest — Test Structured Config with Open Policy Agent

A CLI tool for writing tests against structured configuration data using the Rego policy language. Conftest validates Kubernetes manifests, Terraform plans, Dockerfiles, and any structured format against custom policies.

TL;DR
Conftest tests structured config files against Rego policies, catching misconfigurations before deployment.
§01

What it is

Conftest is a command-line tool for writing tests against structured configuration data using the Rego policy language from Open Policy Agent (OPA). It validates Kubernetes manifests, Terraform plans, Dockerfiles, and any structured format (JSON, YAML, TOML, HCL) against custom policies you define.

Conftest is for platform engineers and DevOps teams who want to enforce configuration standards automatically. Instead of reviewing YAML files by hand for security misconfigurations or missing labels, you write policies once and run them in CI.

§02

How it saves time or tokens

This workflow provides the installation command and a starter policy structure. Instead of learning OPA from scratch and figuring out how to integrate it with your config files, you get a working conftest setup with a deny policy template. Running conftest test against your configs takes seconds and catches issues that manual reviews miss.

§03

How to use

  1. Install Conftest:
brew install conftest
  2. Create a policy directory and write your first Rego policy:
mkdir policy
cat > policy/deny.rego << 'EOF'
package main

deny[msg] {
  input.kind == "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot
  msg := "Deployments must set runAsNonRoot to true"
}

deny[msg] {
  input.kind == "Deployment"
  not input.spec.template.metadata.labels.app
  msg := "Deployments must have an app label"
}
EOF
  3. Test your configuration files:
conftest test deployment.yaml
# FAIL - deployment.yaml - Deployments must set runAsNonRoot to true
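Extending the Deployment policy above with per-container checks and the unit tests that conftest verify runs, as an added example written for this page rather than code from the Conftest project. The helper name deployment_containers and the sample input documents in the tests are constructed for the example.

```rego
package main

# Added example: per-container hardening checks for Deployments, plus unit tests that `conftest verify` runs

# Every container in the pod template, init containers included
deployment_containers[c] {
  input.kind == "Deployment"
  c := input.spec.template.spec.containers[_]
}

deployment_containers[c] {
  input.kind == "Deployment"
  c := input.spec.template.spec.initContainers[_]
}

deny[msg] {
  c := deployment_containers[_]
  c.securityContext.privileged == true
  msg := sprintf("container %s must not run privileged", [c.name])
}

# A missing field fails the check: `not x == false` holds when x is undefined
deny[msg] {
  c := deployment_containers[_]
  not c.securityContext.allowPrivilegeEscalation == false
  msg := sprintf("container %s must set allowPrivilegeEscalation: false", [c.name])
}

# Unit tests for the rules above; the input documents are constructed samples
test_privileged_container_denied {
  deny["container web must not run privileged"] with input as {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{
      "name": "web", "image": "nginx:1.27",
      "securityContext": {"privileged": true, "allowPrivilegeEscalation": false}
    }]}}}
  }
}

test_hardened_container_allowed {
  count(deny) == 0 with input as {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{
      "name": "web", "image": "nginx:1.27",
      "securityContext": {"allowPrivilegeEscalation": false}
    }]}}}
  }
}
```

Save it under policy/ and run conftest verify to execute the test_ rules; conftest test deployment.yaml then applies the deny rules to real manifests.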
§04

Example

# policy/dockerfile.rego
package main

deny[msg] {
  input[i].Cmd == "from"
  # Value[0] is the full image reference, e.g. "ubuntu:latest", so match the tag suffix
  val := input[i].Value[0]
  endswith(val, ":latest")
  msg := "Do not use latest tag in FROM statements"
}

deny[msg] {
  input[i].Cmd == "run"
  contains(input[i].Value[0], "curl")
  not contains(input[i].Value[0], "--fail")
  msg := "curl commands should use --fail flag"
}

# Test a Dockerfile
conftest test --parser dockerfile Dockerfile
§05

Common pitfalls

  • Rego syntax is different from imperative languages. The biggest confusion is that Rego rules are declarative assertions, not if-else blocks. Read the OPA documentation on Rego basics before writing complex policies.
  • Conftest expects policies in a policy/ directory by default. Use the --policy flag to specify a different path.
  • Terraform plan output must be converted to JSON with terraform show -json plan.tfplan before Conftest can test it. Raw plan files are not supported.

Frequently Asked Questions

What file formats does Conftest support?

Conftest supports JSON, YAML, TOML, HCL, INI, Dockerfile, CUE, and several other structured formats. Each format has a parser that converts the input into a JSON structure that Rego policies can evaluate.

How do I use Conftest in CI/CD?

Add conftest test to your CI pipeline after generating or modifying config files. The command returns a non-zero exit code when any deny rule matches, which fails the pipeline. Most CI systems (GitHub Actions, GitLab CI, Jenkins) can run it as a shell step.

Can I share policies across teams?

Yes. Conftest supports pulling policies from OCI registries, Git repositories, and HTTP URLs using conftest pull. This lets you maintain a central policy repository that all teams reference.

What is the difference between Conftest and OPA?

OPA is the policy engine and Rego runtime. Conftest is a CLI wrapper specifically designed for testing configuration files against Rego policies. OPA handles runtime policy decisions for APIs and services, while Conftest focuses on static config validation.

Does Conftest support Terraform?

Yes. Convert your Terraform plan to JSON with terraform show -json plan.tfplan, then run conftest test plan.json. Your Rego policies can inspect planned resource changes, provider configurations, and variable values.
