Skills · Apr 16, 2026 · 3 min read

Conftest — Test Structured Config with Open Policy Agent

A CLI tool for writing tests against structured configuration data using the Rego policy language. Conftest validates Kubernetes manifests, Terraform plans, Dockerfiles, and any structured format against custom policies.

Agent-ready

Agent installation ready

This asset can be installed after choosing the runtime, reviewing the plan and running the matching command.

Native · 98/100 · Policy: allow
Agent surface: any MCP/CLI agent
Type: Skill
Installation: Single
Trust: Established
Entry point: Conftest Overview
Direct install command:
npx -y tokrepo@latest install d3137f66-39d2-11f1-9bc6-00163e2b0d79 --target codex

Run it after confirming the plan in a dry run.

TL;DR
Conftest tests structured config files against Rego policies, catching misconfigurations before deployment.
§01

What it is

Conftest is a command-line tool for writing tests against structured configuration data using the Rego policy language from Open Policy Agent (OPA). It validates Kubernetes manifests, Terraform plans, Dockerfiles, and any structured format (JSON, YAML, TOML, HCL) against custom policies you define.

Conftest is for platform engineers and DevOps teams who want to enforce configuration standards automatically. Instead of reviewing YAML files by hand for security misconfigurations or missing labels, you write policies once and run them in CI.

§02

How it saves time or tokens

This skill packages the install command and a starter policy layout. Instead of learning OPA from scratch and working out how to point it at your config files, you start from a working Conftest setup with a deny-policy template. Running conftest test over a directory of manifests takes seconds and catches misconfigurations that manual review misses.

§03

How to use

  1. Install Conftest:
brew install conftest
  2. Create a policy directory and write your first Rego policy. The rules below use the import rego.v1 form (deny contains msg if { ... }), which parses on current Conftest releases built on OPA 1.0 as well as on older ones:
mkdir policy
cat > policy/deny.rego << 'EOF'
package main

import rego.v1

# The pod-level securityContext must opt out of running as root.
# (A per-container securityContext is not checked by this rule.)
deny contains msg if {
  input.kind == "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot
  msg := "Deployments must set runAsNonRoot to true"
}

# Every Deployment's pod template needs an app label.
deny contains msg if {
  input.kind == "Deployment"
  not input.spec.template.metadata.labels.app
  msg := "Deployments must have an app label"
}
EOF
  3. Test your configuration files. Conftest prints one line per finding (file, policy namespace, message) and exits non-zero when any deny rule fires:
conftest test deployment.yaml
# FAIL - deployment.yaml - main - Deployments must set runAsNonRoot to true
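The deny rules themselves can be unit-tested before they gate a pipeline, using Conftest's verify command, which runs every rule whose name starts with test_. The file below is an added example, not part of the page or of the Conftest project; it assumes the two deny rules from step 2 live in package main under policy/, and the two Deployment objects in it are constructed samples, not real manifests.

```rego
package main

import rego.v1

# Constructed sample inputs: one Deployment that breaks both rules and one
# that satisfies them.
bad_deployment := {
	"kind": "Deployment",
	"spec": {"template": {
		"metadata": {"labels": {"tier": "web"}},
		"spec": {"securityContext": {"runAsNonRoot": false}},
	}},
}

good_deployment := {
	"kind": "Deployment",
	"spec": {"template": {
		"metadata": {"labels": {"app": "api"}},
		"spec": {"securityContext": {"runAsNonRoot": true}},
	}},
}

# Both rules fire on the bad Deployment, and nothing else does.
test_root_deployment_denied if {
	msgs := deny with input as bad_deployment
	count(msgs) == 2
	"Deployments must set runAsNonRoot to true" in msgs
	"Deployments must have an app label" in msgs
}

# A missing securityContext block must fail exactly like runAsNonRoot: false,
# because `not <undefined>` and `not false` both succeed in Rego.
test_missing_security_context_denied if {
	no_ctx := json.remove(good_deployment, ["spec/template/spec/securityContext"])
	msgs := deny with input as no_ctx
	"Deployments must set runAsNonRoot to true" in msgs
}

test_compliant_deployment_passes if {
	count(deny) == 0 with input as good_deployment
}

# The rules are scoped to kind: Deployment, so other kinds produce no findings.
test_other_kinds_ignored if {
	count(deny) == 0 with input as {"kind": "Service", "metadata": {"name": "api"}}
}
```

Save it as policy/deny_test.rego and run conftest verify --policy policy/; it reports PASS or FAIL per test rule and exits non-zero on any failure, so it belongs in the same CI job as conftest test.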
§04

Example

# policy/dockerfile.rego
package main

import rego.v1

# The Dockerfile parser turns each instruction into an object with Cmd
# (lower-cased keyword) and Value (its arguments). Collect instructions
# whether the parser returns a flat list or a list per file; check the
# exact shape with `conftest parse --parser dockerfile Dockerfile`.
instructions contains inst if {
  some inst in input
  inst.Cmd
}

instructions contains inst if {
  some group in input
  some inst in group
  inst.Cmd
}

# Value[0] of a FROM is the whole image reference, e.g. "alpine:latest",
# so compare the tag suffix rather than the entire string.
deny contains msg if {
  some inst in instructions
  inst.Cmd == "from"
  endswith(inst.Value[0], ":latest")
  msg := sprintf("FROM %s: do not use the latest tag", [inst.Value[0]])
}

# Shell-form RUN keeps the whole command line in Value[0].
deny contains msg if {
  some inst in instructions
  inst.Cmd == "run"
  contains(inst.Value[0], "curl")
  not contains(inst.Value[0], "--fail")
  msg := "curl commands should use --fail so HTTP errors abort the build"
}
# Test a Dockerfile
conftest test --parser dockerfile Dockerfile
§06

Common pitfalls

  • Rego is declarative, not imperative. Each rule body is a set of conditions that must all hold; there are no if-else blocks, and a rule whose body cannot be satisfied is simply undefined. Read the OPA documentation on Rego basics before writing complex policies.
  • Recent Conftest releases build on OPA 1.0, where the old deny[msg] { ... } form no longer parses. Add import rego.v1 and write deny contains msg if { ... }; any Conftest built against OPA 0.59 or later accepts this, so it is the safe form for shared policies.
  • Conftest looks for policies in a policy/ directory by default and only evaluates rules in package main. Use --policy to point at a different path and --namespace or --all-namespaces to evaluate other packages.
  • Only deny, violation and warn rules are evaluated. Warn findings are reported but do not fail the run unless you pass --fail-on-warn.
  • Terraform plan output must be converted to JSON with terraform show -json plan.tfplan > plan.json before Conftest can test it. Binary plan files are not supported.

Frequently asked questions

What file formats does Conftest support?

Conftest supports JSON, YAML, TOML, HCL (including Terraform .tf files), INI, Dockerfile, CUE, Jsonnet, XML and several other structured formats. The parser is chosen from the file extension or set explicitly with --parser. Each parser converts the input into JSON-like data that Rego policies evaluate; run conftest parse <file> to see exactly what structure your policy will receive.

How do I use Conftest in CI/CD?

Add conftest test to your pipeline after the config files are generated or modified, pointing it at the policy directory (--policy) and at the files or directories to check. The command exits non-zero when any deny rule matches, which fails the job; warn rules only fail the job when you pass --fail-on-warn. Use --output json or --output junit when the CI system should ingest the results rather than parse console text. Any CI system that can run a shell step (GitHub Actions, GitLab CI, Jenkins) can run it.

Can I share policies across teams?

Yes. Conftest can publish a policy directory to an OCI registry with conftest push, and fetch policies from OCI registries, Git repositories and HTTP URLs with conftest pull (or conftest test --update <url>, which pulls before testing). This lets you maintain one central, versioned policy repository that every team references instead of copying .rego files around.

What is the difference between Conftest and OPA?

OPA is the policy engine and Rego runtime. Conftest is a CLI wrapper specifically designed for testing configuration files against Rego policies. OPA handles runtime policy decisions for APIs and services, while Conftest focuses on static config validation.

Does Conftest support Terraform?

Yes. Convert the plan to JSON with terraform plan -out plan.tfplan followed by terraform show -json plan.tfplan > plan.json, then run conftest test plan.json. Your Rego policies can then inspect resource_changes (the planned actions and before/after values of each resource), provider configuration and variable values.
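A policy over that plan JSON looks like the one below. It is an added example, not code from the page or the Conftest project: it assumes the AWS provider's resource names and the resource_changes layout that terraform show -json produces (address, type, change.actions, change.after), and the plan fragment at the bottom is constructed for conftest verify, not real Terraform output.

```rego
package main

import rego.v1

# Resources this plan will create or update. A replace shows up as
# ["delete", "create"], so it qualifies here and for the delete rule below.
# Deleted resources have change.after == null and are excluded.
changed contains rc if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# Inline ingress rules on a security group that expose SSH to the world.
# Caveat: values Terraform cannot know until apply are listed under
# change.after_unknown rather than change.after and will not trip this rule;
# separate aws_security_group_rule resources are not covered either.
deny contains msg if {
	some rc in changed
	rc.type == "aws_security_group"
	some rule in rc.change.after.ingress
	"0.0.0.0/0" in rule.cidr_blocks
	rule.from_port <= 22
	rule.to_port >= 22
	msg := sprintf("%s: SSH (22) is open to 0.0.0.0/0", [rc.address])
}

# Refuse any plan that destroys a stateful resource, whatever the reason.
deny contains msg if {
	some rc in input.resource_changes
	"delete" in rc.change.actions
	rc.type in {"aws_db_instance", "aws_s3_bucket", "aws_efs_file_system"}
	msg := sprintf("%s: plan destroys a stateful resource", [rc.address])
}

# Constructed plan fragment (not real terraform output) used by the test rule.
sample_plan := {"resource_changes": [
	{
		"address": "aws_security_group.bastion",
		"type": "aws_security_group",
		"change": {
			"actions": ["create"],
			"after": {"ingress": [{
				"from_port": 22, "to_port": 22, "protocol": "tcp",
				"cidr_blocks": ["0.0.0.0/0"],
			}]},
		},
	},
	{
		"address": "aws_db_instance.main",
		"type": "aws_db_instance",
		"change": {"actions": ["delete"], "after": null},
	},
]}

test_sample_plan_denied if {
	msgs := deny with input as sample_plan
	count(msgs) == 2
	"aws_security_group.bastion: SSH (22) is open to 0.0.0.0/0" in msgs
	"aws_db_instance.main: plan destroys a stateful resource" in msgs
}
```

Run conftest verify --policy policy/ to execute the test rule, and conftest test --policy policy/ plan.json against a real plan; the sample_plan constant is ignored by conftest test because only deny, violation and warn rules are evaluated there.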
