Question 1

How to write a policy for Terraform with Conftest?

Accepted Answer

Convert Terraform plans to JSON using `terraform show -json`, then write Rego rules targeting the JSON structure. For example, you can check for specific resource attributes or compliance rules in the output.

Question 2

Conftest vs OPA: which one should I use?

Accepted Answer

Conftest is a specialized wrapper around OPA's Rego language for testing configuration files, while OPA is a general-purpose policy engine. Use Conftest if you focus on config validation; use OPA for broader policy enforcement across APIs and services.

Question 3

Can Conftest validate Docker Compose files?

Accepted Answer

Yes, since Docker Compose files are in YAML format, Conftest can test them by writing Rego policies. However, you'll need to adapt rules to the specific YAML schema, as there's no built-in support for Docker Compose.

Question 4

How to integrate Conftest into GitHub Actions?

Accepted Answer

Add a step in your workflow YAML to install Conftest via a package manager like brew or download the binary, then run `conftest test` on your configuration files, failing the job on policy violations.

Question 5

What are common Kubernetes policies with Conftest?

Accepted Answer

Examples include enforcing non-root containers, requiring resource limits, ensuring label consistency, and checking for security contexts, as shown in the README's deployment.rego example.

Question 6

Is Conftest good for JSON schema validation?

Accepted Answer

No, Conftest uses Rego for policy assertions, not JSON Schema validation. While you can write Rego rules to mimic schema checks, it's not a direct replacement for dedicated validators like Ajv.

Conftest

What is Conftest?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions