Conftest

Conftest helps you write tests against structured configuration data. Using Conftest you can write tests for your Kubernetes configuration, Tekton pipeline definitions, Terraform code, Serverless configs or any other config files.

Conftest uses the Rego language from Open Policy Agent for writing the assertions. You can read more about Rego in How do I write policies in the Open Policy Agent documentation.

Here's a quick example. Save the following as policy/deployment.rego:

package main

deny[msg] {
  input.kind == "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot

  msg := "Containers must not run as root"
}

deny[msg] {
  input.kind == "Deployment"
  not input.spec.selector.matchLabels.app

  msg := "Containers must provide app label for pod selectors"
}

Assuming you have a Kubernetes deployment in deployment.yaml you can run Conftest like so:

$ conftest test deployment.yaml
FAIL - deployment.yaml - Containers must not run as root
FAIL - deployment.yaml - Containers must provide app label for pod selectors

2 tests, 0 passed, 0 warnings, 2 failures, 0 exceptions

Conftest isn't specific to Kubernetes. It will happily let you write tests for any configuration files in a variety of different formats. See the documentation for installation instructions and more details about the features.

Want to contribute to Conftest?

See DEVELOPMENT.md to build and test Conftest itself.
See CONTRIBUTING.md to get started.

For discussions and questions join us on the Open Policy Agent Slack in the #opa-conftest channel.

Name	Name	Last commit message	Last commit date
Latest commit amber-beasley-liatrio docs: fix spelling error Apr 12, 2024 713a11a · Apr 12, 2024 History 977 Commits
.github	.github	ci: Pin bats version to work around broken CI (open-policy-agent#936 )	Mar 31, 2024
.regal	.regal	feat: Use Regal for Rego linting (open-policy-agent#881 )	Oct 19, 2023
builtins	builtins	misc: Clean up generics usage in parse_config builtins (open-policy-a…	Dec 13, 2023
contrib/plugins/kubectl	contrib/plugins/kubectl	Fix plugins on Windows (open-policy-agent#400 )	Sep 23, 2020
docs	docs	docs: fix spelling error	Apr 12, 2024
downloader	downloader	fix: Catch Google Artifact Registry URL during OCI detection (open-po…	Feb 21, 2024
examples	examples	feat: Use Regal for Rego linting (open-policy-agent#881 )	Oct 19, 2023
internal	internal	cmd(verify): Enable show-builtin-errors by default (open-policy-agent…	Feb 27, 2024
output	output	feat: Implement option for custom output destinations (open-policy-ag…	Oct 20, 2023
parser	parser	chore: Update github.com/spdx/tools-golang to current version (open-p…	Oct 1, 2023
plugin	plugin	Update workflow action versions (open-policy-agent#914 )	Feb 10, 2024
policy	policy	fix: Only raise problematic if error when rule has no name set (open-…	Mar 31, 2024
runner	runner	feat: Add show-builtin-errors flag for the verify command (open-polic…	Jan 3, 2024
scripts	scripts	feat: upgrade to ORAS Go v2 (open-policy-agent#788 )	Mar 9, 2023
tests	tests	fix: Only raise problematic if error when rule has no name set (open-…	Mar 31, 2024
.dockerignore	.dockerignore	Prepare 0.24.0 release	Apr 16, 2021
.gitignore	.gitignore	feat: Raise error when problematic use of the if keyword is encounter…	Jan 15, 2024
.golangci.yaml	.golangci.yaml	chore: Replace ghodss/yaml with sigs.k8s.io/yaml (open-policy-agent#858 )	Sep 1, 2023
.goreleaser.yml	.goreleaser.yml	ci: s390x architecture added in the goarch list (open-policy-agent#905 )	Jan 13, 2024
CODE_OF_CONDUCT.md	CODE_OF_CONDUCT.md	Move plugin tests to test folder	Apr 15, 2021
CONTRIBUTING.md	CONTRIBUTING.md	ci: Require commits to have conventional commit prefix (open-policy-a…	Jan 10, 2023
DEVELOPMENT.md	DEVELOPMENT.md	Update Building and Testing documentation (open-policy-agent#654 )	Dec 29, 2021
Dockerfile	Dockerfile	build(deps): bump golang from 1.22.1-alpine to 1.22.2-alpine (open-po…	Apr 11, 2024
LICENSE	LICENSE	added an explicit license	Apr 1, 2019
Makefile	Makefile	Use docker buildx for multi-platform builds	Mar 24, 2023
README.md	README.md	chore: point to the right channel (open-policy-agent#630 )	Nov 13, 2021
SECURITY.md	SECURITY.md	docs: Update security link to point to new default branch (open-polic…	Jan 29, 2022
acceptance.bats	acceptance.bats	feat: Use Regal for Rego linting (open-policy-agent#881 )	Oct 19, 2023
go.mod	go.mod	build(deps): bump cuelang.org/go from 0.8.0 to 0.8.1 (open-policy-age…	Apr 4, 2024
go.sum	go.sum	build(deps): bump cuelang.org/go from 0.8.0 to 0.8.1 (open-policy-age…	Apr 4, 2024
main.go	main.go	Rewite module paths to prepare for transfer to open-policy-agent	May 15, 2020
mkdocs.yml	mkdocs.yml	Exception docs are published but not linked in the nav	Jul 16, 2020
requirements.txt	requirements.txt	Bump mkdocs to 1.3.0	Apr 6, 2022
runtime.txt	runtime.txt	ci: [draft/test] fix runtime to 3.8 as it's default in focal (open-po…	Nov 27, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Conftest

Want to contribute to Conftest?

About

Releases

Packages

Languages

License

amber-beasley-liatrio/conftest

Folders and files

Latest commit

History

Repository files navigation

Conftest

Want to contribute to Conftest?

About

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages