Conftest

Category: IaC Security
License: Free (Open-Source, Apache 2.0)
Suphi Cankurt
AppSec Enthusiast
Updated February 12, 2026

Conftest is a policy testing framework that validates structured configuration files against Open Policy Agent (OPA) policies. It works with Terraform, Kubernetes manifests, Dockerfiles, serverless configs, and any other structured data format.

Unlike scanners with built-in check libraries, Conftest requires you to define policies in Rego. This gives complete control over what gets tested and how failures are reported.

What Conftest does

Conftest parses configuration files into data structures and evaluates them against Rego policies. Policies define rules like “all S3 buckets must enable encryption” or “container images must not run as root.”

The tool outputs pass/fail results with custom messages. It runs locally during development, in CI/CD pipelines, and as a pre-commit hook.

Format Agnostic
Supports Terraform, Kubernetes, Docker Compose, JSON, YAML, TOML, HCL, CUE, and custom formats. Parses input, runs policies, reports violations.
OPA Rego Policies
Uses the same policy language as Open Policy Agent. Write custom rules for organization-specific security requirements, compliance standards, or best practices.
Policy Distribution
Pulls policies from OCI registries, Git repositories, or S3 buckets. Centralize policy management and share rules across teams.

Key features

Feature Details
Input formats Terraform HCL/HCL2, Kubernetes YAML, Dockerfiles, JSON, YAML, TOML, CUE, INI, XML, Jsonnet, HOCON, CycloneDX, SPDX, EDN, TextProto, VCL, environment files
Policy language Rego (Open Policy Agent)
Output modes Standard text, JSON, TAP (Test Anything Protocol), JUnit XML, GitHub Actions annotations
Policy sources Local files, OCI registries, Git repos, S3, Azure Blob Storage
Exit codes Non-zero exit on policy violations for CI/CD gating
Namespaces Organize policies by concern (security, compliance, cost)
Ignore files Exclude specific findings with .conftest.ignore

Writing policies

Policies live in Rego files, by default under a policy/ directory. Conftest looks for rules named deny, warn, or violation (a suffixed name such as deny_privileged also works) in the packages it evaluates, and the rule name sets the severity: deny and violation fail the run, warn only reports unless --fail-on-warn is set. Packages act as namespaces; conftest test evaluates package main by default, and --namespace or --all-namespaces selects others.

Example policy for Kubernetes resources:

package main

# Rego v1 syntax (the Conftest default since 2025): partial set rules need
# `contains` and `if`. The v0 form `deny[msg] { ... }` no longer parses.

# Only the pod-level securityContext is inspected here; a Deployment that
# sets runAsNonRoot per container is still reported.
deny contains msg if {
  input.kind == "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot
  msg := "Deployment must set runAsNonRoot to true"
}

warn contains msg if {
  input.kind == "Service"
  input.spec.type == "LoadBalancer"
  msg := "LoadBalancer services may incur cloud costs"
}

Run conftest test deployment.yaml to evaluate Kubernetes manifests against these policies. Conftest reads policies from a policy/ directory in the working directory unless --policy points elsewhere, and each document in a multi-document YAML file is evaluated as a separate input. The deny rule above checks only the pod-level securityContext, so a manifest that sets runAsNonRoot on each container is still denied, and a bare Pod is not checked at all.
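A more complete version of the same idea, written for this page as an added example rather than taken from the Conftest project: it resolves the pod spec for Pods, templated workloads and CronJobs, walks init containers as well as regular containers, accepts runAsNonRoot at either the pod or the container level, and carries a unit test that conftest verify runs. It assumes Rego v1 syntax and raw Kubernetes manifests as input; the manifest in the test is constructed for the example.

```rego
package main

# Added example policy (not Conftest's own). Assumes Rego v1 syntax and raw
# Kubernetes manifests as input; Conftest evaluates each YAML document in a
# file separately, so `input` is one object with kind/metadata/spec.

# Resolve the pod spec for bare Pods and for the common templated workloads.
pod_spec := input.spec if input.kind == "Pod"

pod_spec := input.spec.template.spec if {
	input.kind in {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}
}

pod_spec := input.spec.jobTemplate.spec.template.spec if input.kind == "CronJob"

# Regular and init containers alike: a privileged initContainer is just as
# dangerous as a privileged app container.
containers contains c if some c in pod_spec.containers

containers contains c if some c in pod_spec.initContainers

# object.get keeps the message defined even for manifests missing metadata;
# a sprintf over an undefined path would silently drop the finding instead.
name := object.get(input, ["metadata", "name"], "<unnamed>")

# runAsNonRoot is valid at pod level and at container level; either satisfies.
deny contains msg if {
	some c in containers
	not pod_spec.securityContext.runAsNonRoot == true
	not c.securityContext.runAsNonRoot == true
	msg := sprintf("%s/%s: container %q must set securityContext.runAsNonRoot: true", [input.kind, name, c.name])
}

deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("%s/%s: container %q must not be privileged", [input.kind, name, c.name])
}

# An absent allowPrivilegeEscalation defaults to true, so require an explicit false.
deny contains msg if {
	some c in containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("%s/%s: container %q must set securityContext.allowPrivilegeEscalation: false", [input.kind, name, c.name])
}

warn contains msg if {
	some c in containers
	not c.resources.limits.memory
	msg := sprintf("%s/%s: container %q has no memory limit", [input.kind, name, c.name])
}

# Unit test picked up by `conftest verify`; the manifest is constructed for
# this example. Pod-level runAsNonRoot and an explicit allowPrivilegeEscalation
# satisfy two rules, so the privileged flag is the only denial expected.
test_privileged_container_denied if {
	manifest := {
		"kind": "Deployment",
		"metadata": {"name": "web"},
		"spec": {"template": {"spec": {
			"securityContext": {"runAsNonRoot": true},
			"containers": [{
				"name": "app",
				"securityContext": {"privileged": true, "allowPrivilegeEscalation": false},
			}],
		}}},
	}
	denies := deny with input as manifest
	count(denies) == 1
	some m in denies
	contains(m, "must not be privileged")
}
```

Save it as policy/pods.rego, run conftest verify to execute the test_ rule, then conftest test deployment.yaml against real manifests. The warn rule is the one place a missing field is tolerated; every deny rule treats an absent security field as a failure, which is the conservative default for anything that gates a pipeline.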

Testing Terraform

Point Conftest at Terraform JSON plan output or at HCL source files. Policies check resource configurations before infrastructure changes apply. The two inputs have different shapes: the HCL parser nests resources as resource.<type>.<name>, while plan JSON exposes resource_changes, planned_values, and configuration, so a policy written for one matches nothing on the other without any error.

# Test Terraform HCL files
conftest test terraform/*.tf

# Test Terraform plan output
terraform plan -out=plan.binary
terraform show -json plan.binary > plan.json
conftest test plan.json

Example Terraform policy:

package main

# HCL input: the parser nests each resource under resource.<type>.<name>.
# The inline server_side_encryption_configuration block is deprecated since
# AWS provider 4.0; newer configs use a separate
# aws_s3_bucket_server_side_encryption_configuration resource, which this
# rule does not see.
deny contains msg if {
  some bucket
  input.resource.aws_s3_bucket[bucket]
  not input.resource.aws_s3_bucket[bucket].server_side_encryption_configuration
  msg := sprintf("S3 bucket '%s' must enable encryption", [bucket])
}

CI/CD integration

Conftest runs in any pipeline as a standalone binary. Exit codes indicate policy violations.

# Install Conftest
curl -L -o conftest.tar.gz https://github.com/open-policy-agent/conftest/releases/download/v0.66.0/conftest_0.66.0_Linux_x86_64.tar.gz
tar xzf conftest*.tar.gz

# Test configuration files
conftest test k8s/*.yaml --policy policies/

# Denials already exit 1; --fail-on-warn also fails the run on warn rules
conftest test terraform/ --fail-on-warn

GitHub Actions example:

- name: Run Conftest
  run: |
    conftest test kubernetes/*.yaml

Rego v1 syntax change

Conftest changed the default Rego syntax from v0 to v1 in 2025. Policies written in the v0 style (deny[msg] { ... }) no longer parse under the v1 default: partial set rules need the contains and if keywords (deny contains msg if { ... }), and the former strict-mode checks, such as unused imports and unused local assignments, are now errors. opa fmt --rego-v1 rewrites existing files into the v1 form. The latest release is v0.66.0 (December 2025).

Policy distribution with OCI

Store policies in OCI-compliant registries like Docker Hub, GitHub Container Registry, or AWS ECR. Teams pull policies from a central location instead of duplicating policy files across repositories.

# Push policy bundle to registry
conftest push ghcr.io/myorg/policies:latest

# Pull and test with remote policies
conftest test --update ghcr.io/myorg/policies:latest kubernetes/*.yaml

Getting started

1. Install Conftest: download the binary from GitHub releases or use Homebrew (brew install conftest). Available for Linux, macOS, and Windows.
2. Create a policy: write a Rego file in a policy/ directory. Start with a simple deny rule that tests one input field.
3. Test a config file: run conftest test to validate configuration against policies. Conftest reports violations and warnings.
4. Add to CI/CD: run conftest test in your pipeline. Use --fail-on-warn to fail builds on warnings in addition to denials.

When to use Conftest

Conftest works well when you need custom policy enforcement across different configuration formats. Teams with specific compliance requirements, internal security standards, or multi-cloud environments benefit from writing policies once and applying them to Terraform, Kubernetes, and other tools.

The Rego learning curve is steeper than that of tools with pre-built checks like Checkov or KICS. But once policies are written, Conftest provides precise control over what passes and what fails.

Use Conftest alongside other scanners. Run Trivy for vulnerability detection and Conftest for organization-specific policy enforcement. They complement each other.

Best for
Teams that need custom policy enforcement across multiple configuration formats and want precise control over security rules, compliance checks, and best practice validation.

For pre-built IaC check libraries, Checkov covers more scenarios out of the box. For Terraform-focused scanning with commercial support, Snyk IaC offers IDE integration and fix suggestions.

Browse other IaC security tools to compare options.

Frequently Asked Questions

What is Conftest?
Conftest is an open-source policy testing framework for configuration files. It uses Open Policy Agent (OPA) Rego language to write assertions against structured data like Kubernetes manifests, Terraform code, Dockerfiles, and JSON/YAML files. Maintained by the OPA project with 3.1k GitHub stars.
How does Conftest differ from other IaC scanners?
Conftest is format-agnostic. It tests any structured data against custom policies you define in Rego. Tools like Checkov and Trivy include pre-built check libraries. Conftest requires you to write or import policies but gives complete control over what gets tested and how.
What file formats does Conftest support?
Conftest supports over 18 input formats including Terraform HCL/HCL2, Kubernetes YAML, Dockerfiles, JSON, TOML, CUE, INI, XML, Jsonnet, HOCON, CycloneDX, SPDX, EDN, TextProto, VCL, and environment files. It parses the input into a data structure and runs Rego policies against it.
Can I use Conftest with existing OPA policies?
Yes. Conftest is part of the OPA ecosystem and uses standard Rego syntax. Import policies from OCI registries, Git repositories, or local files. The policy library format matches OPA’s bundle structure.
