Policies are often reusable between different projects, and Conftest supports a mechanism to specify dependent policies as well as download them. The format reuses the Bundle defined by Open Policy Agent.
Pulling
The pull command allows you to download policies using either a URL, a specific protocol (such as git), or an OCI registry.
HTTPS
conftest pull https://raw.githubusercontent.com/open-policy-agent/conftest/master/examples/compose/policy/deny.rego
Git
conftest pull git::https://github.com/<Organization>/<Repository>.git//sub/folder
Git (with access token)
conftest pull git::https://<PersonalAccessToken>@github.com/<Organization>/<Repository>.git//sub/folder
Note that a token placed in the URL this way is recorded in your shell history and is visible in the process list while the command runs, so prefer reading it from a variable or a credential helper on shared machines.
OCI
conftest pull opa.azurecr.io/test
See the go-getter repository for more examples.
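conftest pull fetches whatever the source currently serves, so a policy that was tampered with or force-pushed upstream would be loaded silently. The script below is an added example, not part of the Conftest documentation: it pins a remotely pulled policy file to a SHA-256 digest recorded at review time and discards the file on mismatch. The function names, the EXPECTED_DIGEST placeholder, and the assumption that conftest pull keeps the file's basename inside the policy directory are mine.

```shell
#!/bin/sh
# Added example (not from the Conftest project): verify a pulled policy file
# against a digest pinned at review time. Helper names are assumptions.

# Print the hex SHA-256 of a file (GNU sha256sum, or BSD shasum as fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Exit 0 only when the file's digest equals the expected lowercase hex digest.
verify_policy_digest() {
  file="$1"; expected="$2"
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Pull one policy file over HTTPS into the policy directory, then refuse to
# keep it unless its digest matches the pinned value. Assumes conftest pull
# stores the file under its basename (e.g. deny.rego) in the policy directory.
pull_pinned() {
  url="$1"; expected="$2"; policy_dir="${3:-policy}"
  file="$policy_dir/$(basename "$url")"
  conftest pull --policy "$policy_dir" "$url" || return 1
  if ! verify_policy_digest "$file" "$expected"; then
    echo "digest mismatch for $file, removing it" >&2
    rm -f "$file"
    return 1
  fi
}

# Usage (not executed here); <EXPECTED_DIGEST> is a placeholder you fill in
# after reviewing the policy once:
# pull_pinned https://raw.githubusercontent.com/open-policy-agent/conftest/master/examples/compose/policy/deny.rego \
#   "<EXPECTED_DIGEST>" policy && conftest test -p policy docker-compose.yml
```

For git sources, go-getter additionally accepts a ?ref=<commit> query parameter on the URL, which pins the checkout to a specific commit rather than a moving branch.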
Pushing to an OCI registry
Policies can be stored in OCI registries that support the OCI artifact specification. Conftest accomplishes this by leveraging ORAS.
For example, if you have a compatible OCI registry you can push a new policy bundle like so:
conftest push opa.azurecr.io/test
If you want to download the latest policies and run the tests in one go, you can do so with the --update flag:
conftest test --update <url(s)> <file-to-test>