Policies are often reused across projects, so Conftest provides a mechanism for declaring dependent policies and downloading them. The packaging format reuses the Bundle format defined by Open Policy Agent.
You can download individual policies directly:
conftest pull instrumenta.azurecr.io/test
Pull also supports other policy locations, such as git or https. Under the hood, Conftest uses go-getter to download policies, and the downloaded files are written into the local policy directory (by default, policy). For example, to download a policy via https:
conftest pull https://raw.githubusercontent.com/open-policy-agent/conftest/master/examples/compose/policy/deny.rego
Policies can also be stored in OCI registries that support the OCI Artifact specification. You can read more about this idea in this post. Conftest implements storing and retrieving policies this way using ORAS.
If you have a compatible OCI registry you can also push new policy bundles like so:
conftest push instrumenta.azurecr.io/test
conftest push 127.0.0.1:5000/test
conftest push <some-other-supported-registry>/test
OCI bundles can be pulled as well:
conftest pull instrumenta.azurecr.io/test
conftest pull 127.0.0.1:5000/test
conftest pull oci://<some-other-supported-registry>/test
ACR and 127.0.0.1:5000 (the local Docker registry) are special cases whose URLs do not need the oci:// scheme prefix; in all other cases the oci:// scheme must be included in the URL.
If you want to download the latest policies and run the tests in one go, you can do so with the --update flag. Note that this re-downloads the policies on every invocation, so whatever the remote currently serves is what gets evaluated:
conftest test --update <url(s)> <file-to-test>
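Pulled policies are Rego that Conftest evaluates, so they deserve the same care as any other fetched dependency. The following is an added example, not part of Conftest or its documentation: a small POSIX shell wrapper around conftest pull (covering both the https/git pulls above and the one-shot --update flow) that verifies the downloaded file against a SHA-256 you have pinned, and deletes it on mismatch so a later conftest test cannot pick it up. The URL, local path and digest in the usage comment are placeholders you would replace with your own; the wrapper assumes the caller knows where conftest pull writes the file (by default under ./policy). Because --update re-downloads at test time, there is no point at which to verify in that flow, so the pin-and-verify approach pulls first and then runs conftest test without --update.

```shell
#!/bin/sh
# Added example (not part of conftest or its docs): verify a pulled policy file
# against a pinned SHA-256 before conftest evaluates it. Pulled policies are
# executed by the Rego engine, so treat them like any other fetched dependency.

# sha256_of FILE -> prints the hex digest; uses sha256sum (coreutils) or
# falls back to shasum (macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_policy FILE EXPECTED_SHA256 -> returns 0 if the file exists and its
# digest matches, 1 otherwise (missing file or digest mismatch).
verify_policy() {
  file=$1
  expected=$2
  if [ ! -f "$file" ]; then
    echo "verify_policy: missing $file" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "verify_policy: digest mismatch for $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  return 0
}

# pinned_pull URL LOCAL_PATH EXPECTED_SHA256 -> runs conftest pull, then
# verifies the file that landed at LOCAL_PATH (the caller states where conftest
# writes it; by default pull writes into ./policy). On mismatch the file is
# removed so a subsequent `conftest test` cannot load it. Assumed wrapper, not a
# conftest feature.
pinned_pull() {
  url=$1
  local_path=$2
  expected=$3
  if ! command -v conftest >/dev/null 2>&1; then
    echo "pinned_pull: conftest is not installed" >&2
    return 1
  fi
  conftest pull "$url" || return 1
  if ! verify_policy "$local_path" "$expected"; then
    rm -f "$local_path"
    return 1
  fi
  return 0
}

# Usage (placeholder URL, path and digest; substitute your own pinned values):
#   pinned_pull https://example.invalid/policy/deny.rego policy/deny.rego <sha256> \
#     && conftest test deployment.yaml
```

The design choice is deliberate: verification happens between the pull and the test, and a mismatch removes the file rather than just warning, so a CI job that ignores the wrapper's exit status still cannot evaluate an unverified policy.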