Sharing policies

Policies are often reusable between different projects, and Conftest supports a mechanism to specify dependent policies as well as download them. The format reuses the Bundle defined by Open Policy Agent.

Pulling

The pull command allows you to download policies using either a URL, a specific protocol (such as git), or an OCI Registry.

HTTPS

conftest pull https://raw.githubusercontent.com/open-policy-agent/conftest/master/examples/compose/policy/deny.rego

Git

conftest pull git::https://github.com/<Organization>/<Repository>.git//sub/folder

Git (with access token)

conftest pull git::https://<PersonalAccessToken>@github.com/<Organization>/<Repository>.git//sub/folder

OCI Registry

conftest pull opa.azurecr.io/test

See the go-getter repository for more examples.

Pushing to an OCI registry

Policies can be stored in OCI registries that support the artifact specification mentioned above. Conftest accomplishes this by leveraging ORAS.

For example, if you have a compatible OCI registry you can push a new policy bundle like so:

conftest push opa.azurecr.io/test

--update flag

If you want to download the latest policies and run the tests in one go, you can do so with the --update flag:

conftest test --update <url(s)> <file-to-test>