Conftest
Profile
Conftest is a command-line utility for testing structured configuration files against custom policies using the Rego language from Open Policy Agent. Built as an open source tool under Apache License 2.0, it operates as part of the CNCF-graduated OPA project, providing a developer-friendly interface for policy-as-code validation across infrastructure-as-code ecosystems. The tool addresses the critical gap between schema validation and organizational policy enforcement, enabling teams to codify security baselines, compliance requirements, and operational standards as executable tests. Conftest transforms configuration management from manual review processes into automated, testable workflows integrated directly into development pipelines, catching misconfigurations before they reach production environments.
Focus
Conftest solves the fundamental challenge of validating infrastructure configurations against organizational policies and business logic requirements that extend beyond structural correctness. While schema validation catches syntax errors, Conftest enforces custom rules around security contexts, resource configurations, compliance standards, and operational best practices specific to each organization. Platform engineers use it to standardize infrastructure practices across teams, security teams implement security baselines consistently, and compliance teams automate policy checking with auditable results. The tool provides a unified framework for testing diverse configuration formats—from Kubernetes manifests to Terraform code to Dockerfiles—using a single policy language, eliminating the need for format-specific validation tools and enabling centralized policy management across heterogeneous infrastructure stacks.
Background
Conftest originated from Instrumenta as a practical tool for extending policy testing beyond Kubernetes admission control into the broader infrastructure-as-code ecosystem. The project formally joined the Open Policy Agent project in July 2020, recognizing its role as the primary developer-friendly interface for writing and testing policies using Rego. Built on OPA's policy engine, Conftest leverages a CNCF-graduated foundation used in production by organizations including Goldman Sachs, Netflix, and T-Mobile. The tool maintains active development under CNCF governance with distributed community contributions, ensuring independence from single corporate sponsors. Following organizational transitions within the OPA maintainer community, Conftest continues operating under established CNCF stewardship with regular releases and responsive maintenance.
Main features
Multi-format configuration parsing and validation
Conftest supports comprehensive structured configuration formats including Terraform HCL/HCL2, Kubernetes YAML, Dockerfiles, JSON, YAML, TOML, CUE, Protocol Buffer TextProto, INI, XML, Jsonnet, HOCON, CycloneDX, SPDX, EDN, and VCL. This breadth enables teams to use a single tool and consistent policy framework across their entire infrastructure stack, from containerization to orchestration to infrastructure provisioning. The tool parses each format into structured data representations that Rego policies can evaluate, eliminating the need for format-specific validation tools. Organizations testing Terraform configurations generate JSON plan output, while Kubernetes deployments validate manifests directly, and container builds test Dockerfiles—all using the same policy language and testing workflow.
Rego-based policy definition and enforcement
Policies are written in Rego, a declarative logic programming language designed for expressing complex rules in human-readable syntax. Teams define deny or warn rules within packages that evaluate conditions against input configurations, producing clear pass/fail results with customizable error messages. Rego supports iteration over arrays and objects, conditional logic, string operations, regular expression matching, and advanced functions for inspecting data structures. Policies can reference external data sources through JSON or YAML files, separating policy logic from operational data like approved container registries or permitted resource types. This approach enhances reusability and allows non-technical stakeholders to update policy-related data without modifying Rego code.
CI/CD integration with flexible output formats
Conftest provides multiple output formats enabling integration with diverse CI/CD platforms and testing frameworks. Output modes include plaintext for human readability, JSON for programmatic analysis, JUnit XML for standard CI/CD reporting, GitHub Actions annotations for pull request reviews, Azure DevOps format for Azure Pipelines, TAP for testing frameworks, and SARIF for security scanning platforms. This flexibility ensures results integrate into existing toolchains without custom parsing. Organizations typically execute Conftest in pipeline jobs that trigger on configuration file changes, blocking merges when policies fail and providing developers immediate feedback on violations through their preferred development workflow.


