
open-policy-agent / conftest

Write tests against structured configuration data using the Open Policy Agent Rego query language


Top Related Projects

  • kubeval: Validate your Kubernetes configuration files, supports multiple Kubernetes versions
  • Datree: Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io
  • Checkov: Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
  • Trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
  • Dockle: Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start

Quick Overview

Conftest is an open-source utility for writing tests against structured configuration data. It uses the Rego language to write policies as code and can test configurations written in JSON, YAML, HCL, and other formats. Conftest helps teams ensure their configuration files adhere to predefined policies and best practices.

Pros

  • Flexible and language-agnostic, supporting various configuration formats
  • Integrates well with CI/CD pipelines for automated policy checking
  • Allows for writing and sharing reusable policies across projects
  • Provides a simple command-line interface for easy adoption

Cons

  • Requires learning Rego language for writing policies
  • Limited built-in policies, requiring users to write or find custom policies
  • May add complexity to the development process for smaller projects
  • Performance can be slower for large configuration files or complex policies

Code Examples

  1. Basic policy to ensure every container in a Kubernetes Deployment has resource limits:

    package main

    deny[msg] {
      input.kind == "Deployment"
      # Bind each container and test it individually. Writing
      # 'not ...containers[_].resources.limits' instead is only true when
      # no container has limits, so a pod mixing one limited and one
      # unlimited container would pass.
      container := input.spec.template.spec.containers[_]
      not container.resources.limits
      msg = sprintf("Container '%v' must have resource limits", [container.name])
    }

  2. Checking for required tags in a Terraform AWS resource:

    package main

    deny[msg] {
      resource := input.resource.aws_instance[name]
      # object.keys returns a set, so required_tags must also be a set
      # for the '-' (set difference) operator to apply
      required_tags := {"environment", "project"}
      # Default to an empty object so an instance with no tags block at all
      # is reported rather than silently skipped
      provided_tags := object.keys(object.get(resource, "tags", {}))
      missing_tags := required_tags - provided_tags
      count(missing_tags) > 0
      msg = sprintf("AWS instance '%v' is missing required tags: %v", [name, missing_tags])
    }

  3. Ensuring a Docker image is not using the 'latest' tag:

    package main

    deny[msg] {
      input.kind == "Deployment"
      container := input.spec.template.spec.containers[_]
      endswith(container.image, ":latest")
      msg = sprintf("Container '%v' is using the 'latest' tag", [container.name])
    }

Getting Started

To get started with Conftest:

  1. Install Conftest:

    brew install conftest
    
  2. Create a policy file (e.g., policy/deployment.rego):

    package main
    
    deny[msg] {
      input.kind == "Deployment"
      # Check each container individually; 'not ...containers[_]...' would
      # only fire when no container has limits at all
      container := input.spec.template.spec.containers[_]
      not container.resources.limits
      msg = sprintf("Container '%v' must have resource limits", [container.name])
    }
    
  3. Test a configuration file:

    conftest test deployment.yaml
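
Expanding on the Code Examples and the Getting Started policy, here is an added example (not code from the conftest project) that evaluates the limits rule per container, extends the 'latest' check to untagged images (which Kubernetes pulls as ':latest'), and ships a unit test that `conftest verify` runs. It assumes the file is saved as policy/deployment.rego; `pinned_tag`, `mixed_deployment` and the test rule are names chosen here, and the deployment input is constructed.

```rego
package main

# Added example (not conftest project code); 'import rego.v1' makes the
# 'contains ... if' syntax parse on both pre-1.0 and 1.0 OPA builds.
import rego.v1

# Per-container check. The shorter 'not ...containers[_].resources.limits'
# form is only true when NO container has limits, so a pod mixing one
# limited and one unlimited container slips through that version.
deny contains msg if {
	input.kind == "Deployment"
	some container in input.spec.template.spec.containers
	not container.resources.limits
	msg := sprintf("Container '%v' must have resource limits", [container.name])
}

# An untagged image is pulled as ':latest', so treat it like an explicit
# ':latest'. Digest-pinned images ('@sha256:...') are accepted.
deny contains msg if {
	input.kind == "Deployment"
	some container in input.spec.template.spec.containers
	not contains(container.image, "@sha256:")
	not pinned_tag(container.image)
	msg := sprintf("Container '%v' image '%v' is not pinned to a version tag", [container.name, container.image])
}

# Only the last path segment can carry a tag, which keeps a registry port
# such as 'registry:5000/app' from counting as a tag.
pinned_tag(image) if {
	parts := split(image, "/")
	last := parts[count(parts) - 1]
	contains(last, ":")
	not endswith(last, ":latest")
}

# 'conftest verify' runs rules named test_*. Constructed input: one compliant, one non-compliant container.
mixed_deployment := {
	"kind": "Deployment",
	"spec": {"template": {"spec": {"containers": [
		{"name": "web", "image": "nginx:1.25", "resources": {"limits": {"cpu": "500m"}}},
		{"name": "sidecar", "image": "busybox"}
	]}}}
}

test_mixed_pod if {
	msgs := deny with input as mixed_deployment
	"Container 'sidecar' must have resource limits" in msgs
	"Container 'sidecar' image 'busybox' is not pinned to a version tag" in msgs
	not "Container 'web' must have resource limits" in msgs
}
```

Run `conftest verify -p policy` to execute the test rule, and `conftest test deployment.yaml` to apply the deny rules to a manifest; tests are conventionally kept in a separate `*_test.rego` file in the same package.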
    

Competitor Comparisons

kubeval

Validate your Kubernetes configuration files, supports multiple Kubernetes versions

Pros of kubeval

  • Simpler to use and understand, especially for those new to Kubernetes validation
  • Faster execution for basic validation tasks
  • Built-in support for multiple Kubernetes versions without additional configuration

Cons of kubeval

  • Less flexible and extensible compared to conftest's policy-based approach
  • Limited to Kubernetes manifests, while conftest can validate various configuration types
  • Lacks support for complex, custom validation rules

Code Comparison

kubeval example:

kubeval my-manifest.yaml

conftest example:

conftest test my-manifest.yaml

While both tools can validate Kubernetes manifests, conftest allows for more complex policy definitions:

deny[msg] {
  input.kind == "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot
  msg = "Containers must not run as root"
}

kubeval focuses on schema validation, while conftest enables custom policy enforcement. conftest's approach is more powerful but requires learning Rego, the policy language. kubeval is simpler for basic validation tasks but less flexible for complex scenarios. Both tools have their place in a Kubernetes workflow, depending on the specific needs and expertise of the team.

Datree

Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io

Pros of Datree

  • User-friendly CLI interface with built-in policy checks
  • Integrates easily with CI/CD pipelines
  • Provides a centralized policy management dashboard

Cons of Datree

  • Limited to Kubernetes manifest validation
  • Requires a SaaS component, which may not be suitable for all environments
  • Less flexible than Conftest for custom policy creation

Code Comparison

Datree:

datree test ./kubernetes-manifests/* --schema-version 1.20.0

Conftest:

conftest test --policy policy.rego kubernetes-manifests/*

Both tools aim to validate configuration files, but Datree focuses specifically on Kubernetes manifests with pre-built rules, while Conftest offers more flexibility for custom policies across various configuration types. Datree provides a more streamlined experience for Kubernetes-specific checks, whereas Conftest allows for broader policy testing across different file formats and use cases.

Datree's approach is more opinionated and easier to get started with for Kubernetes users, while Conftest offers greater extensibility and customization options. The choice between the two depends on the specific needs of the project and the desired level of policy customization.

Checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

Pros of Checkov

  • Supports a wider range of infrastructure-as-code (IaC) formats, including Terraform, CloudFormation, Kubernetes, and more
  • Offers built-in policies for various compliance standards (e.g., CIS, HIPAA, SOC2)
  • Provides a graphical user interface through Bridgecrew platform integration

Cons of Checkov

  • Steeper learning curve due to its extensive feature set
  • May have slower execution times for large codebases compared to Conftest
  • Requires Python environment setup, which might be less convenient for some workflows

Code Comparison

Checkov:

from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck

class MyCustomCheck(BaseResourceCheck):
    def __init__(self):
        name = "Ensure resource has required tags"
        check_id = "CKV_AWS_1"
        supported_resources = ["aws_instance"]
        categories = [CheckCategories.CONVENTION]
        super().__init__(name=name, id=check_id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
        # Checkov hands Terraform attribute values over as single-element lists
        tags = conf.get("tags", [{}])[0]
        return CheckResult.PASSED if "environment" in tags else CheckResult.FAILED

check = MyCustomCheck()  # instantiating the class registers the check with Checkov

Conftest:

package main

deny[msg] {
    input.resource.aws_instance[name]
    not input.resource.aws_instance[name].tags.environment
    msg = sprintf("EC2 instance '%v' is missing required 'environment' tag", [name])
}

Trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Pros of Trivy

  • Comprehensive vulnerability scanning for containers, filesystems, and Git repositories
  • Built-in support for multiple operating systems and package managers
  • Faster scanning speed and lower resource consumption

Cons of Trivy

  • Limited policy-as-code capabilities compared to Conftest
  • Less flexibility in defining custom rules and policies
  • Primarily focused on security vulnerabilities, while Conftest offers broader configuration testing

Code Comparison

Trivy scan command:

trivy image alpine:3.10

Conftest test command:

conftest test deployment.yaml

Trivy focuses on vulnerability scanning, while Conftest is designed for policy testing. Trivy's output typically includes a list of vulnerabilities, while Conftest provides pass/fail results based on defined policies.

Trivy excels in comprehensive vulnerability scanning across various targets, making it ideal for security-focused workflows. Conftest, on the other hand, offers more flexibility in policy definition and testing, making it suitable for a wider range of configuration validation use cases.

Both tools have their strengths, and the choice between them depends on the specific requirements of your project and the scope of testing needed.

Dockle

Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start

Pros of Dockle

  • Specialized for Docker image security scanning and linting
  • Includes built-in security checks and best practices for Docker images
  • Lightweight and easy to integrate into CI/CD pipelines

Cons of Dockle

  • Limited to Docker image analysis, less versatile than Conftest
  • Fewer customization options for policy definitions
  • Smaller community and ecosystem compared to OPA and Conftest

Code Comparison

Dockle usage:

dockle image:tag

Conftest usage:

conftest test deployment.yaml

Key Differences

Dockle focuses specifically on Docker image security and best practices, while Conftest is a more general-purpose tool for testing configuration files against policies. Dockle provides out-of-the-box checks for Docker images, whereas Conftest requires users to define their own policies using Rego language.

Conftest offers greater flexibility in terms of the types of files and configurations it can test, making it suitable for a wider range of use cases beyond Docker images. However, Dockle's specialized nature makes it easier to use for Docker-specific security checks without the need for custom policy writing.

Both tools can be integrated into CI/CD pipelines, but Dockle's Docker-centric approach may be more appealing for teams primarily focused on container security, while Conftest's versatility makes it a better choice for organizations with diverse configuration testing needs.


README

Conftest


Conftest helps you write tests against structured configuration data. Using Conftest you can write tests for your Kubernetes configuration, Tekton pipeline definitions, Terraform code, Serverless configs or any other config files.

Conftest uses the Rego language from Open Policy Agent for writing the assertions. You can read more about Rego in "How do I write policies" in the Open Policy Agent documentation.

Here's a quick example. Save the following as policy/deployment.rego:

package main

deny[msg] {
  input.kind == "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot

  msg := "Containers must not run as root"
}

deny[msg] {
  input.kind == "Deployment"
  not input.spec.selector.matchLabels.app

  msg := "Containers must provide app label for pod selectors"
}

Assuming you have a Kubernetes deployment in deployment.yaml you can run Conftest like so:

$ conftest test deployment.yaml
FAIL - deployment.yaml - Containers must not run as root
FAIL - deployment.yaml - Containers must provide app label for pod selectors

2 tests, 0 passed, 0 warnings, 2 failures, 0 exceptions

Conftest isn't specific to Kubernetes. It will happily let you write tests for any configuration files in a variety of different formats. See the documentation for installation instructions and more details about the features.

Want to contribute to Conftest?

For discussions and questions join us on the Open Policy Agent Slack in the #opa-conftest channel.