conftest verify and pull: Manage Rego Policies
conftest verify runs the test rules (test_...) in your Rego policies so you can trust the policies before they gate config.
Policies are code, so test them. conftest verify runs the test_ rules in a policy directory; conftest pull fetches a shared policy bundle from a registry.
What it does
conftest verify loads a policy directory and executes every rule whose name starts with test_, reporting pass/fail like a unit-test runner. conftest pull downloads a policy bundle from an OCI registry or URL into the policy directory so multiple repos can share one rule set.
Common usage
# run the policy unit tests
conftest verify --policy policies/
# pull a shared policy bundle, then test config with it
conftest pull ghcr.io/acme/policies:latest
conftest test --policy policy deployment.yaml
# verify with extra data documents
conftest verify --policy policies/ --data data/Options
| Flag / cmd | What it does |
|---|---|
| verify | Run test_ rules in the policy dir |
| pull <ref> | Download a policy bundle into ./policy |
| -p, --policy <dir> | Policy directory |
| --data <path> | Additional data documents |
| -o json|tap|table | Output format for verify results |
| --report full|notes|fails | Detail level for verify |
In CI
Run conftest verify before conftest test in the pipeline: verify fails (non-zero) if a policy unit test breaks, so you never enforce a policy whose own tests are red. Cache pulled bundles so an offline runner still has the rules.
Common errors in CI
FAIL - policies/deny_test.rego - test_deny_root with a summary of failures means a policy unit test broke. no test rules found means no rule starts with test_. On pull, failed to pull ... unauthorized means missing registry credentials; log in first. rego_parse_error in verify is a syntax error in the policy under test.