Skip to content
Latchkey

conftest verify and pull: Manage Rego Policies

conftest verify runs the test rules (test_...) in your Rego policies so you can trust the policies before they gate config.

Policies are code, so test them. conftest verify runs the test_ rules in a policy directory; conftest pull fetches a shared policy bundle from a registry.

What it does

conftest verify loads a policy directory and executes every rule whose name starts with test_, reporting pass/fail like a unit-test runner. conftest pull downloads a policy bundle from an OCI registry or URL into the policy directory so multiple repos can share one rule set.

Common usage

Terminal
# run the policy unit tests
conftest verify --policy policies/

# pull a shared policy bundle, then test config with it
conftest pull ghcr.io/acme/policies:latest
conftest test --policy policy deployment.yaml

# verify with extra data documents
conftest verify --policy policies/ --data data/

Options

Flag / cmdWhat it does
verifyRun test_ rules in the policy dir
pull <ref>Download a policy bundle into ./policy
-p, --policy <dir>Policy directory
--data <path>Additional data documents
-o json|tap|tableOutput format for verify results
--report full|notes|failsDetail level for verify

In CI

Run conftest verify before conftest test in the pipeline: verify fails (non-zero) if a policy unit test breaks, so you never enforce a policy whose own tests are red. Cache pulled bundles so an offline runner still has the rules.

Common errors in CI

FAIL - policies/deny_test.rego - test_deny_root with a summary of failures means a policy unit test broke. no test rules found means no rule starts with test_. On pull, failed to pull ... unauthorized means missing registry credentials; log in first. rego_parse_error in verify is a syntax error in the policy under test.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →