conftest test: Policy-Test Config with Rego
conftest test deployment.yaml checks config files against Rego policies and fails when a deny rule matches.
conftest runs Open Policy Agent Rego against any structured config (Kubernetes, Dockerfile, Terraform plan, JSON), so you can enforce org rules in CI without a cluster.
What it does
conftest test parses input files (YAML, JSON, HCL, Dockerfile, INI, and more), loads Rego policies from a policy directory, and evaluates the deny, violation, and warn rules against each document. A matched deny/violation fails the run; warn prints but does not fail (unless --fail-on-warn).
Common usage
# test a manifest against policies in ./policy
conftest test deployment.yaml
# point at a specific policy directory
conftest test --policy policies/ service.yaml
# test many files, only the "security" package
conftest test --namespace security k8s/*.yaml
# combine all docs of a multi-doc file
conftest test --combine deployment.yaml service.yamlOptions
| Flag | What it does |
|---|---|
| -p, --policy <dir> | Directory of Rego policies (default ./policy) |
| -n, --namespace <name> | Only evaluate rules in this Rego package |
| --all-namespaces | Evaluate every package found |
| --combine | Pass all inputs to policy as one array |
| --fail-on-warn | Treat warn results as failures |
| -o, --output table|json|tap|github | Result format |
| --data <path> | Extra data documents for policy |
In CI
conftest test exits non-zero when any deny/violation fires, so it fails the build on a policy breach out of the box. Commit policies under policy/ and run conftest test manifests/ in the pipeline; use -o github for annotations and --fail-on-warn to make warnings blocking.
Common errors in CI
A policy match prints FAIL - deployment.yaml - main - Containers must not run as root and a summary 2 tests, 0 passed, 2 failures. no policies found in [policy] means the --policy path has no .rego files. rego_parse_error: unexpected ... token is a syntax error in a policy. rego_type_error: undefined function input.foo means the input shape does not match what the rule expects.