Skip to content
Latchkey

conftest test: Rego Policy Checks on Config

conftest test parses config files and evaluates Rego deny, warn, and violation rules against them, exiting 1 when any deny fires.

conftest wraps OPA so you can policy-check manifests, Terraform plans, Dockerfiles, and more without writing input plumbing. It parses the file, hands it to your Rego, and gates the pipeline on failures.

What it does

conftest test loads policies (default directory ./policy) and evaluates the deny, warn, and violation rules in the chosen namespace against each input file. deny and violation cause a non-zero exit; warn only prints. It auto-detects the parser from the file extension.

Common usage

Terminal
# test rendered manifests against ./policy
conftest test deployment.yaml
# use an explicit policy directory and namespace
conftest test --policy security/ --namespace kubernetes deployment.yaml
# test all namespaces and every YAML doc in a stream
conftest test --all-namespaces -p policy/ manifests.yaml

Options

FlagWhat it does
-p, --policy <path>Directory or file of Rego policies (default ./policy)
-n, --namespace <name>Rego package namespace to evaluate (default main)
--all-namespacesEvaluate every namespace found in the policies
--parser <name>Force a parser: yaml, json, hcl, dockerfile, toml
--combinePass all files as a single combined input document
-o, --output <fmt>Output: stdout, json, tap, table, junit, github

In CI

Run conftest test as a PR gate on rendered manifests (helm template ... | conftest test -). Use -o github for annotations in GitHub Actions and -o junit to archive results. Vendor policies in the repo so the check works offline; pull shared bundles with conftest pull if you centralize them.

Common errors in CI

A failing rule prints "FAIL - deployment.yaml - main - <your deny message>" followed by a totals line and exit 1. "no policies found in <dir>" means --policy points at the wrong path. "Found parse errors" with "error parsing ... yaml" means the file is not valid for the detected parser; set --parser explicitly. A "rego_parse_error" points at a broken policy file, not the input.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →