Skip to content
Latchkey

conftest verify: Unit Test Conftest Policies

conftest verify executes the test_ rules inside your policy directory, confirming the policies behave before you gate real config on them.

Where conftest test checks config against policy, conftest verify checks the policy itself. It runs your Rego unit tests so a change to a deny rule cannot silently start passing or failing.

What it does

conftest verify loads the policy directory and evaluates every rule whose name begins with test_ , the same convention opa test uses. A test that evaluates to false or errors fails the run and produces a non-zero exit. It does not take input files; the tests supply their own data.

Common usage

Terminal
# run policy unit tests in ./policy
conftest verify
# point at a specific policy directory
conftest verify --policy security/
# emit a coverage-style report
conftest verify -p policy/ --report full

Options

FlagWhat it does
-p, --policy <path>Policy directory containing test_ rules
--report <mode>Report detail: full, notes, fails
-o, --output <fmt>Output format: stdout, json, tap, table, junit
--data <path>Additional data documents to load for the tests

In CI

Run conftest verify in the policy repo on every change to the rules, and run conftest test in consumer repos against real manifests. Keeping the two separate means a policy regression fails in the policy repo, not mysteriously in a downstream service pipeline.

Common errors in CI

A failing assertion prints "FAIL - <package> - test_<name>" with a totals line and exit 1. "no policies found" means --policy is wrong or the directory has no .rego files. "rego_parse_error" means a policy file will not compile. If the summary shows 0 tests run, the rules are not prefixed test_ or live outside the given path.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →