opa eval: Evaluate Rego Policy in CI
opa eval -i input.json -d policy.rego "data.main.deny" evaluates a Rego query and can fail the build on the result.
opa eval is the Open Policy Agent CLI for running a Rego query against input and data documents, useful for ad hoc policy checks and gating pipelines.
What it does
opa eval compiles the Rego in the given data files (-d), binds an input document (-i), evaluates the query expression, and prints the result. With --fail it exits non-zero when the result is undefined; with --fail-defined it exits non-zero when the result is defined (useful for deny rules).
Common usage
# evaluate a deny query against input
opa eval -i input.json -d policy.rego "data.main.deny"
# fail the build if any deny result is produced
opa eval --fail-defined -i input.json -d policy/ \
"data.main.deny[x]"
# pretty output of a whole package
opa eval --format pretty -d policy/ "data.main"Options
| Flag | What it does |
|---|---|
| -i, --input <file> | Input document bound as input |
| -d, --data <path> | Rego and JSON/YAML data to load |
| --fail | Exit non-zero if the result is undefined/empty |
| --fail-defined | Exit non-zero if the result is defined |
| -f, --format pretty|json|raw | Output format |
| --stdin-input | Read the input document from stdin |
In CI
Pick the exit-code flag to match the intent: for a deny rule, --fail-defined fails the job when the query returns any violation. For a required-to-be-true check, --fail fails when the result is undefined. Either way the runner stops on a policy breach.
Common errors in CI
rego_parse_error: unexpected assign token and similar mark a syntax error in the .rego file. rego_type_error: undefined function input.foo means the query references data not present in the input. An empty {} result where you expected a violation usually means the query path is wrong (data.main.deny vs data.policy.deny). 1 error occurred: ... could not open file means -d points at a missing path.