Conftest

Definition

Conftest is a tool used to write tests against structured configuration data. It is commonly used to enforce policies and validate configurations in formats such as JSON, YAML, and HCL. By leveraging the Rego language from the Open Policy Agent (OPA), Conftest allows users to define custom policies that can be applied to configuration files, ensuring they meet security and compliance requirements before deployment.

Secure Settings Example

package main

deny[msg] {
  input.kind == "Deployment"
  container := input.spec.template.spec.containers[_]
  # A missing securityContext or runAsNonRoot field is undefined in Rego, so a
  # `!= true` comparison would never fire; `not ... == true` catches both the
  # missing and the explicitly false case.
  not container.securityContext.runAsNonRoot == true
  msg := sprintf("Container %s must not run as root (set securityContext.runAsNonRoot: true)", [container.name])
}

Insecure Settings Example

package main

deny[msg] {
  input.kind == "Deployment"
  container := input.spec.template.spec.containers[_]
  # Missing check for an absent securityContext/runAsNonRoot field: only an
  # explicit `false` is caught, so a container that omits the field entirely
  # passes the policy and can still run as root.
  container.securityContext.runAsNonRoot == false
  msg := sprintf("Container %s must not run as root", [container.name])
}
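As an added example, not taken from the page or from the Conftest project: a policy that covers both containers and initContainers, treats a missing securityContext as a violation, and ships with Rego unit tests that `conftest verify` executes. The file layout (a `policy/` directory holding this file) and the sample manifests inside the tests are assumptions.

```rego
package main

import future.keywords.in

# Every container and initContainer in a Deployment's pod template.
pod_containers[c] {
    input.kind == "Deployment"
    some c in input.spec.template.spec.containers
}

pod_containers[c] {
    input.kind == "Deployment"
    some c in input.spec.template.spec.initContainers
}

# A missing securityContext or runAsNonRoot field is undefined in Rego, so
# `!= true` would never fire; `not ... == true` is satisfied for both the
# missing and the explicitly false case.
deny[msg] {
    some c in pod_containers
    not c.securityContext.runAsNonRoot == true
    msg := sprintf("container %s must set securityContext.runAsNonRoot: true", [c.name])
}

# Unit tests, run with `conftest verify`. The manifests are constructed samples.
test_missing_security_context_is_denied {
    deny["container app must set securityContext.runAsNonRoot: true"]
        with input as {"kind": "Deployment", "spec": {"template": {"spec": {
            "containers": [{"name": "app", "image": "app:1"}]}}}}
}

init_container_without_field_is_denied {
    count(deny) == 1
        with input as {"kind": "Deployment", "spec": {"template": {"spec": {
            "containers": [{"name": "app", "securityContext": {"runAsNonRoot": true}}],
            "initContainers": [{"name": "setup", "image": "setup:1"}]}}}}
}

test_explicit_true_is_allowed {
    count(deny) == 0
        with input as {"kind": "Deployment", "spec": {"template": {"spec": {
            "containers": [{"name": "app", "securityContext": {"runAsNonRoot": true}}]}}}}
}
```

Run `conftest test deployment.yaml` to evaluate a manifest against the policy and `conftest verify` to execute the `test_` rules; note that only rules prefixed with `test_` are picked up by `verify`, so the init-container case above would need that prefix to run.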