OPA-action

I contributed to open-policy-agent/conftest with GitHub flavored output.

Now you can simply use Conftest directly, which makes this action obsolete.

---
name: Conftest

on:
  pull_request:
    branches: 
      - main

jobs:
  conftest:
    runs-on: ubuntu-latest
    container: openpolicyagent/conftest:latest
    steps:
      - name: Code checkout
        uses: actions/checkout@v2
      - name: Validate Kubernetes policy
        run: |
          conftest test -o github -p examples/kubernetes/policy examples/kubernetes/deployment.yaml

The -o github output format makes Conftest annotate the files where policy violations are found, so the violations show up inline on the pull request.

Archived readme

OPA stands for OPA Pull-Request Assessor and is a GitHub Action that checks files against policies configured in the same repository. It uses the original OPA (Open Policy Agent) through Conftest.

Usage

Start using this OPA-action in three simple steps:

  1. Create your policies
  2. Create a configuration
  3. Trigger GitHub Action

Create your policies

Create a folder (e.g. policies) containing your policy files written in the Rego language. For sample policies, check out the Conftest examples or write your own using Rego, the OPA Policy Language.
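The following is an added example policy, not code from the opa-action repository or from Conftest. It is written for the "docker" package that the configuration in the next step points at (so it would live in the path folder as, for example, policy/docker.rego). It assumes that Conftest's Dockerfile parser presents each instruction as input[i] with a lower-case Cmd field and a Value list of arguments, and it uses the rego.v1 syntax (supported by OPA 0.59 and later). The constructed Dockerfile line "FROM python:latest" with no USER instruction would trigger two of the three rules.

```rego
# Added example policy (not from the opa-action repo or Conftest).
# Assumed Conftest Dockerfile input shape: input[i].Cmd (e.g. "from", "user")
# and input[i].Value (list of the instruction's arguments).
package docker

import rego.v1

# Rule 1: deny base images that use the mutable "latest" tag.
# Constructed trigger: FROM python:latest
deny contains msg if {
    some i
    input[i].Cmd == "from"
    image := input[i].Value[0]
    endswith(image, ":latest")
    msg := sprintf("base image %q uses the mutable 'latest' tag; pin a version tag or digest", [image])
}

# Rule 2: deny base images with neither a tag nor a digest.
# "scratch" is exempt because it is not a registry image; references to an
# earlier build stage by name (FROM build) would also be flagged by this
# simplified rule and can be exempted the same way if needed.
deny contains msg if {
    some i
    input[i].Cmd == "from"
    image := input[i].Value[0]
    image != "scratch"
    not contains(image, ":")
    not contains(image, "@")
    msg := sprintf("base image %q has no tag or digest; pin a version tag or digest", [image])
}

# Rule 3: require a USER instruction so the container does not run as root.
deny contains msg if {
    not has_user
    msg := "no USER instruction found; the container would run as root"
}

has_user if {
    some i
    input[i].Cmd == "user"
}
```

With the configuration from the next step in place, the action runs the equivalent of conftest test -p policy --namespace docker Dockerfile; each deny message becomes one reported violation, and because the Dockerfile entry in the example configuration sets no_fail to true, these findings are reported without failing the check.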

Create a configuration

In either .opa-action.yaml or .github/opa-action.yaml, configure where your policy files can be found (path, the folder you created in the previous step), followed by pairs of files or file patterns (sources) and the package/namespace (package) the files should be tested against. Optionally, set no_fail to true if violations should not fail the check; the default (or absence of the key) means 'false', so the check fails on errors.

---
path: policy
rego:
  - sources: "Dockerfile"
    package: "docker"
    no_fail: true
  - sources: ".github/workflows/*.yml"
    package: "workflows"

Trigger GitHub Action

Add the GitHub Action to your workflows, either on its own as a separate workflow or add it as an action between the code checkout and the rest of your existing workflow.

---
name: Policy check

on:
  pull_request:
    branches: 
      - main

jobs:
  policy-check:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v2
      - name: OPA Pull-Request Assessor
        uses: koozz/opa-action@latest

If you're satisfied, follow best practices and pin the action to a specific version, ideally a full commit SHA rather than a mutable tag such as latest.

License

Apache License, Version 2.0