Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.zenable.io/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Conftest tests structured configuration data against Rego policies. It supports many config formats and can validate consistency across multiple files using the --combine flag.

Capabilities

  • Tests YAML, JSON, HCL, Dockerfile, TOML, XML, INI, and many more formats
  • Cross-file analysis via --combine flag
  • deny, warn, and violation rule types
  • Structured error metadata via violation rules

Limitations

  • Tests structured config data, not application source code — check out Semgrep or CodeQL for source code analysis
  • Does not test runtime infrastructure state — check out InSpec or Goss for runtime validation

Cross-File Analysis

By default, conftest processes each file independently. The --combine flag merges all input files into a single array where each element has:
  • path: the file path
  • contents: the parsed file data
This enables policies that correlate data across files — e.g., verifying Deployment selectors match available Services, or ensuring config values are consistent across environments. 
# Each file tested independently
conftest test deployment.yaml service.yaml

# Files combined into single input array for cross-file checks
conftest test deployment.yaml service.yaml --combine

Generated Format

  • Language: Rego
  • Structure: Policy files in package main with deny/warn rules
  • Execution: conftest test <files> [--combine]

Example Guardrail

package main

# Single-file check
deny contains msg if {
  input.kind == "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot
  msg := sprintf("Deployment %s must run as non-root", [input.metadata.name])
}

# Cross-file check (requires --combine)
deny contains msg if {
  some i
  input[i].contents.kind == "Deployment"
  deploy := input[i].contents
  not has_matching_service(deploy)
  msg := sprintf("Deployment %s has no matching Service", [deploy.metadata.name])
}

has_matching_service(deploy) if {
  some j
  input[j].contents.kind == "Service"
  input[j].contents.spec.selector.app == deploy.spec.selector.matchLabels.app
}
Learn more at Conftest documentation and OPA Rego language.