policy-as-code

npx machina-cli add skill BagelHole/DevOps-Security-Agent-Skills/policy-as-code --openclaw

Policy as Code

Automate policy enforcement through code.

Open Policy Agent (OPA)

# deny_public_buckets.rego
package terraform.s3

deny[msg] {
    resource := input.resource.aws_s3_bucket[name]
    resource.acl == "public-read"
    msg := sprintf("S3 bucket '%s' has public ACL", [name])
}

Kyverno (Kubernetes)

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce   # enforce rejects non-compliant resources; audit only reports them
  rules:
  - name: check-labels
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Label 'app' is required"
      pattern:
        metadata:
          labels:
            app: "?*"   # Kyverno wildcard: any non-empty value satisfies the pattern

Checkov

# Scan Terraform
checkov -d . --framework terraform

# Custom check (place it in a directory passed via --external-checks-dir)
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck

class S3Encryption(BaseResourceCheck):
    def __init__(self):
        super().__init__(name="Ensure S3 bucket has server-side encryption", id="CKV_CUSTOM_1",
                         categories=[CheckCategories.ENCRYPTION], supported_resources=["aws_s3_bucket"])

    def scan_resource_conf(self, conf):
        # conf maps each HCL attribute of the resource to a list of values
        return CheckResult.PASSED if "server_side_encryption_configuration" in conf else CheckResult.FAILED

check = S3Encryption()   # Checkov discovers the check through this module-level instance

Best Practices

  • Version control policies
  • Test policies in CI
  • Gradual rollout (warn → enforce)
  • Exception management

Source

git clone https://github.com/BagelHole/DevOps-Security-Agent-Skills
# the skill file is at compliance/governance/policy-as-code/SKILL.md in the cloned repository

View on GitHub: https://github.com/BagelHole/DevOps-Security-Agent-Skills/blob/main/compliance/governance/policy-as-code/SKILL.md

Overview

Policy as Code automates enforcement through code. It uses OPA Rego rules for cloud resources, Kyverno for Kubernetes policies, and Checkov for Terraform checks to automate compliance in CI/CD and infrastructure. This approach enables auditable, repeatable governance across environments.

How This Skill Works

Policies are authored in declarative policy languages (OPA Rego and Kyverno manifests) and evaluated against resource inputs during deployments or scans. OPA evaluates inputs such as Terraform plans; Kyverno enforces cluster policies in Kubernetes; Checkov validates Terraform configurations. Integrated into CI/CD gates, policy violations can fail builds or deployments, enabling automated enforcement with traceable results.
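The Rego rule earlier on this page only fires if the input document has the shape it indexes, input.resource.aws_s3_bucket[name], which is not the shape `terraform show -json` produces. The following added example (not part of the skill or the OPA project) reshapes a plan's planned_values tree, including child modules, into that layout so it can be passed to `opa eval --input`, and mirrors the deny rule in Python so the reshaping can be checked offline. The plan in SAMPLE_PLAN is constructed for the example.

```python
import json

# Constructed sample of `terraform show -json` output (not from the skill page):
# two S3 buckets in the root module and one in a child module.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
                 "values": {"bucket": "acme-logs", "acl": "public-read"}},
                {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket", "name": "data",
                 "values": {"bucket": "acme-data", "acl": "private"}},
            ],
            "child_modules": [
                {"address": "module.assets",
                 "resources": [
                     {"address": "module.assets.aws_s3_bucket.site", "type": "aws_s3_bucket",
                      "name": "site", "values": {"bucket": "acme-site", "acl": "public-read"}},
                 ]},
            ],
        }
    },
}


def _walk_modules(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def plan_to_policy_input(plan):
    """Reshape a plan into {"resource": {<type>: {<name>: <values>}}}, the layout
    the rego rule indexes as input.resource.aws_s3_bucket[name].
    Resources inside child modules are keyed by their full address so two modules
    declaring the same resource name cannot overwrite each other."""
    doc = {"resource": {}}
    for res in _walk_modules(plan["planned_values"]["root_module"]):
        key = res["name"] if res["address"].count(".") == 1 else res["address"]
        doc["resource"].setdefault(res["type"], {})[key] = res["values"]
    return doc


def deny_public_buckets(policy_input):
    """Python mirror of deny_public_buckets.rego, used to check the reshaped
    document offline; in CI the same document is fed to `opa eval`."""
    messages = []
    for name, resource in policy_input["resource"].get("aws_s3_bucket", {}).items():
        if resource.get("acl") == "public-read":
            messages.append(f"S3 bucket '{name}' has public ACL")
    return sorted(messages)


if __name__ == "__main__":
    doc = plan_to_policy_input(SAMPLE_PLAN)
    print(json.dumps(doc, indent=2))   # this is the document to pass via `opa eval --input`
    for msg in deny_public_buckets(doc):
        print("DENY:", msg)
```

Write the printed document to a file and point `opa eval --input` at it together with the rego policy; the Python mirror is only there to confirm that the reshaped input triggers the rule on the resources you expect.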

When to Use It

  • Automate policy enforcement in CI/CD pipelines to catch misconfigurations before deployment
  • Enforce Kubernetes governance, Pod labeling, and security controls with Kyverno
  • Scan Terraform and IaC with Checkov and OPA policies to prevent unsafe configurations
  • Enforce compliance standards across cloud resources with auditable policy decisions
  • Roll out policies gradually (warn → enforce) and manage exceptions with audit trails

Quick Start

  1. Write policies in OPA (Rego) for cloud resources and Kyverno manifests for Kubernetes
  2. Integrate policy checks into your CI/CD pipeline and IaC scans (Checkov/OPA)
  3. Run checks locally or in CI, fix violations, and monitor policy compliance

Best Practices

  • Version-control all policies and policy modules
  • Test policies in CI with synthetic resources and test data
  • Use a phased rollout: start with warn, then enforce
  • Design modular, reusable policy components (rego rules, Kyverno patterns)
  • Maintain clear exception handling and policy audit logs
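Both best-practice lists on this page call for a warn-to-enforce rollout and managed exceptions with an audit trail, but neither shows what that looks like in a pipeline. The following added example (not part of the skill) is a small CI gate that takes a list of policy violations in the shape an engine reports them, applies a per-rule rollout stage, suppresses only exceptions that are still within their expiry date, and records every decision so the log shows which ticket justified a suppression. ROLLOUT, EXCEPTIONS and VIOLATIONS are constructed sample data; the field names are the example's own convention.

```python
from datetime import date

# Rollout stage per rule: "warn" reports but never fails the pipeline, "enforce" fails it.
# Promote a rule to enforce once the warn stage has stopped surfacing new findings.
ROLLOUT = {
    "deny_public_buckets": "enforce",
    "require_encryption": "warn",
}

# Constructed exception register (not from the skill page). Every entry names the rule,
# the exact resource, an owner, a ticket and an expiry, so an exception cannot become
# permanent without someone renewing it.
EXCEPTIONS = [
    {"rule": "deny_public_buckets", "resource": "aws_s3_bucket.site",
     "owner": "web-team", "ticket": "SEC-123", "expires": "2099-01-01"},
    {"rule": "deny_public_buckets", "resource": "aws_s3_bucket.legacy",
     "owner": "platform", "ticket": "SEC-042", "expires": "2020-01-01"},   # already expired
]

# Constructed violations in the shape a policy engine reports them:
# rule id, resource address and the rule's message.
VIOLATIONS = [
    {"rule": "deny_public_buckets", "resource": "aws_s3_bucket.site",
     "msg": "S3 bucket 'site' has public ACL"},
    {"rule": "deny_public_buckets", "resource": "aws_s3_bucket.legacy",
     "msg": "S3 bucket 'legacy' has public ACL"},
    {"rule": "require_encryption", "resource": "aws_s3_bucket.data",
     "msg": "bucket 'data' has no server-side encryption"},
]


def find_exception(violation, exceptions, today):
    """Return the active exception covering this violation, or None.
    `today` is an ISO date string; an expired exception is ignored so the
    violation resurfaces instead of staying silently suppressed."""
    as_of = date.fromisoformat(today)
    for exc in exceptions:
        if exc["rule"] != violation["rule"] or exc["resource"] != violation["resource"]:
            continue
        if date.fromisoformat(exc["expires"]) >= as_of:
            return exc
    return None


def evaluate_gate(violations, rollout, exceptions, today):
    """Classify each violation and return (fail, audit).
    `fail` is True when any enforced, non-excepted violation exists; `audit` records
    every decision, including suppressed ones, with the exception ticket applied."""
    audit = []
    fail = False
    for v in violations:
        exc = find_exception(v, exceptions, today)
        mode = rollout.get(v["rule"], "warn")   # rules not yet in the rollout table start in warn
        if exc is not None:
            outcome = "excepted"
        elif mode == "enforce":
            outcome = "fail"
            fail = True
        else:
            outcome = "warn"
        audit.append({**v, "mode": mode, "outcome": outcome,
                      "exception": exc["ticket"] if exc else None})
    return fail, audit


if __name__ == "__main__":
    failed, records = evaluate_gate(VIOLATIONS, ROLLOUT, EXCEPTIONS, date.today().isoformat())
    for r in records:
        suffix = f" (exception {r['exception']})" if r["exception"] else ""
        print(f"[{r['outcome'].upper():8}] {r['rule']} {r['resource']}: {r['msg']}{suffix}")
    raise SystemExit(1 if failed else 0)
```

The exit status is what the CI job keys on; the audit records are what you keep. Running the gate with an expired exception is the useful failure case: the legacy bucket fails again rather than staying excepted, which is the behaviour that keeps the exception register honest.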

Example Use Cases

  • Deny S3 buckets with public ACLs using OPA (rego) policy
  • Require labels on Kubernetes Pods via Kyverno ClusterPolicy
  • Scan Terraform with Checkov to catch misconfigurations before apply
  • Create a custom Checkov check to enforce resource encryption
  • Gate deployments in CI/CD with policy checks to ensure compliance