/awesome-opa

A curated list of OPA related tools, frameworks and articles

Creative Commons Zero v1.0 UniversalCC0-1.0

awesome-opa



A curated list of awesome Open Policy Agent (OPA) related tools, frameworks and articles.

Contents

Official projects

Repositories

  • OPA - Open Policy Agent Github repository
  • Gatekeeper - Kubernetes admission controller using OPA
  • Conftest - Write tests against structured configuration data

Docs

  • OPA - Official OPA documentation
  • Styra Academy - Excellent OPA training courses
  • Gatekeeper - OPA Gatekeeper docs
  • Conftest - Conftest documentation
  • Rego Style Guide - Style guide for Rego, providing pointers on best practices for policy authoring
  • Regal Docs - Documentation for 60+ linter rules, providing an excellent reference for learning Rego

Blogs and Articles

  • OPA - Official blog for the OPA project
  • Logo - The OPA Logo in different versions

Policy Packages

  • Library - Community-owned policy library for OPA
  • Policy Hub CLI - CLI tool that makes Rego policies searchable
  • Rego policies - Rego policies from the the Red Hat community of practice
  • Appshield - Open Database of rego policies for common Infrastructure as Code files
  • Conftest policy packs - Collection of Conftest policies for "Compliance-as-Code" security policies and general engineering standards. Policies targeting Terraform, Dockerfiles, package.json (NodeJS) files, etc
  • Confectionary - A library of rules for Conftest used to detect Terraform misconfigurations.
  • Kubescape Rego library - Comprehensive set of Kubernetes policies from Kubescape
  • Kubernetes Security Policies - Raspernetes library for fortifying cluster configurations

Language and Platform Integrations

Java

Python

  • OPA Python - Python client library for Open Policy Agent
  • OPA Python client - Python client for OPA's REST API
  • Flask OPA - OPA client for the Flask microframework
  • Bottle Authorization - Custom Bottle Application Authorization
  • Rego Python - Python package for interacting with Rego
  • Sphinx Rego - Sphinx extension that automatically documents Rego policies
  • regopy - Python module which uses the C FFI for rego-cpp, allowing in-process Pythonic Rego policy evaluation
  • regorus - Evaluate Rego policies in Python using Regorus, a fast, lightweight Rego interpreter written in Rust.

Go

PHP

  • OPA Library for PHP - OPA client, a PSR-15 authorization middleware and a PSR-15 bundle distributor middleware

.NET

Node.js

Clojure

  • Jarl - Native evaluation of Rego in the JVM (written in Clojure), via OPA's IR format (blog)
  • clj-opa - Middleware and utilities for app authorization with OPA in Clojure

Docker

Containers

  • Konveyor Forklift Validation Service - VM migration suitability assessment to avoid migrating VMs that are not fit for Kubevirt. Rules are applied on all the VMs of the source provider (VMware) during the initial inventory collection, then whenever a VM configuration changes.

CPP

  • rego-cpp - Rego compiler and runtime implemented in C++. It provides a C FFI with Rust and Python bindings in addition to an extensible C++ implementation.
  • regorus - C++ bindings to Regorus, a fast, lightweight Rego interpreter written in Rust.

Rust

  • regorus - A fast, lightweight Rego interpreter written in Rust. In addition to bringing the power of Rego to Rust-only environments, it is intended as a platform for developing Rego tools and exploring Rego language enhancements.
  • regorust - Rust crate wrapping the C FFI for rego-cpp, allowing in-process Rego policy evaluation using idiomatic Rust.

Typescript

WebAssembly (Wasm)

  • NPM module - a small SDK for using WebAssembly compiled Open Policy Agent Rego policies
  • .NET Core Library - .NET SDK for calling Wasm-compiled OPA policies from .NET Core
  • OpaDotNet - Open Policy Agent (OPA) WebAssembly dotnet core SDK
  • OpaDotNet.Compilation - dotnet core backend for packaging Open Policy Agent Rego policies and data files into WASM policy bundles
  • Python Library - Open Policy Agent WebAssembly SDK for Python
  • Go SDK - a small Go library for using WebAssembly compiled Open Policy Agent Rego policies
  • JVM - Java SDK for calling Wasm-compiled policies. Uses wasmtime.
  • Rust - A crate to use OPA policies compiled to Wasm.
  • regorus - Evaluate Rego policies in WASM using Regorus. Try it out at Regorus Playground.

WebAssembly Blogs and Articles

Docs

  • Wasm - Official docs on WebAssembly for OPA

Built with Wasm

  • OPA Wasm demo - Demonstration of evaluating OPA's Wasm modules in the browser
  • Snyk CLI - Test Infrastructure as Code source code for security misconfigurations and best practices in the local console. The npm-opa-wasm library is used to run WASM bundle of Rego policies to detect misconfiguration.
  • regorus - Evaluate Rego policies in WASM using Regorus. Try it out at Regorus Playground.

Kubernetes

  • Gatekeeper - A validating and mutating webhook that enforces CRD-based policies executed by OPA for Kubernetes
  • Gatekeeper Policy Library - A collection of constraint templates and sample constraints that you can use with Gatekeeper
  • Konstraint - CLI tool for working with templates and constraints when using Gatekeeper
  • Red Hat Rego Policies - Red Hat Rego policies collection
  • Gatekeeper Policy Manager - Web UI for Gatekeeper policies
  • Validating and Mutating Admission Control Example - Example validating and mutation admission controller
  • MagTape - OPA-based admission controller for policy enforcement
  • Meshery - Meshery leverages built-in relationships to enforce Kubernetes configuration best practices and enhances the development process through custom rules in OPA's Rego query language
  • Admission policy development - OPA Kubernetes validation and mutation testing environment
  • Gatekeeper Conftest plugin - A Conftest plugin that transforms input objects to be compatible with OPA Gatekeeper policies.
  • Cosign Gatekeeper Provider - Cosign Provider a new provider of OPA Gatekeeper's ExternalData feature to verify container images
  • Kubescape - Kubescape is tool for scanning Kubernetes clusters for security issues. Kubescape tests (rules) are based completely on OPA. See the regos here
  • Kove - Watch your in-cluster Kubernetes manifests for OPA policy violations and export them as Prometheus metrics
  • GKE Policy Automation - Tool and policy library for reviewing GKE clusters against best practices
  • kube-mgmt - Sidecar providing data from Kubernetes to OPA. Includes Helm charts for both projects

Service Mesh Authorization

  • OPA Envoy Plugin - The OPA Envoy Plugin (compatible with Envoy, Istio, Gloo Edge, more)
  • Open Service Mesh - Envoy based service mesh using OPA for external authorization
  • Kuma - OPA for Kuma service mesh
  • Kong Mesh - OPA for Kong Mesh authorization (docs)

Blogs and Articles

Nomad

  • Nomad Admission Control Proxy - An admission controller that can be used as a proxy to Nomad's API for mutation and validation with builtin OPA support.

Datasource Integrations

Datasource Integrations Blogs and Articles

IDE and Editor Integrations

  • VS Code plugin - Develop, test, debug, and analyze policies for OPA in VS Code
  • IntelliJ plugin - OPA plugin for the IntelliJ IDE
  • Zed Extension - Zed extension for OPA and Rego leveraging Regal
  • Emacs - Emacs Major mode for working with Rego
  • Vim - Vim plugin for the Rego language, with support for syntax highlighting
  • Null-ls - Use Neovim as a language server to inject LSP diagnostics, code actions, and more. Supports linting rego files.
  • Atom - Syntax highlighting for the Atom editor
  • CodeMirror - Rego mode and minimal key map for CodeMirror
  • TextMate - Syntax highlighting for TextMate
  • Sublime - Syntax highlighting for Sublime
  • Nano - Syntax highlighting for Nano
  • Prism - Prism is a lightweight, extensible syntax highlighter, built with modern web standards in mind (supports Rego)
  • tree-sitter-rego - Tree-sitter grammar for Rego (blog)
  • highlight.js - Rego syntax support for highlight.js

Infrastructure as Code

  • OPA AWS CloudFormation Hook - AWS CloudFormation Hook calling OPA for policy decisions. See also tutorial.
  • TFLint OPA Ruleset - Write custom TFLint rules in Rego
  • Infracost - Infracost generates cloud cost estimates for Terraform and integrates with OPA, it can be used to write cost policies
  • Regula - Evaluates Terraform code for potential security misconfigurations and compliance violations.
  • Example Terraform policies - Example Terraform policies
  • Terrascan - 500+ Policies written in OPA for security best practices.
  • KICS - Keeping Infrastructure as Code Secure or KICS scans IaC projects for security vulnerabilities, compliance issues, and infrastructure misconfiguration. Currently working with Terraform projects, Kubernetes manifests, Dockerfiles, AWS CloudFormation Templates, and Ansible playbooks.
  • Trivy - Scan your code and artifacts for known vulnerabilities and misconfiguration issues.
  • Terraform OPA IBM - Terraform policy library for IBM Cloud
  • GCP policy guardrails for Terraform - Rego reference policy library for GCP controls (originally from forseti). Originally used by terraform-validator and now on gcloud beta terraform vet. More info at Policy Validation
  • Pulumi OPA Bridge for CrossGuard - This project allows OPA rules to be run in the context of Pulumi's policy system, CrossGuard

Infrastructure as Code Blogs and Articles

Serverless

Serverless Blogs and Articles

Testing

  • rego-test-assertions - Helper library for working with assertions in Rego unit tests
  • kube-review - CLI tool to quickly create AdmissionReview requests from Kubernetes resources
  • gator CLI - Command line unit test runner for OPA Gatekeeper
  • ocov - Colors opa test --coverage reports in the terminal
  • opa-codecov - Convert OPA test coverage report to a JSON format supported by Codecov
  • github-action-opa-rego-test - GitHub Action to automate testing for your OPA Rego policies and generates a report.

Testing Blogs and Articles

Tools and Utilities

  • Regal - Regal is a linter for Rego, with the goal of making your Rego magnificent! (blog)
  • setup-opa - GitHub action to configure the Open Policy Agent CLI in your GitHub Actions workflows
  • Fregot - Alternative REPL implementation for Rego
  • OPA pre-commit - Pre-commit hooks for OPA/Rego/Conftest development
  • Monitor OPA Gatekeeper - Monitoring implementation guide for OPA Gatekeeper (blog)
  • OpenAPI to Rego - Generate Rego code given an OpenAPI 3.0 Specification
  • Temporal reasoning with OPA - Examples for working with time in Rego
  • OPAL - Realtime policy and data updates for your OPA agents on top of websockets pub/sub
  • OPA Action - OPA Pull-Request Assessor is a GitHub Action that checks files against policies configured in the same repo
  • OPA Schema Examples - Examples of extending the OPA type checker with JSON schemas
  • Open Policy Containers - Secure software supply chains for OPA policies. Push, pull, tag, test, version, and sign OPA policies.
  • Snyk IaC Rules - Maintain library of Rego rules, run integration tests and build WASM bundles for distribution of rules. The OPA libraries are used to build WASM bundles.
  • Topaz - Topaz is an open-source application authorization project that uses OPA as the decision engine and supports Rego policies.
  • opactl - A simple tool to turn your Rego rule into CLI command (blog)
  • alfred - A self-hosted OPA Playground Alternative
  • Rönd - Rönd is a lightweight container that distributes security policy enforcement throughout your application
  • rq (Rego Query) - jq-inspired tool to bring Rego to your shell pipelines
  • opa-explorer - Visual tool for exploring the different compilation stages of the OPA topdown compiler
  • mcov - A tool that'll check your Rego source files and report the minimum compatible OPA version required
  • dependency-management-data (DMD) is a set of tooling to get a better understanding of the use of dependencies across your organisation. DMD supports using Open Policy Agent to write more complex rules around dependency usage than can be done using the SQL interface.

Other Usecases

  • SansShell - A non-interactive daemon for host management, where any action is authorized by OPA
  • goast - Go AST (Abstract Syntax Tree) based static analysis tool using Rego
  • ScubaGear - Using Rego policies to assess the security posture of M365 tenants, by CISA
  • Reposaur - Audit, verify and report on development platforms (GitHub and others) easily with pre-defined and/or custom policies.
  • backstage-opa-plugins - Plugins for integrating OPA with Backstage, including OPA-based authorisation.

Fun and Quirky

Support and Community

  • Styra - Commercial support, and tools for managing OPA at scale, by the creators of OPA
  • Stack Overflow - Stack Overflow OPA section
  • OPA Slack - Open Policy Agent Slack workspace
  • GitHub Discussions - Open Policy Agent Discussion Board

Recommended Reading

People

Maintainers

Community Stars

Meetup Groups

Commercial Tools

  • Styra DAS - Styra Declarative Authorization Service, from the creators of OPA
  • Enterprise OPA - Enterprise-grade authorization engine for data-heavy workloads
  • Scalr - Collaboration and Automation for Terraform, backed by OPA
  • Fairwinds Insights - Run OPA policies consistently across CI/CD, Admission Control, and an multi-cluster scanner
  • Snyk IaC - Test Infrastructure as Code source code repositories for security misconfigurations and best practices. The OPA golang libraries are used to evaluate Rego policies to detect misconfigurations in the repositories.
  • Spacelift: Flexible management platform for Infrastructure as Code, backed by OPA
  • env0: Infrastructure as Code automation platform, with OPA extensibility.

Contributing

Built a great OPA integration or wrote an interesting blog or article on the topic? Submit a PR! Please just make sure to include something that describes how the project uses OPA, or how OPA is otherwise related.

Community

For questions, discussions and announcements related to Styra products, services and open source projects, please join the Styra community on Slack!