awesome-opa
A curated list of awesome Open Policy Agent (OPA) related tools, frameworks and articles.
Contents
- Official Projects
- Policy Packages
- Language and Platform Integrations
- WebAssembly (Wasm)
- Kubernetes
- Datasource Integrations
- IDE and Editor Integrations
- Infrastructure as Code
- Serverless
- Tools and Utilities
- Support and Community
- Recommended Reading
- Commercial Tools
- Contributing
Official projects
Repositories
- OPA - Open Policy Agent Github repository
- Gatekeeper - Kubernetes admission controller using OPA
- Conftest - Write tests against structured configuration data
Docs
- OPA - Official OPA documentation
- Styra Academy - Excellent OPA training courses
- Gatekeeper - OPA Gatekeeper docs
- Conftest - Conftest documentation
Blogs and Articles
Policy Packages
- Library - Community-owned policy library for OPA
- Policy Hub CLI - CLI tool that makes Rego policies searchable
- Rego policies - Rego policies from the the Red Hat community of practice
- Appshield - Open Database of rego policies for common Infrastructure as Code files
- Conftest policy packs - Collection of Conftest policies for "Compliance-as-Code" security policies and general engineering standards. Policies targeting Terraform, Dockerfiles, package.json (NodeJS) files, etc
- Confectionary - A library of rules for Conftest used to detect Terraform misconfigurations.
Language and Platform Integrations
Java
- Java - Generic Java client to query OPA's REST API
- Spring Security - OPA Spring Security Library
- Spring Security Reactive - OPA with Spring Security Reactive
- Gradle - OPA plugin for Gradle
- Thunx - Thunx is a pluggable ABAC system using OPA, Spring Cloud Gateway and Spring Data REST
Python
- OPA Python client - Python client for OPA's REST API
- Flask OPA - OPA client for the Flask microframework
- Bottle Authorization - Custom Bottle Application Authorization
- Rego Python - Python package for interacting with Rego
- Sphinx Rego - Sphinx extension that automatically documents Rego policies
Go
- Go Example API Authorization - Example API authorization using OPA
PHP
- OPA Library for PHP - OPA client, a PSR-15 authorization middleware and a PSR-15 bundle distributor middleware
.NET
- ASP.NET Core - ASP.NET Core authorization middleware
Node.js
- OPA Express - OPA client for the Express framework
Clojure
- Clojure - Middleware and utilities for app authorization with OPA in Clojure
Docker
- OPA Docker authorization - OPA to help policy-enable an existing services
- Docker Security Checker - OPA Rego policies for Dockerfile Security checks using Conftest (blog)
- Dockerfile security - A collection of OPA rules to statically analyze Dockerfiles to improve security
Containers
- Konveyor Forklift Validation Service - VM migration suitability assessment to avoid migrating VMs that are not fit for Kubevirt. Rules are applied on all the VMs of the source provider (VMware) during the initial inventory collection, then whenever a VM configuration changes.
WebAssembly (Wasm)
- NPM module - a small SDK for using WebAssembly compiled Open Policy Agent Rego policies
- .NET Core Library - .NET SDK for calling Wasm-compiled OPA policies from .NET Core
- Python Library - Open Policy Agent WebAssembly SDK for Python
- Go SDK - a small Go library for using WebAssembly compiled Open Policy Agent Rego policies
- JVM - Java SDK for calling Wasm-compiled policies. Uses wasmtime.
Docs
- Wasm - Official docs on WebAssembly for OPA
Built with Wasm
- OPA Wasm demo - Demonstration of evaluating OPA's Wasm modules in the browser
- Snyk CLI - Test Infrastructure as Code source code for security misconfigurations and best practices in the local console. The npm-opa-wasm library is used to run WASM bundle of Rego policies to detect misconfiguration.
Kubernetes
- Konstraint - CLI tool for working with templates and constraints when using Gatekeeper
- Deprek8ion - A set of rego policies to monitor Kubernetes APIs deprecations
- Rego Policies - Gatekeeper policies collection
- Gatekeeper Policy Manager - Web UI for Gatekeeper policies
- Validating and Mutating Admission Control Example - Example validating and mutation admission controller
- MagTape - OPA-based admission controller for policy enforcement
- Admission policy development - OPA Kubernetes validation and mutation testing environment
- Gatekeeper Conftest plugin - A Conftest plugin that transforms input objects to be compatible with OPA Gatekeeper policies.
- Cosign Gatekeeper Provider - Cosign Provider a new provider of OPA Gatekeeper's ExternalData feature to verify container images
- Kubescape - Kubescape is tool for scanning Kubernetes clusters for security issues. Kubescape tests (rules) are based completely on OPA. See the regos here
- Kove - Watch your in-cluster Kubernetes manifests for OPA policy violations and export them as Prometheus metrics
Service Mesh Authorization
- OPA Envoy Plugin - The OPA Envoy Plugin (compatible with Envoy, Istio, Gloo Edge, more)
- Open Service Mesh - Envoy based service mesh using OPA for external authorization
- Kuma - OPA for Kuma service mesh
- Kong Mesh - OPA for Kong Mesh authorization (docs)
Blogs and Articles
- Policy Enabled Kubernetes with OPA - Guide on setting up OPA for kubernetes admission control
- Integrating OPA with Kubernetes - Comprehensive introduction to OPA and Gatekeeper
- Using OPA on EKS - Using Open Policy Agent on Amazon EKS
- OPA and Gatekeeper - Comparison between OPA and Gatekeeper with lots of useful information
- Kubernetes Authorization - Guide on using OPA for Kubernetes authorization
- Gatekeeper in a CI/CD pipeline - Guide on how to setup your CI environment to test your Kubernetes configuration against your policy in a CI environment as part of a GitOps strategy
- Verifying container signatures on Kubernetes with Gatekeeper - Verifying container signatures on Kubernetes with Gatekeeper
- Gator CLI - Testing Gatekeeper constraints with Gator CLI
Datasource Integrations
- Kafka Authorizer - Kafka authorizer plugin with example policies
- Data Filtering on Spring Data - Data filtering for MongoDB and JPA using OPA
- Elasticsearch - OPA-Elasticsearch Data Filtering Example
- Strimzi - Kafka in kubernetes, with built-in support for OPA as authorizer
- Google Calendar - Integrating OPA with the Google Calendar API
Datasource Integrations Blogs and Articles
- Google Calendar Integration - The Power of Data: Calendar-based Policy Enforcement
IDE and Editor Integrations
- VS Code plugin - Develop, test, debug, and analyze policies for OPA in VS Code
- IntelliJ plugin - OPA plugin for the IntelliJ IDE
- Emacs - Emacs Major mode for working with Rego
- Vim - Vim plugin for the Rego language, with support for syntax highlighting
- Atom - Syntax highlighting for the Atom editor
- CodeMirror - Rego mode and minimal key map for CodeMirror
- TextMate - Syntax highlighting for TextMate
- Sublime - Syntax highlighting for Sublime
- Nano - Syntax highlighting for Nano
- Prism - Prism is a lightweight, extensible syntax highlighter, built with modern web standards in mind (supports Rego)
Infrastructure as Code
- Infracost - Infracost generates cloud cost estimates for Terraform and integrates with OPA, it can be used to write cost policies
- Regula - Evaluates Terraform code for potential security misconfigurations and compliance violations.
- Example Terraform policies - Example Terraform policies
- Terrascan - 500+ Policies written in OPA for security best practices.
- KICS - Keeping Infrastructure as Code Secure or KICS scans IaC projects for security vulnerabilities, compliance issues, and infrastructure misconfiguration. Currently working with Terraform projects, Kubernetes manifests, Dockerfiles, AWS CloudFormation Templates, and Ansible playbooks.
- Trivy - Scan your code and artifacts for known vulnerabilities and misconfiguration issues.
- Terraform OPA IBM - Terraform policy library for IBM Cloud
Infrastructure as Code Blogs and Articles
- Using OPA with Pulumi CrossGuard - Authoring Pulumi CrossGuard Policy with OPA
- AWS CDK with OPA - Realize Policy-as-Code with AWS Cloud Development Kit through Open Policy Agent
- Kubernetes Authorization - Kubernetes Authorization via Open Policy Agent
Serverless
- OPA Lambda Extension Plugin - A custom plugin for running OPA in AWS Lambda as a Lambda Extension
Serverless Blogs and Articles
- Serverless Policy Enforcement - Connecting Open Policy Agent and AWS Lambda
- Lambda Authorizer - Creating a custom Lambda authorizer using Open Policy Agent
Tools and Utilities
- Fregot - Alternative REPL implementation for Rego
- OPA pre-commit - Pre-commit hooks for OPA/Rego/Conftest development
- Monitor OPA Gatekeeper - Monitoring implementation guide for OPA Gatekeeper (blog)
- OpenAPI to Rego - Generate Rego code given an OpenAPI 3.0 Specification
- Temporal reasoning with OPA - Examples for working with time in Rego
- OPAL - Realtime policy and data updates for your OPA agents on top of websockets pub/sub
- OPA Action - OPA Pull-Request Assessor is a GitHub Action that checks files against policies configured in the same repo
- OPA Schema Examples - Examples of extending the OPA type checker with JSON schemas
- Snyk IaC Rules - Maintain library of Rego rules, run integration tests and build WASM bundles for distribution of rules. The OPA libraries are used to build WASM bundles.
- kube-review - CLI tool to quickly create AdmissionReview requests from Kubernetes resources
Support and Community
- Styra - Commercial support, and tools for managing OPA at scale, by the creators of OPA
- Stack Overflow - Stack Overflow OPA section
- OPA Slack - Open Policy Agent Slack workspace
- GitHub Discussions - Open Policy Agent Discussion Board
Recommended Reading
- OPA Guidebook - Open source, free book on Open Policy Agent, by Sangkeon Lee (source code)
- Microservices Security in Action - Book on micorservices security, with dedicated section covering OPA. Freely available online.
- Fugue - 5 tips for using the Rego language for Open Policy Agent
- Integration - How we integrated our purely functional Scala backend with the Open Policy Agent
Maintainers
- @OpenPolicyAgent - Official OPA account
🌎 - @sometorin - Torin Sandall
🇨🇦 - OPA co-creator - @tlhinrichs - Tim Hinrichs
🇺🇸 - OPA co-creator - @ashtalk - Ash Narkar
🇺🇸 - OPA maintainer - @johanfylling - Johan Fylling
🇸🇪 - OPA maintainer - @anderseknert - Anders Eknert
🇸🇪 - OPA developer advocate - @peteroneilljr - Peter O'Neill
🌎 - OPA community advocate - @ritazzhang - Rita Zhang
🇺🇸 - Gatekeeper maintainer - @sozercan - Sertaç Özercan
🇺🇸 - Gatekeeper maintainer - @willbeason - Will Beason
🇺🇸 - Gatekeeper maintainer - @johnpreese - John Reese
🇺🇸 - Conftest maintainer
Community Stars
- @m_mizutani - Masayoshi Mizutani
🇯🇵 - Security engineer. Prolific OPA & Rego advocate - @Hiroyuki_OSAKI - Roy Hiroyuki OSAKI
🇺🇸 - Research engineer. OPA community contributor - @charlieegan3 - Charlie Egan
🇬🇧 - OPA contributor and active community member - @developerguyba - Batuhan Apaydin
🇹🇷 - Active member in OPA and many CNCF projects - @nmeisenzahl - Nico Meisenzahl
🇩🇪 - Frequently tweets and talks about OPA and cloud native topics - @jaspervdj-luminal - Jasper Van der Jeugt
🇨🇭 - OPA contributor
Commercial Tools
- Styra DAS - Styra Declarative Authorization Service, from the creators of OPA
- Scalr - Collaboration and Automation for Terraform, backed by OPA
- Fairwinds Insights - Run OPA policies consistently across CI/CD, Admission Control, and an multi-cluster scanner
- Snyk IaC - Test Infrastructure as Code source code repositories for security misconfigurations and best practices. The OPA golang libraries are used to evaluate Rego policies to detect misconfigurations in the repositories.
- Spacelift: Flexible management platform for Infrastructure as Code, backed by OPA
Contributing
Built a great OPA integration or wrote an interesting blog or article on the topic? Submit a PR!