Toolkit
Open Policy Agent (OPA)

OPA is a general-purpose policy engine that evaluates custom Rego rules against JSON input to make decisions for APIs, Kubernetes, or CI/CD, enforcing fine-grained access or compliance checks. Write policies in its declarative language, query it via REST or CLI for runtime enforcement, and test them in the Rego Playground. Open-source from Styra, it's the rule reactor for devs templating decisions across services without hardcoding them.

Kyverno

Kyverno is a Kubernetes-native policy engine that applies custom YAML rules to validate, mutate, or generate resources, blocking non-compliant deployments through admission webhooks. Define policies for RBAC or image scans, apply them via kubectl, and audit violations in events. Open-source from Nirmata, it's the cluster curator for operators crafting declarative guards around custom workflows.

Falco

Falco is a cloud-native runtime engine driven by custom syscall rules in YAML, detecting anomalies such as container escapes or file tampering with eBPF hooks for low-overhead enforcement. Tune the rules for your environment, stream alerts to Kafka, and extend them with Lua for complex logic. Open-source from Sysdig, it's the behavior bouncer for security pros templating detections in dynamic infrastructures.

Gatekeeper

Gatekeeper is an OPA-powered Kubernetes admission controller that enforces custom policies defined as CRDs, validating resources against Rego for consistent cluster governance. Install it via Helm, author ConstraintTemplates, and audit violations in status fields. Open-source from Sigstore, it's the policy porter for K8s admins porting custom rules into native enforcement.

Sentinel

Sentinel is HashiCorp's policy-as-code engine for custom HCL rules in Terraform or Vault, enforcing compliance with flow controls and supporting dry runs through the sentinel CLI. Define policies for resource limits, import them into workspaces, and integrate with CI for gated merges. Open-source from HashiCorp, it's the decision delegator for IaC pros templating guardrails in infra pipelines.

OPA Bundle

OPA Bundle is the packaging tool for bundling custom Rego policies together with data into deployable artifacts, enabling air-gapped or versioned rule distribution in edge or cloud setups. Build bundles with opa commands, serve them to agents, and update them dynamically without restarts. An open-source extension of OPA, it's the policy packer for distributed teams templating scalable enforcement.

Conftest

Conftest is the OPA-based CLI for testing custom policies against YAML/JSON configs such as K8s manifests or Terraform plans, validating them before commit with integrated scans. Write Rego, run conftest test on the files for pass/fail output, and hook it into a git pre-commit hook. Open-source from Styra, it's the policy proofreader for devs templating early feedback in code reviews.

CUE

CUE is a data validation language with custom rule engines for defining schemas and constraints on YAML/JSON, enforcing structure in configs or APIs with type-safe checks. Write CUE files, validate inputs via the CLI, and embed it in tools for runtime guards. Open-source from the CUE project, it's the constraint crafter for engineers templating data integrity across pipelines.

Checkov

Checkov is an IaC policy engine with custom YAML/Rego rules for scanning Terraform or CloudFormation, flagging drift or non-compliance in pre-deploy workflows. Install it via pip, run it on directories, and extend it with bridges to OPA for hybrid checks. Open-source from Bridgecrew, it's the infra inspector for cloud pentesters templating scans into devsecops gates.

Custom Rule Engine (CRE)

Custom Rule Engine (CRE) is an extensible framework for building domain-specific rule matchers in Go, defining DSLs for patterns in logs or configs with runtime evaluation. Prototype rules in JSON, compile them for performance, and integrate via APIs for templated hunts. An open-source prototype, it's the DIY drafter for innovators crafting bespoke engines for niche scanning needs.
