1. Install `conftest` via the official release binary or Homebrew.
2. Write a Rego policy in `policy/sbom.rego` that denies an SBOM if any component has no PURL or if the `bomFormat` field is missing.
3. Run `conftest test sbom.cdx.json --policy policy/ --namespace sbom` to evaluate the policy against your SBOM file.
4. Add a `conftest verify` step in CI that runs against the SBOM artifacts produced by the build and fails the pipeline on `deny` results.
5. Use `conftest pull oci://<registry>/<repo>:<tag>` to distribute shared policy bundles as OCI artifacts and standardize policy across teams.
Known gotchas
- Conftest expects structured input such as JSON or YAML; SPDX tag-value format must be converted to JSON before Conftest can evaluate it.
- Conftest is allow-by-default: an empty policy directory passes everything. Always include at least one explicit `deny` rule so that a misconfigured or missing policy is noticed.
- OCI policy bundles fetched via `conftest pull` are cached locally; a stale cache can cause CI to evaluate outdated policies after a bundle update. Use `--update` or clear the cache in CI.