Install conftest; organize Rego policy files under a policy/ directory with deny or warn rules that receive the parsed manifest as input.
For Kubernetes manifests, run conftest test deployment.yaml --policy policy/ ; conftest parses the YAML, iterates over documents, and evaluates each against the deny rules.
For Terraform, first generate a plan JSON file using terraform show -json tfplan.binary, then run conftest test tfplan.json --policy policy/ --input=tf-plan ; confirm conftest recognizes the parser.
Add a conftest pull step to download shared policy bundles from an OCI registry or HTTP bundle server using conftest pull to keep policies DRY across repos.
Fail the CI job on any deny violation; use warn rules for advisory checks that produce output without failing the job.
Known gotchas
conftest's Terraform input parser has evolved across versions; verify the input object structure against your conftest version by printing input in a test policy before writing substantive rules.
A single YAML file with multiple Kubernetes documents (separated by ---) is evaluated once per document; ensure policy rules handle the correct resource kinds and don't assume a single object.
Namespace the policy package correctly; conftest evaluates rules in the data.main or data.kubernetes namespace by default, but this is configurable — mismatched namespaces cause rules to silently not fire.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp