Install conftest from the official releases and verify with `conftest --version`; it parses Terraform HCL, JSON plan output, Kubernetes YAML, and over 18 other formats.
Run `terraform show -json tfplan > plan.json` against the plan file saved with `terraform plan -out tfplan` to export the plan as structured JSON that conftest can parse.
Write a Rego policy file, e.g. `policy/main.rego`, with `package main` and denial rules such as `deny[msg] { ... }`.
Execute `conftest test plan.json --policy policy/` from the repo root; conftest evaluates each deny and warn rule and exits non-zero if any denial fires.
Add `conftest pull` with an OCI registry path to distribute shared policy bundles across teams without copying Rego files into every repo.
Integrate the conftest step into your CI pipeline between `terraform plan` (with `-out`) and `terraform apply`.
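An example `policy/main.rego` for the pipeline above, added here and not taken from the page or the conftest project: it uses the `import rego.v1` spelling (`deny contains msg if`) of the `deny[msg] { ... }` rule form, and it assumes the `resource_changes[].change.{actions,after}` plan layout and the AWS provider's `aws_security_group`/`ingress`/`cidr_blocks` attribute names, which you should confirm against your Terraform and provider versions.

```rego
package main

# Added example policy (not from the original page). Assumptions: plan JSON
# exposes resource_changes[].change.actions and .change.after, and the AWS
# provider renders security group ingress blocks as a list with from_port,
# to_port and cidr_blocks. Verify both against your plan schema.

import rego.v1

# Resources the plan will create or update; deletes and no-ops are skipped
# here because their `after` state is null or unchanged.
changed contains rc if {
    some rc in input.resource_changes
    some action in rc.change.actions
    action in {"create", "update"}
}

# Deny: a security group ingress rule that admits SSH from any IPv4 address.
# conftest exits non-zero when this fires, so the apply step never runs.
deny contains msg if {
    some rc in changed
    rc.type == "aws_security_group"
    some rule in rc.change.after.ingress
    rule.from_port <= 22
    rule.to_port >= 22
    "0.0.0.0/0" in rule.cidr_blocks
    msg := sprintf("%s: ingress allows SSH (port 22) from 0.0.0.0/0", [rc.address])
}

# Warn: any resource the plan will destroy. Warnings are reported but do not
# fail the run, so reviewers see destructive changes without blocking them.
warn contains msg if {
    some rc in input.resource_changes
    "delete" in rc.change.actions
    msg := sprintf("%s will be destroyed (actions: %v)", [rc.address, rc.change.actions])
}
```

Run it with `conftest test plan.json --policy policy/`; the `changed` helper is where to add the resource types your own deny rules should cover.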
Known gotchas
Conftest does not bundle pre-written policies; teams must author their own Rego or import from the gatekeeper-library or community OPA policy repos.
The `package main` convention is required for default conftest behavior; using a different package name requires passing `--namespace` explicitly.
Plan JSON structure differs between Terraform versions; confirm the `resource_changes` path used in Rego against the plan schema for the Terraform version in use.