Conftest test
conftest_testEvaluate configuration files against Rego policies to identify violations and warnings per file and namespace.
Instructions
Evaluate configuration files (Kubernetes manifests, Terraform plans, Dockerfiles, Helm charts, or any YAML/JSON/HCL/TOML/INI) against Rego policies using conftest test. Returns per-file, per-namespace pass/fail/warn results so you can pinpoint exactly which policy rules fired. Requires conftest on PATH or CONFTEST_BINARY set; returns CONFTEST_NOT_FOUND otherwise. Provide config via files (disk paths) or inlineConfig (inline string). Provide policy via policy (disk path) or inlinePolicy (inline Rego source). Omit policy and inlinePolicy to use conftest's default ./policy directory.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| data | No | Paths to directories from which additional data will be loaded for the Rego policies. Each path must be inside an allowed root. | |
| files | No | Filesystem paths to configuration files to evaluate (YAML, JSON, HCL, Dockerfile, etc.). Each path must be inside an allowed root (OPA_MCP_ALLOWED_PATHS). Mutually exclusive with `inlineConfig`. | |
| parser | No | Force a specific parser for all input `files` via conftest's global `--parser` flag, overriding extension-based detection. Useful for files whose extension does not match their format (e.g. parse a `.tfstate` file as `json`). Valid values: yaml, json, toml, hcl1, hcl2, ini, xml, dotenv, cue, jsonnet, properties, edn, hocon, dockerfile. For `inlineConfig`, prefer `inlineConfigParser`. | |
| policy | No | Path to a directory or file containing Rego policies. Must be inside an allowed root (OPA_MCP_ALLOWED_PATHS). Mutually exclusive with `inlinePolicy`. Omit to let conftest use its default `./policy` directory. | |
| combine | No | Combine all configuration files into a single input document before evaluating. Useful when policies need to inspect relationships across multiple files. | |
| namespace | No | Rego namespace (package name) to test against. Defaults to `main`. Use `allNamespaces: true` to test all discovered namespaces instead. | |
| failOnWarn | No | Return `passed: false` even when only warnings (no hard failures) are present. | |
| inlineConfig | No | Inline configuration content to evaluate (e.g. a Kubernetes manifest as a YAML string). Mutually exclusive with `files`. Defaults to YAML format; set `inlineConfigParser` to override. | |
| inlinePolicy | No | Inline Rego policy source. Written to a temporary directory and passed as `--policy`. The policy should declare `package main` (or match the `namespace` parameter). Mutually exclusive with `policy`. | |
| allNamespaces | No | Test policies found in all discovered namespaces. Overrides `namespace`. | |
| inlineConfigParser | No | Parser to use for `inlineConfig`. Valid values: yaml (default), json, toml, hcl1, hcl2, ini, xml, dotenv, cue, jsonnet, properties, edn, hocon, dockerfile. Ignored when `files` is used (conftest infers the parser from each file's extension, unless `parser` is set). |