Governance & Policy as Code: My DevSecOps Operating System
DevSecOps Governance Tools Comparison
As a DevSecOps practitioner, it's critical to choose the right Policy-as-Code tool based on your stack and use case. Below is a comparison of 5 key tools used to enforce governance across CI/CD pipelines, Infrastructure as Code, and Kubernetes.
Tool Overview Table
| Tool | Ecosystem Fit | Policy Language | Best For | Real-time Enforcement | Difficulty |
|---|---|---|---|---|---|
| OPA | Cloud-native (K8s, Terraform) | Rego | Generic policy engine, APIs, Terraform | Yes (via Gatekeeper) | Medium |
| Sentinel | HashiCorp stack | Sentinel (HCL-like) | Terraform Enterprise, Vault, Consul | Yes | Medium |
| Checkov | Terraform, CloudFormation | YAML + Python | IaC static security checks | No (pre-apply only) | Easy |
| Conftest | YAML, JSON, Dockerfiles, etc. | Rego (OPA) | CI/CD config validation | No (CI only) | Medium |
| Kyverno | Kubernetes-native | Declarative YAML | Kubernetes admission policies | Yes | Easy |
Real-World Use Cases
OPA (Open Policy Agent)
- Enforce no unencrypted S3 buckets in Terraform
- Block Kubernetes pods from running as root (via Gatekeeper)
- Apply policies on custom APIs (Envoy/NGINX integration)
```rego
# Example: Disallow root containers in Kubernetes
# Evaluated directly against a Pod manifest as `input`; under Gatekeeper the
# same object arrives as input.review.object.
package kubernetes.admission

violation[{"msg": msg}] {
	# Fires when runAsNonRoot is false OR missing (Kubernetes defaults to root)
	not input.spec.securityContext.runAsNonRoot
	msg := "Containers must not run as root"
}
```
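The snippet above checks only the pod-level securityContext. In practice each container can override that setting, and an absent field means "root allowed", so an admission policy has to compute the effective value per container. The following Gatekeeper-shaped policy is an added example written for this post, not code from the OPA or Gatekeeper projects; it assumes an OPA version that accepts `import rego.v1` (0.59 or later, or OPA 1.x), the package name `k8srequirednonroot` is arbitrary, and the fixtures in the `test_` rules are constructed Pod objects, not real cluster data.

```rego
package k8srequirednonroot

import rego.v1

# Gatekeeper hands the admission request in as input.review.object.
pod := input.review.object

# Effective runAsNonRoot for a container: its own setting wins over the
# pod's; if neither is set, Kubernetes defaults to allowing root (false).
effective_nonroot(c) := v if {
	v := c.securityContext.runAsNonRoot
} else := v if {
	v := pod.spec.securityContext.runAsNonRoot
} else := false

# One violation per container whose effective value is not exactly true.
violation contains {"msg": msg} if {
	some c in pod.spec.containers
	effective_nonroot(c) != true
	name := object.get(pod.metadata, "name", "<unnamed>")
	msg := sprintf("container %q in pod %q must run with runAsNonRoot: true", [c.name, name])
}

# ---- Unit tests, run with `opa test <this file>` ----
# Constructed fixture builder (not a real cluster object): a single-container
# pod with the given pod-level and container-level securityContext maps.
pod_with(podctx, ctrctx) := {"review": {"object": {
	"metadata": {"name": "demo"},
	"spec": {
		"securityContext": podctx,
		"containers": [{"name": "app", "securityContext": ctrctx}],
	},
}}}

test_missing_everywhere_is_violation if {
	count(violation) == 1 with input as pod_with({}, {})
}

test_pod_level_true_is_ok if {
	count(violation) == 0 with input as pod_with({"runAsNonRoot": true}, {})
}

test_container_true_is_ok if {
	count(violation) == 0 with input as pod_with({}, {"runAsNonRoot": true})
}

test_container_false_overrides_pod_true if {
	count(violation) == 1 with input as pod_with({"runAsNonRoot": true}, {"runAsNonRoot": false})
}
```

The `else` chain is what makes the policy fail closed: a pod that never mentions `runAsNonRoot` is rejected rather than silently admitted, which is the case the shorter `== false` check misses. To ship it through Gatekeeper, paste the package into a ConstraintTemplate's `rego:` field and bind it to Pods with a Constraint.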
Sentinel
- Block Terraform plans that don't tag resources
- Ensure secrets in Vault are not readable by unauthorized teams
- Enforce different access levels in Nomad jobs
```sentinel
# Example: Enforce tags in Terraform (Sentinel, tfplan/v2 import; deletions are skipped since they have no "after" state to inspect)
import "tfplan/v2" as tfplan
live = filter tfplan.resource_changes as _, rc { rc.change.actions is not ["delete"] }
main = rule { all live as _, rc { (rc.change.after.tags else {}) contains "env" } }
```
Checkov
- Scan IaC for overexposed security groups
- Validate if RDS databases have backup retention
- Catch hardcoded secrets in Terraform
```text
# Checkov result example
check: CKV_AWS_24
message: Ensure no open security group to 0.0.0.0/0
```
Conftest
- Validate Ansible playbooks for required variables
- Enforce naming conventions in GitHub Actions workflows
- Integrate into Jenkins CI to block invalid config commits
```rego
# Example: Validate that env is defined (Conftest reads package main by default)
package main

deny[msg] {
	# Fires when the parsed file has no top-level "env" key
	not input.env
	msg := "Missing required env key"
}
```
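The second Conftest use case above, enforcing naming conventions in GitHub Actions workflows, needs a policy that walks the `jobs` map rather than testing one key. The block below is an added example for this post, not code from the Conftest project; the kebab-case convention it enforces is an assumption chosen for illustration, it assumes `import rego.v1` is available (OPA 0.59 or later), and the `sample` workflow is constructed for the tests, not a real repository file.

```rego
package main

import rego.v1

# Conftest parses the workflow YAML and hands it in as `input`.
# Assumed convention for this example: job ids are kebab-case.
kebab := `^[a-z][a-z0-9]*(-[a-z0-9]+)*$`

deny contains msg if {
	not input.name
	msg := "workflow must declare a top-level `name`"
}

deny contains msg if {
	some job_id, _ in input.jobs
	not regex.match(kebab, job_id)
	msg := sprintf("job id %q is not kebab-case", [job_id])
}

# ---- Unit tests, run with `opa test <this file>` ----
# Constructed workflow document (not a real repository file).
sample := {
	"name": "ci",
	"jobs": {
		"build-and-test": {"runs-on": "ubuntu-latest"},
		"Deploy_Prod": {"runs-on": "ubuntu-latest"},
	},
}

test_bad_job_id_is_denied if {
	deny == {"job id \"Deploy_Prod\" is not kebab-case"} with input as sample
}

test_missing_name_is_denied if {
	count(deny) == 1 with input as {"jobs": {"build": {"runs-on": "ubuntu-latest"}}}
}

test_clean_workflow_passes if {
	count(deny) == 0 with input as {"name": "ci", "jobs": {"build": {}}}
}
```

In CI the same file is applied with `conftest test .github/workflows/ci.yml -p policy/`, which exits non-zero when any `deny` message is produced, so the Jenkins integration mentioned above is just that exit code gating the commit.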
Kyverno
- Prevent using the `latest` image tag
- Auto-label all pods with team name
- Require resource requests & limits on every deployment
```yaml
# Example: Block latest image tag (Kyverno ClusterPolicy)
# Note: an image with no tag at all defaults to latest; Kyverno's reference
# policy pairs this rule with a second one whose pattern is image: "*:*".
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata: {name: disallow-latest-tag}
spec:
  validationFailureAction: Enforce
  rules:
    - name: validate-image-tag
      match: {any: [{resources: {kinds: [Pod]}}]}
      validate:
        message: "Avoid using latest tag"
        pattern:
          spec:
            containers:
              - image: "!*:latest"
```
Summary: How to Choose
| Scenario | Start With |
|---|---|
| General-purpose policies | OPA |
| You use Terraform Enterprise | Sentinel |
| Quick IaC scan before deploying | Checkov |
| Need portable CI/CD policy checks | Conftest |
| Kubernetes-native enforcement | Kyverno |
Explore More:
- https://www.openpolicyagent.org/
- https://developer.hashicorp.com/sentinel
- https://www.checkov.io/
- https://www.conftest.dev/
- https://kyverno.io/
Thanks for reading. May your pipelines be green, your infra be tagged, and your security posture be strong!
Explore my projects, policies, and pipelines on opsbygandal.dev or on GitHub: https://github.com/gandalops?tab=repositories
Feedback? Let's connect on LinkedIn