Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

```yaml
version: 2.1
```
Add the orbs stanza below your version, invoking the orb:

```yaml
orbs:
  conftest-orb: kenfdev/conftest-orb@0.0.9
```
Use conftest-orb elements in your existing workflows and jobs.
Opt in to the use of uncertified orbs on your organization's Security settings page.
Example `simple`: Runs conftest tests against the target file.

```yaml
orbs:
  conftest: kenfdev/conftest-orb@x.y
version: 2.1
workflows:
  build:
    jobs:
      - conftest/test:
          file: config_to_test.yaml
          pre-steps:
            - checkout
```
Job `test`: Run conftest test
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
fail_on_warn | Return a non-zero exit code when warnings are found. | No | false | boolean |
file | File(s) to test against. | Yes | - | string |
policy_path | Path to the Rego policy files directory. | No | policy | string |
repository | Repository to pull policies from. If specified, will pull policies to the `policy_path` before executing the test. | No | '' | string |
version | Version of conftest to use. | No | latest | string |
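A fuller `.circleci/config.yml` built from the `test` job and the `install` and `verify` commands of this orb, as an added example that is not part of the orb's documentation or source. It first unit-tests the Rego policies in a custom job assembled from the orb's commands, then gates two sets of configuration files with the orb's `test` job, one using a policy directory from the repository and one pulling a policy bundle from an OCI registry. The pinned conftest version string, the `deploy/*.yaml` and `plan.json` paths, the contents of the `policy` directory and the `registry.example.com` repository reference are placeholders to replace with your own.

```yaml
version: 2.1

orbs:
  conftest: kenfdev/conftest-orb@0.0.9

jobs:
  # Custom job built from the orb's own commands: run the Rego unit tests
  # (conftest verify) before the policies are used to gate anything.
  verify-policies:
    executor: conftest/default
    steps:
      - checkout
      - conftest/install:
          # Placeholder: pin a release tag you have reviewed instead of the
          # default "latest", which is resolved via the GitHub API at build time.
          version: "X.Y.Z"
      - conftest/verify:
          policy_path: policy
          output_type: json

workflows:
  policy-gate:
    jobs:
      - verify-policies

      # Gate Kubernetes-style manifests with the policies committed in ./policy.
      # pre-steps is required: the orb job itself only installs, pulls and tests,
      # it never checks out the source.
      - conftest/test:
          name: test-manifests
          requires:
            - verify-policies
          version: "X.Y.Z"          # same placeholder pin as above
          file: deploy/*.yaml       # placeholder path, expanded by the shell
          policy_path: policy
          fail_on_warn: true        # warn rules also fail the build
          pre-steps:
            - checkout

      # Gate a Terraform plan with a policy bundle pulled from an OCI registry.
      # With repository set, the job runs conftest pull into policy_path first.
      - conftest/test:
          name: test-terraform-plan
          requires:
            - verify-policies
          version: "X.Y.Z"
          repository: registry.example.com/policies/terraform:v1   # placeholder
          policy_path: policy
          file: plan.json           # placeholder path
          fail_on_warn: true
          pre-steps:
            - checkout
```

Two design points follow from the job's step list (`install`, conditional `pull`, `test`). Leaving `version` at its default `latest` means every job resolves the newest release independently, so pinning one version across all three jobs is what makes the gate reproducible. Likewise, when `repository` is set the bundle fetched into `policy_path` is whatever the registry currently serves for that reference, so reference a specific tag rather than a floating one and keep `verify-policies` as a required predecessor so broken policy changes are caught before they block or pass deployments.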
Command `install`: Install conftest
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
version | The version of conftest to install | No | latest | string |
Command `pull`: Download individual policies from an OCI registry.
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
policy_path | Path to the Rego policy files directory. For the test command, specifying a specific .rego file is allowed. | No | policy | string |
repository | Repository to pull policies from. | Yes | - | string |
Command `push`: Upload individual policies to an OCI registry.
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
path | Path to create the bundle from. | No | . | string |
repository | Repository to push policies to. | Yes | - | string |
Command `test`: Test your configuration files using conftest
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
fail_on_warn | Return a non-zero exit code when warnings are found. | No | false | boolean |
file | File(s) to test against. | Yes | - | string |
input_type | Input type for the given source, especially useful when using conftest with stdin. (Valid options are toml, tf, hcl, cue, ini, yaml, json.) | No | '' | string |
namespace | Namespace in which to find deny and warn rules. | No | main | string |
output_type | Output format for conftest results. (Valid options are stdout, json, tap.) | No | stdout | enum |
policy_path | Path to the Rego policy files directory. For the test command, specifying a specific .rego file is allowed. | No | policy | string |
Command `verify`: Verify Rego unit tests
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
namespace | Namespace in which to find deny and warn rules. | No | main | string |
output_type | Output format for conftest results. (Valid options are stdout, json, tap.) | No | stdout | enum |
policy_path | Path to the Rego policy files directory. For the test command, specifying a specific .rego file is allowed. | No | policy | string |
Executor `default`: Docker image with only the minimal tools needed to run a build. Based on Docker Alpine.
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
tag | The tag of the docker image. See the following for the full list: https://hub.docker.com/r/cibuilds/base/tags | No | latest | string |
```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
commands:
  install:
    description: Install conftest
    parameters:
      version:
        default: latest
        description: The version of conftest to install
        type: string
    steps:
      - run:
          command: |
            if [[ $EUID == 0 ]]; then export SUDO=""; else export SUDO="sudo"; fi
            # grab conftest version
            if [[ "<<parameters.version>>" == "latest" ]]; then
              # extract latest version from GitHub releases API
              CONFTEST_VERSION=$(curl \
                --silent --show-error --location --fail --retry 3 \
                https://api.github.com/repos/instrumenta/conftest/releases/latest | \
                jq '.tag_name' | sed -E 's/"//g' | sed -E 's/^v//g')
            else
              CONFTEST_VERSION=<<parameters.version>>
              echo "Selected version of Conftest is $CONFTEST_VERSION"
            fi
            # Install conftest
            if [ ! -f ${HOME}/.conftest/bin/conftest ]; then
              mkdir -p ${HOME}/.conftest/bin
              wget "https://github.com/instrumenta/conftest/releases/download/v${CONFTEST_VERSION}/conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz"
              tar xzf "conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz"
              mv conftest ${HOME}/.conftest/bin
              chmod +x ${HOME}/.conftest/bin/conftest
              # Add to PATH
              echo 'export PATH=${HOME}/.conftest/bin:$PATH' >> $BASH_ENV
              source $BASH_ENV
            fi
            conftest --version
          name: Download the CLI
  pull:
    description: Download individual policies from an OCI registry.
    parameters:
      policy_path:
        default: policy
        description: Path to the Rego policy files directory. For the test command, specifying a specific .rego file is allowed.
        type: string
      repository:
        description: Repository to pull policies from.
        type: string
    steps:
      - run:
          command: |
            conftest pull --policy << parameters.policy_path >> << parameters.repository >>
          name: Run conftest pull << parameters.repository >>
  push:
    description: Upload individual policies to an OCI registry
    parameters:
      path:
        default: .
        description: Path to create the bundle from.
        type: string
      repository:
        description: Repository to push policies to.
        type: string
    steps:
      - run:
          command: |
            conftest push << parameters.repository >> << parameters.path >>
          name: Run conftest push << parameters.repository >>
  test:
    description: Test your configuration files using conftest
    parameters:
      fail_on_warn:
        default: false
        description: Return a non-zero exit code when warnings are found.
        type: boolean
      file:
        description: File(s) to test against.
        type: string
      input_type:
        default: ""
        description: Input type for given source, especially useful when using conftest with stdin.(valid options are toml, tf, hcl, cue, ini, yaml, json)
        type: string
      namespace:
        default: main
        description: Namespace in which to find deny and warn rules.
        type: string
      output_type:
        default: stdout
        description: Output format for conftest results.(valid options are stdout, json, tap)
        enum:
          - stdout
          - json
          - tap
        type: enum
      policy_path:
        default: policy
        description: Path to the Rego policy files directory. For the test command, specifying a specific .rego file is allowed.
        type: string
    steps:
      - run:
          command: |
            conftest test --namespace << parameters.namespace >> \
              --policy << parameters.policy_path >> \
              <<# parameters.fail_on_warn >>--fail-on-warn<</ parameters.fail_on_warn >> \
              <<# parameters.input_type >>--input << parameters.input_type >><</ parameters.input_type >> \
              --output << parameters.output_type >> \
              << parameters.file >>
          name: Run conftest test
  verify:
    description: Verify Rego unit tests
    parameters:
      namespace:
        default: main
        description: Namespace in which to find deny and warn rules.
        type: string
      output_type:
        default: stdout
        description: Output format for conftest results.(valid options are stdout, json, tap)
        enum:
          - stdout
          - json
          - tap
        type: enum
      policy_path:
        default: policy
        description: Path to the Rego policy files directory. For the test command, specifying a specific .rego file is allowed.
        type: string
    steps:
      - run:
          command: |
            conftest verify --namespace << parameters.namespace >> \
              --policy << parameters.policy_path >> \
              --output << parameters.output_type >>
          name: Run conftest verify
description: |
  Easily integrate Conftest View this orb's source: https://github.com/kenfdev/conftest-orb
examples:
  simple:
    description: |
      Runs conftest tests against the target file.
    usage:
      orbs:
        conftest: kenfdev/conftest-orb@x.y
      version: 2.1
      workflows:
        build:
          jobs:
            - conftest/test:
                file: config_to_test.yaml
                pre-steps:
                  - checkout
executors:
  default:
    description: |
      Docker image with only the minimal tools needed to run a build. Based on Docker Alpine
    docker:
      - image: cibuilds/base:<< parameters.tag >>
    parameters:
      tag:
        default: latest
        description: |
          The tag of the docker image. See the following for the full list. https://hub.docker.com/r/cibuilds/base/tags
        type: string
jobs:
  test:
    description: Run conftest test
    executor: default
    parameters:
      fail_on_warn:
        default: false
        description: Return a non-zero exit code when warnings are found.
        type: boolean
      file:
        description: File(s) to test against.
        type: string
      policy_path:
        default: policy
        description: Path to the Rego policy files directory.
        type: string
      repository:
        default: ""
        description: Repository to pull policies from. If specified, will pull policies to the `policy_path` before executing the test.
        type: string
      version:
        default: latest
        description: Version of conftest to use.
        type: string
    steps:
      - install:
          version: << parameters.version >>
      - when:
          condition: << parameters.repository >>
          steps:
            - pull:
                policy_path: << parameters.policy_path >>
                repository: << parameters.repository >>
      - test:
          fail_on_warn: << parameters.fail_on_warn >>
          file: << parameters.file >>
          policy_path: << parameters.policy_path >>
version: 2.1
```