From threatmodel-skills
Enforces policy-as-code using Open Policy Agent (OPA) and Rego for security, compliance validation, Kubernetes admissions, CI/CD checks, and config auditing.
npx claudepluginhub agentsecops/secopsagentkit --plugin offsec-skillsThis skill uses the workspace's default tool permissions.
This skill enables policy-as-code enforcement using Open Policy Agent (OPA) for compliance validation, security policy enforcement, and configuration auditing. OPA provides a unified framework for policy evaluation across cloud-native environments, Kubernetes, CI/CD pipelines, and infrastructure-as-code.
assets/ci-cd-pipeline.yamlassets/gdpr-compliance.regoassets/k8s-constraint-template.yamlassets/k8s-constraint.yamlassets/k8s-pod-security.regoassets/pci-dss-compliance.regoassets/soc2-compliance.regoassets/terraform-security.regoreferences/EXAMPLE.mdreferences/compliance-frameworks.mdreferences/iac-policies.mdreferences/kubernetes-security.mdreferences/rego-patterns.mdDesigns and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Designs, implements, and audits WCAG 2.2 AA accessible UIs for Web (ARIA/HTML5), iOS (SwiftUI traits), and Android (Compose semantics). Audits code for compliance gaps.
This skill enables policy-as-code enforcement using Open Policy Agent (OPA) for compliance validation, security policy enforcement, and configuration auditing. OPA provides a unified framework for policy evaluation across cloud-native environments, Kubernetes, CI/CD pipelines, and infrastructure-as-code.
Use OPA to codify security requirements, compliance controls, and organizational standards as executable policies written in Rego. Automatically validate configurations, prevent misconfigurations, and maintain continuous compliance.
# macOS
brew install opa
# Linux
curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
chmod +x opa
# Verify installation
opa version
# Evaluate a policy against input data
opa eval --data policy.rego --input input.json 'data.example.allow'
# Test policies with unit tests
opa test policy.rego policy_test.rego --verbose
# Run OPA server for live policy evaluation
opa run --server --addr localhost:8181
Identify compliance requirements and security controls to enforce:
Create policy files in Rego language. Use the provided templates in assets/ for common patterns:
Example: Kubernetes Pod Security Policy
package kubernetes.admission
import future.keywords.contains
import future.keywords.if
deny[msg] {
input.request.kind.kind == "Pod"
container := input.request.object.spec.containers[_]
container.securityContext.privileged == true
msg := sprintf("Privileged containers are not allowed: %v", [container.name])
}
deny[msg] {
input.request.kind.kind == "Pod"
container := input.request.object.spec.containers[_]
not container.securityContext.runAsNonRoot
msg := sprintf("Container must run as non-root: %v", [container.name])
}
Example: Compliance Control Validation (SOC2)
package compliance.soc2
import future.keywords.if
# CC6.1: Logical and physical access controls
deny[msg] {
input.kind == "Deployment"
not input.spec.template.metadata.labels["data-classification"]
msg := "SOC2 CC6.1: All deployments must have data-classification label"
}
# CC6.6: Encryption in transit
deny[msg] {
input.kind == "Service"
input.spec.type == "LoadBalancer"
not input.metadata.annotations["service.beta.kubernetes.io/aws-load-balancer-ssl-cert"]
msg := "SOC2 CC6.6: LoadBalancer services must use SSL/TLS encryption"
}
Write comprehensive tests for policy validation:
package kubernetes.admission_test
import data.kubernetes.admission
test_deny_privileged_container {
input := {
"request": {
"kind": {"kind": "Pod"},
"object": {
"spec": {
"containers": [{
"name": "nginx",
"securityContext": {"privileged": true}
}]
}
}
}
}
count(admission.deny) > 0
}
test_allow_unprivileged_container {
input := {
"request": {
"kind": {"kind": "Pod"},
"object": {
"spec": {
"containers": [{
"name": "nginx",
"securityContext": {"privileged": false, "runAsNonRoot": true}
}]
}
}
}
}
count(admission.deny) == 0
}
Run tests:
opa test . --verbose
Use the bundled evaluation script for policy validation:
# Evaluate single file
./scripts/evaluate_policy.py --policy policies/ --input config.yaml
# Evaluate directory of configurations
./scripts/evaluate_policy.py --policy policies/ --input configs/ --recursive
# Output results in JSON format for CI/CD integration
./scripts/evaluate_policy.py --policy policies/ --input config.yaml --format json
Or use OPA directly:
# Evaluate with formatted output
opa eval --data policies/ --input config.yaml --format pretty 'data.compliance.violations'
# Bundle evaluation for complex policies
opa eval --bundle policies.tar.gz --input config.yaml 'data'
Add policy validation to your CI/CD workflow:
GitHub Actions Example:
- name: Validate Policies
uses: open-policy-agent/setup-opa@v2
with:
version: latest
- name: Run Policy Tests
run: opa test policies/ --verbose
- name: Evaluate Configuration
run: |
opa eval --data policies/ --input deployments/ \
--format pretty 'data.compliance.violations' > violations.json
if [ $(jq 'length' violations.json) -gt 0 ]; then
echo "Policy violations detected!"
cat violations.json
exit 1
fi
GitLab CI Example:
policy-validation:
image: openpolicyagent/opa:latest
script:
- opa test policies/ --verbose
- opa eval --data policies/ --input configs/ --format pretty 'data.compliance.violations'
artifacts:
reports:
junit: test-results.xml
Enforce policies at cluster level using OPA Gatekeeper:
# Install OPA Gatekeeper
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
# Apply constraint template
kubectl apply -f assets/k8s-constraint-template.yaml
# Apply constraint
kubectl apply -f assets/k8s-constraint.yaml
# Test admission control
kubectl apply -f test-pod.yaml # Should be denied if violates policy
Generate compliance reports using the bundled reporting script:
# Generate compliance report
./scripts/generate_report.py --policy policies/ --audit-logs audit.json --output compliance-report.html
# Export violations for SIEM integration
./scripts/generate_report.py --policy policies/ --audit-logs audit.json --format json --output violations.json
scripts/)evaluate_policy.py - Evaluate OPA policies against configuration files with formatted outputgenerate_report.py - Generate compliance reports from policy evaluation resultstest_policies.sh - Run OPA policy unit tests with coverage reportingreferences/)rego-patterns.md - Common Rego patterns for security and compliance policiescompliance-frameworks.md - Policy templates mapped to SOC2, PCI-DSS, GDPR, HIPAA controlskubernetes-security.md - Kubernetes security policies and admission control patternsiac-policies.md - Infrastructure-as-code policy validation for Terraform, CloudFormationassets/)k8s-pod-security.rego - Kubernetes pod security policy templatek8s-constraint-template.yaml - OPA Gatekeeper constraint templatek8s-constraint.yaml - Example Gatekeeper constraint configurationsoc2-compliance.rego - SOC2 compliance controls as OPA policiespci-dss-compliance.rego - PCI-DSS requirements as OPA policiesgdpr-compliance.rego - GDPR data protection policiesterraform-security.rego - Terraform security best practices policiesci-cd-pipeline.yaml - CI/CD integration examples (GitHub Actions, GitLab CI)Enforce security policies at pod creation time:
package kubernetes.admission
deny[msg] {
input.request.kind.kind == "Pod"
not input.request.object.spec.securityContext.runAsNonRoot
msg := "Pods must run as non-root user"
}
Validate Terraform configurations before apply:
package terraform.security
deny[msg] {
resource := input.resource_changes[_]
resource.type == "aws_s3_bucket"
not resource.change.after.server_side_encryption_configuration
msg := sprintf("S3 bucket %v must have encryption enabled", [resource.name])
}
Map policies to specific compliance controls:
package compliance.soc2
# SOC2 CC6.1: Logical and physical access controls
cc6_1_violations[msg] {
input.kind == "RoleBinding"
input.roleRef.name == "cluster-admin"
msg := sprintf("SOC2 CC6.1 VIOLATION: cluster-admin binding for %v", [input.metadata.name])
}
Enforce data handling policies based on classification:
package data.classification
deny[msg] {
input.metadata.labels["data-classification"] == "restricted"
input.spec.template.spec.volumes[_].hostPath
msg := "Restricted data cannot use hostPath volumes"
}
Implement attribute-based access control (ABAC):
package api.authz
import future.keywords.if
allow if {
input.method == "GET"
input.path[0] == "public"
}
allow if {
input.method == "GET"
input.user.role == "admin"
}
allow if {
input.method == "POST"
input.user.role == "editor"
input.resource.owner == input.user.id
}
conftest or OPA CLISolution:
opa eval --data policy.rego --input input.json --explain full 'data.example.allow'opa fmt to format policies and catch syntax errorsSolution:
kubectl get pods -n gatekeeper-systemkubectl get constraintskubectl logs -n gatekeeper-system -l control-plane=controller-managerSolution:
opa test . --verboseprint() statements in Rego for debuggingSolution:
opa build policies/ -o bundle.tar.gzinput.key patterns