Policy as Code
What Is Policy as Code?
Policy as Code (PaC) expresses security and compliance policies as machine-readable rules that are versioned, reviewed and tested like any other code, then evaluated automatically in CI/CD against what a change is about to do (for example a Terraform plan), so that a non-compliant change fails the pipeline before it is applied.
OPA (Open Policy Agent) + Rego
# Rego policy: require encryption on all S3 buckets (a file under policy/)
package terraform.aws

import rego.v1

deny contains msg if {
    # `terraform show -json` lists every planned change under resource_changes;
    # change.after is null for a resource that is being destroyed
    rc := input.resource_changes[_]
    rc.type == "aws_s3_bucket"
    rc.change.after != null
    not has_encryption(rc.change.after)
    msg := sprintf("S3 bucket %v must have encryption enabled", [rc.address])
}

# An unset nested block appears in the plan as an empty list, not as a missing key,
# so check the count rather than key presence. Caveat: with AWS provider v4+ the
# encryption block moved to the separate aws_s3_bucket_server_side_encryption_configuration
# resource, which this rule does not look at.
has_encryption(after) if count(after.server_side_encryption_configuration) > 0

# Evaluate the policy against a plan exported with `terraform show -json`
opa eval --data policy/ --input tfplan.json "data.terraform.aws.deny"

Checkov — Terraform Scanning
# Scan a Terraform directory for security misconfigurations (exits non-zero if any check fails)
checkov -d terraform/

# Example findings (Checkov check IDs, descriptions paraphrased):
# CKV_AWS_20: S3 bucket ACL allows public READ access
# CKV_AWS_21: S3 bucket does not have versioning enabled
# CKV_AWS_24: Security group allows ingress from 0.0.0.0/0 to port 22 (SSH)

CI/CD Integration
# GitLab CI — Terraform scanning (.gitlab-ci.yml)
terraform-security:
  stage: security
  script:
    - cd terraform/
    - terraform init
    - terraform plan -out=tfplan.binary
    - terraform show -json tfplan.binary > tfplan.json
    # a plan JSON file is scanned with the terraform_plan framework, not terraform
    - checkov -f tfplan.json --framework terraform_plan
    # --fail-defined makes any deny message fail the job. Index the set (deny[msg]):
    # a bare data.terraform.aws.deny returns an empty set, which still counts as a
    # defined result and would fail a clean plan
    - opa eval --fail-defined --data ../policy/ --input tfplan.json "data.terraform.aws.deny[msg]"
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
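The following Rego is an added example, not code from the original page, and is meant to replace the S3 encryption rule above in policy/ so that the CI job can run it. It extends that rule in two ways a practitioner will need: it also accepts the separate aws_s3_bucket_server_side_encryption_configuration resource that AWS provider v4+ uses (found through the bucket reference recorded in the plan's configuration section, root module only here), and it ships with unit tests that `opa test policy/` runs before `opa eval`. The plan fixtures inside the tests are constructed, not real Terraform output; the layout assumed for them (resource_changes with change.after, configuration.root_module.resources with expressions.*.references) is that of `terraform show -json`.

```rego
# policy/s3_encryption.rego  (added example; run `opa test policy/`, then
# `opa eval --fail-defined --data policy/ --input tfplan.json "data.terraform.aws.deny[msg]"`)
package terraform.aws

import rego.v1

# Planned resources of one type. Destroyed resources have change.after == null.
planned(rtype) := [rc |
	some rc in input.resource_changes
	rc.type == rtype
	rc.change.after != null
]

# Legacy inline block (AWS provider < 4). An unset nested block is an empty
# list in the plan JSON, so test the count rather than key presence.
inline_sse(rc) if count(rc.change.after.server_side_encryption_configuration) > 0

# AWS provider >= 4: a separate resource whose `bucket` argument references the
# bucket. The plan's configuration section records that reference as a string
# such as "aws_s3_bucket.logs.id" (assumed layout; root module only here).
separate_sse(bucket_rc) if {
	some cfg in input.configuration.root_module.resources
	cfg.type == "aws_s3_bucket_server_side_encryption_configuration"
	some ref in cfg.expressions.bucket.references
	ref_target(ref) == bucket_rc.address
}

# "aws_s3_bucket.logs.id" -> "aws_s3_bucket.logs"; a bare "aws_s3_bucket.logs" is unchanged
ref_target(ref) := concat(".", array.slice(split(ref, "."), 0, 2))

deny contains msg if {
	some rc in planned("aws_s3_bucket")
	not inline_sse(rc)
	not separate_sse(rc)
	msg := sprintf("%s must have server-side encryption configured", [rc.address])
}

# ---- unit tests: constructed fixtures, not real plan output ----

bucket_change(addr) := {
	"address": addr,
	"type": "aws_s3_bucket",
	"change": {"actions": ["create"], "after": {"bucket": "logs", "server_side_encryption_configuration": []}},
}

test_unencrypted_bucket_denied if {
	plan := {
		"resource_changes": [bucket_change("aws_s3_bucket.logs")],
		"configuration": {"root_module": {"resources": []}},
	}
	count(deny) == 1 with input as plan
}

test_separate_encryption_resource_allowed if {
	plan := {
		"resource_changes": [bucket_change("aws_s3_bucket.logs")],
		"configuration": {"root_module": {"resources": [{
			"type": "aws_s3_bucket_server_side_encryption_configuration",
			"expressions": {"bucket": {"references": ["aws_s3_bucket.logs.id", "aws_s3_bucket.logs"]}},
		}]}},
	}
	count(deny) == 0 with input as plan
}

test_destroyed_bucket_ignored if {
	plan := {
		"resource_changes": [{"address": "aws_s3_bucket.old", "type": "aws_s3_bucket", "change": {"actions": ["delete"], "after": null}}],
		"configuration": {"root_module": {"resources": []}},
	}
	count(deny) == 0 with input as plan
}
```

In the GitLab job, `opa test ../policy/` goes in the script before the `opa eval` step, so a policy regression fails the pipeline on its own merge request rather than silently letting unencrypted buckets through. Buckets created inside modules live under configuration.root_module.module_calls, which this example deliberately does not walk; extend separate_sse if your plans use modules.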