Safeguard
Tag

opa

Safeguard articles tagged "opa" — guides, analysis, and best practices for software supply chain and application security.

14 articles

Cloud Security

Scanning Terraform and CloudFormation before you ever run apply

tfsec merged into Trivy in 2024 and OPA hit CNCF graduated status in 2021 — here's how to scan Terraform and CloudFormation before deploy, with a working Conftest policy.

Jul 14, 20266 min read
DevSecOps

Writing Rego policies for Kubernetes admission control and CI gates

Open Policy Agent graduated CNCF on Jan 29, 2021 — yet most teams still ship Rego with no default-deny, turning a policy gate into a rubber stamp.

Jul 11, 20268 min read
Cloud Security

Policy as Code: Enforcing Cloud Security Guardrails in CI/CD Instead of Manual Review

OPA reached CNCF Graduated status in January 2021 — yet most teams still catch misconfigured IAM roles by eyeballing a pull request.

Jul 11, 20267 min read
Cloud Security

Policy-as-code for Terraform: testing before you ever run apply

Checkov, OPA, and tflint each catch different Terraform mistakes — chained into CI before apply, they turn a review comment into a hard gate.

Jul 11, 20266 min read
DevSecOps

A hands-on introduction to Rego for Kubernetes admission control

OPA graduated CNCF on January 29, 2021, and Rego v1 became the default syntax in OPA v1.0.0 (Dec 2024) — here's how to write your first admission-control policies.

Jul 8, 20266 min read
DevSecOps

Rego for security engineers: a beginner's guide to OPA policy

Rego graduated from Styra research project to a CNCF-graduated standard in under five years. Here's how to write your first real OPA/Conftest policy.

Jul 8, 20267 min read
DevSecOps

Policy as Code for Security: A Practical Guide

When your security rules live in a wiki, they are advice. When they live in version-controlled code the pipeline enforces, they are controls. Here is how to move security policy into code that actually runs.

Jul 4, 20266 min read
Infrastructure Security

What is Policy as Code

Policy as code turns security and compliance rules into version-controlled, testable code enforced automatically in CI/CD, admission control, and runtime.

Mar 12, 20268 min read
Tools

Kyverno vs OPA Gatekeeper: A Buyer Comparison for 2026

A practical comparison of Kyverno 1.13 and OPA Gatekeeper 3.18 for Kubernetes policy enforcement, covering language, performance, ecosystem, and operational fit.

Mar 4, 20266 min read
Container Security

Kubernetes Admission Controller Policy Patterns in 2026

A field guide to the admission control patterns that survived contact with production clusters: validating webhooks, image policy, mutating defaults, and what to skip.

Feb 11, 20266 min read
Architecture

Safeguard Policy Evaluation Engine

How Safeguard's policy engine evaluates thousands of rules per artifact with predictable latency — the compiler, the cache layer, and the decision trail.

Feb 8, 20268 min read
Container Security

K8s Admission Controllers for Supply Chain Policy

How to design Kubernetes admission controllers that enforce supply chain policy without turning every deploy into a 30-minute argument with the cluster.

Jan 13, 20266 min read
opa — Safeguard Blog