opa
Safeguard articles tagged "opa" — guides, analysis, and best practices for software supply chain and application security.
14 articles
Scanning Terraform and CloudFormation before you ever run apply
tfsec merged into Trivy in 2024 and OPA hit CNCF graduated status in 2021 — here's how to scan Terraform and CloudFormation before deploy, with a working Conftest policy.
Writing Rego policies for Kubernetes admission control and CI gates
Open Policy Agent graduated CNCF on Jan 29, 2021 — yet most teams still ship Rego with no default-deny, turning a policy gate into a rubber stamp.
Policy as Code: Enforcing Cloud Security Guardrails in CI/CD Instead of Manual Review
OPA reached CNCF Graduated status in January 2021 — yet most teams still catch misconfigured IAM roles by eyeballing a pull request.
Policy-as-code for Terraform: testing before you ever run apply
Checkov, OPA, and tflint each catch different Terraform mistakes — chained into CI before apply, they turn a review comment into a hard gate.
A hands-on introduction to Rego for Kubernetes admission control
OPA graduated CNCF on January 29, 2021, and Rego v1 became the default syntax in OPA v1.0.0 (Dec 2024) — here's how to write your first admission-control policies.
Rego for security engineers: a beginner's guide to OPA policy
Rego graduated from Styra research project to a CNCF-graduated standard in under five years. Here's how to write your first real OPA/Conftest policy.
Policy as Code for Security: A Practical Guide
When your security rules live in a wiki, they are advice. When they live in version-controlled code the pipeline enforces, they are controls. Here is how to move security policy into code that actually runs.
What is Policy as Code
Policy as code turns security and compliance rules into version-controlled, testable code enforced automatically in CI/CD, admission control, and runtime.
Kyverno vs OPA Gatekeeper: A Buyer Comparison for 2026
A practical comparison of Kyverno 1.13 and OPA Gatekeeper 3.18 for Kubernetes policy enforcement, covering language, performance, ecosystem, and operational fit.
Kubernetes Admission Controller Policy Patterns in 2026
A field guide to the admission control patterns that survived contact with production clusters: validating webhooks, image policy, mutating defaults, and what to skip.
Safeguard Policy Evaluation Engine
How Safeguard's policy engine evaluates thousands of rules per artifact with predictable latency — the compiler, the cache layer, and the decision trail.
K8s Admission Controllers for Supply Chain Policy
How to design Kubernetes admission controllers that enforce supply chain policy without turning every deploy into a 30-minute argument with the cluster.