Skip to content

A curated list of OPA related tools, frameworks and articles

License

Notifications You must be signed in to change notification settings

angelwn/awesome-opa

ย 
ย 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 

Repository files navigation

awesome-opa



A curated list of awesome Open Policy Agent (OPA) related tools, frameworks and articles.

Contents

Official projects

Repositories

  • OPA - Open Policy Agent Github repository
  • Gatekeeper - Kubernetes admission controller using OPA
  • Conftest - Write tests against structured configuration data

Docs

Blogs and Articles

  • OPA - Official blog for the OPA project
  • Logo - The OPA Logo in different versions

Policy Packages

  • Library - Community-owned policy library for OPA
  • Policy Hub CLI - CLI tool that makes Rego policies searchable
  • Rego policies - Rego policies from the the Red Hat community of practice
  • Appshield - Open Database of rego policies for common Infrastructure as Code files
  • Conftest policy packs - Collection of Conftest policies for "Compliance-as-Code" security policies and general engineering standards. Policies targeting Terraform, Dockerfiles, package.json (NodeJS) files, etc
  • Confectionary - A library of rules for Conftest used to detect Terraform misconfigurations.

Language and Platform Integrations

Java

  • Java - Generic Java client to query OPA's REST API
  • Spring Security - OPA Spring Security Library
  • Spring Security Reactive - OPA with Spring Security Reactive
  • Gradle - OPA plugin for Gradle
  • Thunx - Thunx is a pluggable ABAC system using OPA, Spring Cloud Gateway and Spring Data REST

Python

Go

PHP

  • OPA Library for PHP - OPA client, a PSR-15 authorization middleware and a PSR-15 bundle distributor middleware

.NET

Node.js

Clojure

  • Clojure - Middleware and utilities for app authorization with OPA in Clojure

Docker

Containers

  • Konveyor Forklift Validation Service - VM migration suitability assessment to avoid migrating VMs that are not fit for Kubevirt. Rules are applied on all the VMs of the source provider (VMware) during the initial inventory collection, then whenever a VM configuration changes.

WebAssembly (Wasm)

  • NPM module - a small SDK for using WebAssembly compiled Open Policy Agent Rego policies
  • .NET Core Library - .NET SDK for calling Wasm-compiled OPA policies from .NET Core
  • Python Library - Open Policy Agent WebAssembly SDK for Python
  • Go SDK - a small Go library for using WebAssembly compiled Open Policy Agent Rego policies
  • JVM - Java SDK for calling Wasm-compiled policies. Uses wasmtime.

Docs

  • Wasm - Official docs on WebAssembly for OPA

Built with Wasm

  • OPA Wasm demo - Demonstration of evaluating OPA's Wasm modules in the browser
  • Snyk CLI - Test Infrastructure as Code source code for security misconfigurations and best practices in the local console. The npm-opa-wasm library is used to run WASM bundle of Rego policies to detect misconfiguration.

Kubernetes

Service Mesh Authorization

  • OPA Envoy Plugin - The OPA Envoy Plugin (compatible with Envoy, Istio, Gloo Edge, more)
  • Open Service Mesh - Envoy based service mesh using OPA for external authorization
  • Kuma - OPA for Kuma service mesh
  • Kong Mesh - OPA for Kong Mesh authorization (docs)

Blogs and Articles

Datasource Integrations

Datasource Integrations Blogs and Articles

IDE and Editor Integrations

  • VS Code plugin - Develop, test, debug, and analyze policies for OPA in VS Code
  • IntelliJ plugin - OPA plugin for the IntelliJ IDE
  • Emacs - Emacs Major mode for working with Rego
  • Vim - Vim plugin for the Rego language, with support for syntax highlighting
  • Null-ls - Use Neovim as a language server to inject LSP diagnostics, code actions, and more. Supports linting rego files.
  • Atom - Syntax highlighting for the Atom editor
  • CodeMirror - Rego mode and minimal key map for CodeMirror
  • TextMate - Syntax highlighting for TextMate
  • Sublime - Syntax highlighting for Sublime
  • Nano - Syntax highlighting for Nano
  • Prism - Prism is a lightweight, extensible syntax highlighter, built with modern web standards in mind (supports Rego)

Infrastructure as Code

  • OPA AWS CloudFormation Hook - AWS CloudFormation Hook calling OPA for policy decisions. See also tutorial.
  • Infracost - Infracost generates cloud cost estimates for Terraform and integrates with OPA, it can be used to write cost policies
  • Regula - Evaluates Terraform code for potential security misconfigurations and compliance violations.
  • Example Terraform policies - Example Terraform policies
  • Terrascan - 500+ Policies written in OPA for security best practices.
  • KICS - Keeping Infrastructure as Code Secure or KICS scans IaC projects for security vulnerabilities, compliance issues, and infrastructure misconfiguration. Currently working with Terraform projects, Kubernetes manifests, Dockerfiles, AWS CloudFormation Templates, and Ansible playbooks.
  • Trivy - Scan your code and artifacts for known vulnerabilities and misconfiguration issues.
  • Terraform OPA IBM - Terraform policy library for IBM Cloud
  • GCP policy guardrails for Terraform - Rego reference policy library for GCP controls (originally from forseti). Originally used by terraform-validator and now on gcloud beta terraform vet. More info at Policy Validation
  • Pulumi OPA Bridge for CrossGuard - This project allows OPA rules to be run in the context of Pulumi's policy system, CrossGuard

Infrastructure as Code Blogs and Articles

Serverless

Serverless Blogs and Articles

Testing

Other Usecases

  • SansShell - A non-interactive daemon for host management, where any action is authorized by OPA

Tools and Utilities

-ย setup-opa - GitHub action to configure the Open Policy Agent CLI in your GitHub Actions workflows

  • Fregot - Alternative REPL implementation for Rego
  • OPA pre-commit - Pre-commit hooks for OPA/Rego/Conftest development
  • Monitor OPA Gatekeeper - Monitoring implementation guide for OPA Gatekeeper (blog)
  • OpenAPI to Rego - Generate Rego code given an OpenAPI 3.0 Specification
  • Temporal reasoning with OPA - Examples for working with time in Rego
  • OPAL - Realtime policy and data updates for your OPA agents on top of websockets pub/sub
  • OPA Action - OPA Pull-Request Assessor is a GitHub Action that checks files against policies configured in the same repo
  • OPA Schema Examples - Examples of extending the OPA type checker with JSON schemas
  • Snyk IaC Rules - Maintain library of Rego rules, run integration tests and build WASM bundles for distribution of rules. The OPA libraries are used to build WASM bundles.
  • opactl - A simple tool to turn your Rego rule into CLI command (blog)
  • alfred - A self-hosted OPA Playground Alternative
  • Rรถnd - Rรถnd is a lightweight container that distributes security policy enforcement throughout your application

Support and Community

  • Styra - Commercial support, and tools for managing OPA at scale, by the creators of OPA
  • Stack Overflow - Stack Overflow OPA section
  • OPA Slack - Open Policy Agent Slack workspace
  • GitHub Discussions - Open Policy Agent Discussion Board

Recommended Reading

  • OPA Guidebook - Open source, free book on Open Policy Agent, by Sangkeon Lee (source code)
  • Microservices Security in Action - Book on micorservices security, with dedicated section covering OPA. Freely available online.
  • Fugue - 5 tips for using the Rego language for Open Policy Agent
  • Integration - How we integrated our purely functional Scala backend with the Open Policy Agent

Twitter

Maintainers

  • @OpenPolicyAgent - Official OPA account ๐ŸŒŽ
  • @sometorin - Torin Sandall ๐Ÿ‡จ๐Ÿ‡ฆ - OPA co-creator
  • @tlhinrichs - Tim Hinrichs ๐Ÿ‡บ๐Ÿ‡ธ - OPA co-creator
  • @ashtalk - Ash Narkar ๐Ÿ‡บ๐Ÿ‡ธ - OPA maintainer
  • @johanfylling - Johan Fylling ๐Ÿ‡ธ๐Ÿ‡ช - OPA maintainer
  • @anderseknert - Anders Eknert ๐Ÿ‡ธ๐Ÿ‡ช - OPA developer advocate
  • @peteroneilljr - Peter O'Neill ๐ŸŒŽ - OPA community advocate
  • @ritazzhang - Rita Zhang ๐Ÿ‡บ๐Ÿ‡ธ - Gatekeeper maintainer
  • @sozercan - Sertaรง ร–zercan ๐Ÿ‡บ๐Ÿ‡ธ - Gatekeeper maintainer
  • @willbeason - Will Beason ๐Ÿ‡บ๐Ÿ‡ธ - Gatekeeper maintainer
  • @johnpreese - John Reese ๐Ÿ‡บ๐Ÿ‡ธ - Conftest maintainer

Community Stars

  • @m_mizutani - Masayoshi Mizutani ๐Ÿ‡ฏ๐Ÿ‡ต - Security engineer. Prolific OPA & Rego advocate
  • @Hiroyuki_OSAKI - Roy Hiroyuki OSAKI ๐Ÿ‡บ๐Ÿ‡ธ - Research engineer. OPA community contributor
  • @charlieegan3 - Charlie Egan ๐Ÿ‡ฌ๐Ÿ‡ง - OPA contributor and active community member
  • @developerguyba - Batuhan Apaydin ๐Ÿ‡น๐Ÿ‡ท - Active member in OPA and many CNCF projects
  • @nmeisenzahl - Nico Meisenzahl ๐Ÿ‡ฉ๐Ÿ‡ช - Frequently tweets and talks about OPA and cloud native topics
  • @jaspervdj-luminal - Jasper Van der Jeugt ๐Ÿ‡จ๐Ÿ‡ญ - OPA contributor

Commercial Tools

  • Styra DAS - Styra Declarative Authorization Service, from the creators of OPA
  • Scalr - Collaboration and Automation for Terraform, backed by OPA
  • Fairwinds Insights - Run OPA policies consistently across CI/CD, Admission Control, and an multi-cluster scanner
  • Snyk IaC - Test Infrastructure as Code source code repositories for security misconfigurations and best practices. The OPA golang libraries are used to evaluate Rego policies to detect misconfigurations in the repositories.
  • Spacelift: Flexible management platform for Infrastructure as Code, backed by OPA
  • env0: Infrastructure as Code automation platform, with OPA extensibility.

Contributing

Built a great OPA integration or wrote an interesting blog or article on the topic? Submit a PR!

About

A curated list of OPA related tools, frameworks and articles

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published