# Enforce Policy-as-Code with OPA

Security teams need repeatable policy checks across Kubernetes, infrastructure, and compliance workflows. This skill provides OPA and Rego guidance, templates, and CI examples for consistent validation.

## Install

```bash
npx skillstore add agentsecops/policy-opa
```

## Metadata

- Slug: agentsecops-policy-opa
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/compliance/policy-opa
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: external_commands, network
- Quality score: 50
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-policy-opa
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-policy-opa/manifest

## Capabilities

- Guides Rego policy creation for Kubernetes admission control and workload security.
- Provides templates for SOC2, PCI-DSS, GDPR, and Terraform security checks.
- Shows GitHub Actions and GitLab CI examples for OPA tests and policy evaluation.
- Explains Gatekeeper constraint templates and example constraints for cluster enforcement.
- Documents common Rego patterns for deny rules, allow rules, labels, and secret detection.
- Maps policy examples to compliance controls and remediation guidance.

## Use Cases

- Validate Kubernetes Deployments: Create OPA or Gatekeeper policies that block privileged containers, host namespaces, unsafe capabilities, and missing security context settings.
- Check Terraform Plans Before Apply: Review Terraform plan JSON for public databases, open security groups, missing encryption, wildcard IAM permissions, and weak backup settings.
- Map Controls to Compliance Evidence: Use SOC2, PCI-DSS, and GDPR policy examples to connect technical checks with control names, severity, and remediation messages.
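As an added illustration of the Kubernetes use case above (example code, not one of the skill's bundled templates), the following Rego policy covers the four checks listed: privileged containers, host namespaces, unsafe capabilities, and missing security context settings. It assumes `input` is a single Pod manifest, as when running `opa eval -i pod.yaml`; the capability set and the package name are illustrative choices.

```rego
package kubernetes.admission.podsecurity

import rego.v1

# Added example, not part of the skill's templates. `input` is assumed to be
# a Pod manifest (the object an admission webhook would hand to OPA).

# Both regular and init containers are in scope for every check.
containers contains c if some c in input.spec.containers
containers contains c if some c in input.spec.initContainers

deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("container %q must not run privileged", [c.name])
}

deny contains msg if {
	some field in {"hostPID", "hostIPC", "hostNetwork"}
	input.spec[field] == true
	msg := sprintf("pod must not set spec.%s: true", [field])
}

# Illustrative set of capabilities that grant host-level control.
unsafe_caps := {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "ALL"}

deny contains msg if {
	some c in containers
	some cap in c.securityContext.capabilities.add
	cap in unsafe_caps
	msg := sprintf("container %q adds unsafe capability %s", [c.name, cap])
}

# An absent field is undefined, so `not ... == true` also fires when the
# securityContext block is missing entirely.
deny contains msg if {
	some c in containers
	not c.securityContext.runAsNonRoot == true
	msg := sprintf("container %q must set securityContext.runAsNonRoot: true", [c.name])
}

deny contains msg if {
	some c in containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("container %q must set allowPrivilegeEscalation: false", [c.name])
}
```

Evaluate it against a manifest with `opa eval -i pod.yaml -d policy.rego "data.kubernetes.admission.podsecurity.deny"`; an empty set means the Pod passes, which is the audit-mode result to check before wiring the package into blocking admission control.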

## Prompt Templates

### Create a Basic OPA Policy

```
Create an OPA Rego policy that denies Kubernetes Pods running privileged containers. Include a short explanation and one positive test case.
```

### Review a Kubernetes Manifest

```
Review this Kubernetes manifest against the bundled pod security guidance. List policy violations, severity, and practical remediation steps.
```

### Build Terraform Security Checks

```
Write OPA policies for this Terraform plan to detect public RDS instances, SSH open to the internet, and unencrypted S3 buckets.
```

### Design a Compliance Policy Set

```
Design an OPA policy structure for SOC2 and PCI-DSS evidence collection. Include packages, control mapping, test strategy, and CI rollout guidance.
```

## Limitations

- Policies are templates and require validation against each environment before enforcement.
- The referenced helper scripts are described but not present in the scanned file tree.
- Compliance mappings support engineering checks but do not replace audit or legal review.
- CI examples require installed tools such as OPA, Terraform, jq, yq, Docker, or kubectl.

## Best Practices

- Test every Rego rule with allowed and denied examples before enabling enforcement.
- Pin CI tool versions and verify downloaded binaries before running policy checks.
- Start with audit mode, review violations, then move high-confidence policies to blocking mode.

## Anti Patterns

- Do not copy CI examples into production pipelines without reviewing permissions and network downloads.
- Do not embed secrets, tokens, or raw sensitive Terraform plan values in policies or logs.
- Do not treat generic compliance templates as proof of compliance without local control validation.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T05:51:28.003+00:00
- Summary: Static analysis reported many high-severity patterns, but review found no prompt injection, malware behavior, or credential exfiltration. Most hits are false positives from Rego policy examples, compliance terms, public reference URLs, and defensive security vocabulary. The skill is medium risk because CI examples run shell commands and download OPA over the network, which users should review before copying into pipelines.

## Stats

- Views: 489
- Downloads: 7
- Favorites: 0
- Popularity score: 0
