
Governance & Policy as Code: My DevSecOps Operating System

πŸ” DevSecOps Governance Tools Comparison

As a DevSecOps practitioner, it’s critical to choose the right Policy-as-Code tool based on your stack and use case. Below is a comparison of 5 key tools used to enforce governance across CI/CD pipelines, Infrastructure as Code, and Kubernetes.


📊 Tool Overview Table

| Tool | Ecosystem Fit | Policy Language | Best For | Realtime Enforcement | Difficulty |
|---|---|---|---|---|---|
| OPA | Cloud-native (K8s, Terraform) | Rego | Generic policy engine, APIs, Terraform | ✅ Yes (via Gatekeeper) | ⚙️ Medium |
| Sentinel | HashiCorp Stack | Sentinel (HCL-like) | Terraform Enterprise, Vault, Consul | ✅ Yes | ⚙️ Medium |
| Checkov | Terraform, CloudFormation | YAML + Python | IaC static security checks | ❌ No (pre-apply only) | 🟢 Easy |
| Conftest | YAML, JSON, Dockerfiles, etc. | Rego (OPA) | CI/CD config validation | ❌ No (CI only) | ⚙️ Medium |
| Kyverno | Kubernetes-native | Declarative YAML | Kubernetes admission policies | ✅ Yes | 🟢 Easy |

🛠 Real-World Use Cases

✅ OPA (Open Policy Agent)

  • Enforce no unencrypted S3 buckets in Terraform
  • Block Kubernetes pods from running as root (via Gatekeeper)
  • Apply policies on custom APIs (Envoy/NGINX integration)
```rego
package k8srootcontainers

# Disallow root containers in Kubernetes.
# Gatekeeper wraps the admission request, so the pod is under input.review.object.
# A pod with runAsNonRoot unset can still run as root, so `not ... == true`
# catches both an explicit false and the missing field.
violation[{"msg": msg}] {
  not input.review.object.spec.securityContext.runAsNonRoot == true
  msg := "Containers must not run as root"
}
```

✅ Sentinel

  • Block Terraform plans that don’t tag resources
  • Ensure Vault secrets are scoped properly
  • Enforce job-level access policies in Nomad
```sentinel
# Enforce tagging policy: every resource that remains after the plan must carry an "env" tag
import "tfplan/v2" as tfplan
managed = filter tfplan.resource_changes as _, rc { rc.change.actions is not ["delete"] }
main = rule { all managed as _, rc { "env" in keys(rc.change.after.tags else {}) } }
```

✅ Checkov

  • Scan Terraform for open security groups
  • Ensure RDS has backup retention
  • Detect hardcoded secrets
```yaml
# Checkov finding example (abbreviated; `checkov -d . -o json` prints the full record)
check: CKV_AWS_24
message: Ensure no open security group to 0.0.0.0/0
```

✅ Conftest

  • Enforce variables in Ansible playbooks
  • Validate GitHub Actions workflows
  • Run pre-merge config checks in CI
```rego
# Conftest loads rules from package main by default
package main

# Required env variable must exist
deny[msg] {
  not input.env
  msg := "Missing required env key"
}
```
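As an added example that is not part of the original post, here is a Conftest policy for the "Validate GitHub Actions workflows" use case above: it requires third-party actions to be pinned to a commit SHA and the workflow to declare a top-level `permissions` block. The `policy/` directory, the rule names and the sample workflow are assumptions constructed for this example.

```rego
package main

import rego.v1

# Conftest checks for a GitHub Actions workflow; `input` is the parsed YAML document.
# Run: conftest test .github/workflows/ci.yml -p policy/
# 1. Every third-party action must be pinned to a full 40-hex commit SHA rather than a
#    mutable tag or branch, so a moved tag cannot silently change what the job executes.
#    Local actions ("./.github/actions/x") contain no "@" and are skipped.
deny contains msg if {
	some job_name, job in input.jobs
	some step in job.steps
	parts := split(step.uses, "@")
	count(parts) == 2
	not regex.match(`^[0-9a-f]{40}$`, parts[1])
	msg := sprintf("job %q: %q is not pinned to a commit SHA", [job_name, step.uses])
}

# 2. A top-level `permissions` block must exist so the GITHUB_TOKEN gets an explicit
#    least-privilege scope instead of the repository default.
deny contains msg if {
	not input.permissions
	msg := "workflow must declare a top-level `permissions` block"
}

# 3. Declared but maximal scope is worth a warning rather than a hard failure.
warn contains msg if {
	input.permissions == "write-all"
	msg := "top-level `permissions: write-all` grants every scope; narrow it to what the jobs need"
}

# Constructed sample workflow and unit tests; `conftest verify -p policy/` runs rules named test_*.
sample_workflow := {
	"permissions": {"contents": "read"},
	"jobs": {"build": {"steps": [
		{"uses": "actions/checkout@v4"},
		{"uses": "actions/setup-go@0123456789abcdef0123456789abcdef01234567"},
		{"run": "go test ./..."},
	]}},
}

test_tag_pinned_step_is_the_only_denial if {
	deny == {`job "build": "actions/checkout@v4" is not pinned to a commit SHA`} with input as sample_workflow
}

test_missing_permissions_is_denied if {
	wf := object.remove(sample_workflow, ["permissions"])
	"workflow must declare a top-level `permissions` block" in deny with input as wf
}
```

The `import rego.v1` line keeps the file valid on both pre-1.0 and 1.0 OPA builds bundled with Conftest.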

✅ Kyverno

  • Block use of latest image tag
  • Auto-label all pods with team info
  • Enforce CPU/memory limits
```yaml
# Block latest tag in image (an untagged image also resolves to latest, which this pattern does not catch)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  validationFailureAction: Enforce   # Audit would only report, not block
  rules:
  - name: validate-image-tag
    match: {any: [{resources: {kinds: [Pod]}}]}
    validate:                        # the rule key is `validate`, not `validation`
      message: "Avoid using latest tag"
      pattern:
        spec:
          containers:
          - image: "!*:latest"
```

🧠 Summary: How to Choose

| Scenario | Start With |
|---|---|
| General-purpose policies | OPA |
| You use Terraform Enterprise | Sentinel |
| Quick IaC scan before deploying | Checkov |
| Need portable CI/CD policy checks | Conftest |
| Kubernetes native enforcement | Kyverno |

🔗 Explore More

Thanks for reading. May your pipelines be green, your infra be tagged, and your security posture be strong!

🔗 Explore my other blogs at opsbygandal.dev
Check out the GitHub repo: https://github.com/gandalops/portfolio-chirpy
🔄 Let’s connect on LinkedIn


This post is licensed under CC BY 4.0 by the author.