What is compliance as code and how do tools like OPA enforce it in pipelines?
Answer
Compliance as code encodes regulatory requirements, security policies, and operational standards as machine-readable rules that are evaluated automatically in CI/CD pipelines, replacing manual compliance reviews with a gate that runs on every change. Open Policy Agent (OPA) is a general-purpose policy engine: it takes structured input (JSON), evaluates policies written in the Rego language against it, and returns a decision that the pipeline, an admission controller, or another enforcement point acts on.

In a CI/CD context this typically means: Terraform plans (exported as JSON with terraform show -json) are evaluated against OPA policies before apply, for example "all S3 buckets must have server-side encryption enabled" or "no security group may allow 0.0.0.0/0 on port 22"; Kubernetes manifests are validated by OPA/Gatekeeper, which runs OPA as an admission controller and rejects non-compliant objects at the API server, so the check also catches objects created outside the pipeline; container images must pass image-scanning policies, for instance by feeding the scanner's report to OPA as input. Checkov provides pre-built rules for Terraform, CloudFormation, and Kubernetes mapped to CIS benchmarks, PCI-DSS, HIPAA, and SOC 2.

Compliance as code provides continuous compliance rather than periodic audits, gives developers immediate feedback on policy violations in the pull request, and produces an auditable record that the policies were evaluated on every change. Two practical caveats: policies are code and need their own tests (OPA ships a unit-test runner, opa test), and the check must run at an enforcement point the developer cannot skip (the pipeline job or the admission controller), not only as a local pre-commit hook.
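The two Terraform-plan policies named above, written out as an added example (this is not code from the page or from the OPA project). It assumes the plan JSON shape produced by terraform show -json (resource_changes, change.actions, change.after), the AWS provider v4+ resource names (aws_s3_bucket_server_side_encryption_configuration as a separate resource), and OPA 0.59 or newer for import rego.v1. The package name, the message strings, and the two plan fragments used by the unit tests are constructed for the example.

```rego
package terraform.plan

import rego.v1

# Input is the JSON from `terraform show -json plan.out`. Only resources being
# created or updated are checked; a deletion has no "after" state to review.
active contains rc if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# ---- Rule 1: no security group may admit 0.0.0.0/0 on port 22 ----

# Inline ingress blocks on aws_security_group.
deny contains msg if {
	some rc in active
	rc.type == "aws_security_group"
	some ing in rc.change.after.ingress
	open_ssh(ing)
	msg := sprintf("%s: ingress rule opens port 22 to 0.0.0.0/0", [rc.address])
}

# Standalone aws_security_group_rule resources.
deny contains msg if {
	some rc in active
	rc.type == "aws_security_group_rule"
	rc.change.after.type == "ingress"
	open_ssh(rc.change.after)
	msg := sprintf("%s: ingress rule opens port 22 to 0.0.0.0/0", [rc.address])
}

open_ssh(r) if {
	r.cidr_blocks[_] == "0.0.0.0/0" # undefined, i.e. no match, when cidr_blocks is null
	covers_22(r)
}

covers_22(r) if {
	r.from_port <= 22
	r.to_port >= 22
}

# Protocol "-1" means every port; Terraform records from_port/to_port as 0.
covers_22(r) if r.protocol == "-1"

# ---- Rule 2: every S3 bucket must have server-side encryption ----
# Assumes the AWS provider v4+ layout, where encryption is a separate resource
# that names its bucket. A computed bucket name (bucket_prefix, or an unknown
# reference) is absent from change.after, so the lookup fails closed.
deny contains msg if {
	some rc in active
	rc.type == "aws_s3_bucket"
	name := object.get(rc.change.after, "bucket", "")
	not encrypted(name)
	msg := sprintf("%s: no server-side encryption configuration targets this bucket", [rc.address])
}

encrypted(name) if {
	some rc in active
	rc.type == "aws_s3_bucket_server_side_encryption_configuration"
	rc.change.after.bucket == name
	algo := rc.change.after.rule[_].apply_server_side_encryption_by_default[_].sse_algorithm
	algo in {"AES256", "aws:kms", "aws:kms:dsse"}
}

# ---- Unit tests: opa test policy.rego ----
# Constructed plan fragments, not the output of a real environment.

bad_plan := {"resource_changes": [
	{"address": "aws_security_group.bastion", "type": "aws_security_group", "change": {
		"actions": ["create"],
		"after": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
	}},
	{"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {
		"actions": ["create"],
		"after": {"bucket": "acme-logs"},
	}},
]}

good_plan := {"resource_changes": [
	{"address": "aws_security_group.bastion", "type": "aws_security_group", "change": {
		"actions": ["create"],
		"after": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]},
	}},
	{"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {
		"actions": ["create"],
		"after": {"bucket": "acme-logs"},
	}},
	{"address": "aws_s3_bucket_server_side_encryption_configuration.logs", "type": "aws_s3_bucket_server_side_encryption_configuration", "change": {
		"actions": ["create"],
		"after": {"bucket": "acme-logs", "rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]},
	}},
]}

test_open_ssh_and_plain_bucket_denied if {
	count(deny) == 2 with input as bad_plan
	"aws_s3_bucket.logs: no server-side encryption configuration targets this bucket" in deny with input as bad_plan
}

test_compliant_plan_allowed if {
	count(deny) == 0 with input as good_plan
}
```

In the pipeline the gate is the step between plan and apply: after terraform plan -out plan.out, run terraform show -json plan.out > plan.json and then opa eval --fail-defined -i plan.json -d policy.rego data.terraform.plan.deny; a non-empty deny set makes opa exit non-zero and the job fails with the messages above as the feedback to the developer. Note what the example deliberately does not cover: IPv6 rules (::/0 in ipv6_cidr_blocks) need a parallel clause, and the encryption check matches buckets by name, so a bucket whose name is only known at apply time is reported as a violation rather than silently passed. The same Rego is what an OPA/Gatekeeper ConstraintTemplate carries, with a Kubernetes AdmissionReview object as input instead of a Terraform plan.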