Rego is the declarative policy language used by Open Policy Agent (OPA) for writing and enforcing policies across cloud-native stacks, featuring data-driven rules, comprehensions, and 200+ built-in functions for infrastructure, security, and compliance automation.
Overall score: 97%
{
"context": "Evaluates whether the agent correctly implements a Terraform plan validation policy with input normalization for both raw Terraform and HCP Terraform, checking create and update actions but not delete, and using mock plan JSON in tests rather than running terraform commands.",
"type": "weighted_checklist",
"checklist": [
{
"name": "Input normalization with object.get",
"description": "The policy uses `object.get(input, \"plan\", input)` to normalize the input so it works with both raw Terraform and HCP Terraform/Enterprise structures",
"max_score": 20
},
{
"name": "Multi-value deny rule",
"description": "`deny` is defined as a multi-value set rule (using `deny contains msg if`) rather than a boolean",
"max_score": 10
},
{
"name": "Checks create and update actions",
"description": "Both the encryption and tagging rules check for \"create\" and \"update\" actions, not just one of them",
"max_score": 15
},
{
"name": "Does not check delete actions",
"description": "Neither rule includes \"delete\" in the set of checked actions",
"max_score": 10
},
{
"name": "S3 encryption check",
"description": "The policy denies `aws_s3_bucket` resources missing `server_side_encryption_configuration` with a descriptive message",
"max_score": 15
},
{
"name": "Environment tag check",
"description": "The policy denies AWS resources missing the `Environment` tag in `change.after.tags` with a descriptive message",
"max_score": 15
},
{
"name": "Mock plan in tests",
"description": "Tests use mock plan JSON injected with `with input as { ... }` — no `terraform plan` or other Terraform CLI commands are used",
"max_score": 10
},
{
"name": "HCP Terraform input test",
"description": "At least one test validates the policy against the HCP Terraform input structure where the plan is nested under `input.plan`",
"max_score": 5
}
]
}
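Below is a policy and test file that satisfy every item on this checklist, written out here as an added example; it is not code from the original page or from any project the checklist grades. It assumes OPA 0.59 or later (for `import rego.v1`), the two file names given in the leading comments, the package names `terraform.validation` and `terraform.validation_test`, and a constructed mock plan embedded in the test file in place of any Terraform CLI output.

```rego
# --- terraform/validation.rego -------------------------------------------------
package terraform.validation

import rego.v1

# Raw `terraform show -json` output puts resource_changes at the top level;
# HCP Terraform / Terraform Enterprise nests the same document under input.plan.
plan := object.get(input, "plan", input)

# Only planned creates and updates are checked. Destroy-only changes are skipped:
# their `change.after` is null, so there is nothing to enforce on them.
checked_actions := {"create", "update"}

# Resource changes whose planned action set touches a checked action. A replace
# (["delete", "create"]) qualifies because it creates a new resource.
changed contains rc if {
	some rc in object.get(plan, "resource_changes", [])
	some action in rc.change.actions
	action in checked_actions
}

deny contains msg if {
	some rc in changed
	rc.type == "aws_s3_bucket"
	not has_sse(rc.change.after)
	msg := sprintf("%s: aws_s3_bucket must define server_side_encryption_configuration", [rc.address])
}

deny contains msg if {
	some rc in changed
	startswith(rc.type, "aws_")
	not has_environment_tag(rc.change.after)
	msg := sprintf("%s: AWS resource is missing the required Environment tag", [rc.address])
}

# An absent inline block is serialized as an empty list in plan JSON, so require
# a non-empty one rather than merely a present key.
has_sse(after) if count(after.server_side_encryption_configuration) > 0

# Undefined when `tags` is null or absent, the key is missing, or the value is "".
has_environment_tag(after) if after.tags.Environment != ""

# --- terraform/validation_test.rego --------------------------------------------
package terraform.validation_test

import rego.v1

import data.terraform.validation as policy

# Constructed mock of raw plan JSON (hypothetical; not produced by running
# terraform): an unencrypted, untagged bucket being created, a compliant bucket
# being updated, and a non-compliant bucket being destroyed.
raw_plan := {"format_version": "1.2", "resource_changes": [
	{"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {
		"actions": ["create"], "before": null,
		"after": {"bucket": "example-logs", "tags": null, "server_side_encryption_configuration": []},
	}},
	{"address": "aws_s3_bucket.data", "type": "aws_s3_bucket", "change": {
		"actions": ["update"],
		"after": {"bucket": "example-data", "tags": {"Environment": "prod"}, "server_side_encryption_configuration": [
			{"rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]},
		]},
	}},
	{"address": "aws_s3_bucket.old", "type": "aws_s3_bucket", "change": {
		"actions": ["delete"], "before": {"bucket": "example-old", "tags": null}, "after": null,
	}},
]}

# Raw Terraform layout: only the created bucket is denied, once per rule.
test_raw_plan_denies_only_the_created_bucket if {
	result := policy.deny with input as raw_plan
	count(result) == 2
	"aws_s3_bucket.logs: aws_s3_bucket must define server_side_encryption_configuration" in result
	"aws_s3_bucket.logs: AWS resource is missing the required Environment tag" in result
}

# A destroy-only change with a null `after` must not trip either rule.
test_delete_is_not_checked if {
	result := policy.deny with input as {"resource_changes": [raw_plan.resource_changes[2]]}
	count(result) == 0
}

# HCP Terraform / Terraform Enterprise layout: the same plan nested under input.plan.
test_hcp_terraform_input_is_normalized if {
	result := policy.deny with input as {"plan": raw_plan}
	count(result) == 2
}
```

Run `opa test -v terraform/` with both files in that directory; no Terraform binary is involved. Two caveats a practitioner should weigh before adopting the checks as written: AWS provider 4.0 deprecated the inline `server_side_encryption_configuration` block in favor of the separate `aws_s3_bucket_server_side_encryption_configuration` resource, so on current providers the encryption rule should also accept a matching resource of that type in the plan; and tags inherited from provider `default_tags` appear in `change.after.tags_all`, not `tags`, so the tag rule above will deny resources whose `Environment` comes only from the provider default.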