Rego is the declarative policy language used by Open Policy Agent (OPA) for writing and enforcing policies across cloud-native stacks, featuring data-driven rules, comprehensions, and 200+ built-in functions for infrastructure, security, and compliance automation.
{
"context": "Evaluates whether the agent correctly implements a Kubernetes admission control policy using multi-value deny rules and mock input in tests, rather than a boolean allow/deny pattern.",
"type": "weighted_checklist",
"checklist": [
{
"name": "Correct package name",
"description": "The policy file uses `package kubernetes.admission`",
"max_score": 5
},
{
"name": "Multi-value deny rule",
"description": "`deny` is defined as a multi-value set rule (using `deny contains msg if`) rather than a boolean",
"max_score": 15
},
{
"name": "Approved registry check",
"description": "The policy denies every container in the pod spec whose `image` does not start with the prefix `registry.company.com/` (trailing slash included, so look-alike hosts such as `registry.company.com.evil.example` are rejected) and produces a descriptive message naming the offending image",
"max_score": 20
},
{
"name": "Non-root check",
"description": "The policy denies containers where `securityContext.runAsNonRoot` is absent or not `true` (an unset field must be treated as a violation, not only an explicit `false`) and produces a descriptive message",
"max_score": 20
},
{
"name": "Resource limits check",
"description": "The policy denies containers whose `resources.limits` is missing either `cpu` or `memory` (both limits must be set; an absent `resources` or `limits` object also counts as a violation) and produces a descriptive message",
"max_score": 15
},
{
"name": "Test for compliant pod",
"description": "A test verifies that a fully compliant pod produces an empty `deny` set",
"max_score": 10
},
{
"name": "Tests for non-compliant pods",
"description": "Tests verify that pods violating each individual rule produce the expected denial message",
"max_score": 10
},
{
"name": "Tests use with keyword",
"description": "Tests inject mock Kubernetes objects using `with input as { ... }` rather than relying on real cluster data",
"max_score": 5
}
]
}