Name: nicholasjackson/opa-rego-language
Rating: 0.99 (1 reviews)
Author: nicholasjackson

nicholasjackson/opa-rego-language

Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.

1.19x

Quality

Pending

Does it follow best practices?

Impact

99%

1.19x

Average score across 31 eval scenarios

Securityby

Pending

The risk profile of this skill

Overview

Eval results

Files

Evaluation results

100%

Access Control: Common Testing Pattern

Criteria

Without context

With context

_test.rego filename suffix

100%

test_ function prefix

100%

positive and negative test cases

100%

tests pass

100%

25%

HTTP API: Common Testing Pattern

Criteria

Without context

With context

_test.rego filename suffix

100%

test_ function prefix

100%

positive and negative test cases

100%

tests pass

100%

Kubernetes: Common Testing Pattern

Criteria

Without context

With context

_test.rego filename suffix

100%

test_ function prefix

100%

positive and negative test cases

100%

tests pass

100%

Access Control: RBAC Policy

Criteria

Without context

With context

import rego.v1

100%

default allow := false

100%

Reads roles from JWT claims

100%

Reads role grants from data

100%

Nested iteration with some

100%

Permission match on action and resource_type

100%

Tests pass

100%

98%

Access Control: Separation of Duty

Criteria

Without context

With context

import rego.v1

100%

Partial set rule for violations

100%

Iterates over conflicting pairs with array-of-arrays membership

85%

100%

Reads user roles from data

100%

Tests pass

100%

86%

100%

HTTP API: Authorization Policy

Criteria

Without context

With context

import rego.v1

100%

default allow := false

100%

JWT decoded with io.jwt.decode

100%

Matches on input.method and input.path

100%

Allow self and manager access

100%

Tests pass

100%

10%

HTTP API: Request Body Field Validation

Criteria

Without context

With context

import rego.v1

100%

Set subtraction to detect unknown fields

75%

100%

Checks for required fields

100%

Tests pass

100%

Kubernetes: Admission Policy (kube-mgmt)

Criteria

Without context

With context

deny contains msg pattern

100%

Checks input.request.kind.kind

100%

Deny rule for privileged containers

100%

Tests pass

83%

100%

97%

-3%

Kubernetes: Gatekeeper Policy

Criteria

Without context

With context

violation contains msg pattern

100%

Uses input.review.object

100%

Uses input.parameters for required labels

100%

Tests pass

100%

76%

100%

Metadata: Policy Annotations

Criteria

Without context

With context

package has METADATA block with title and description

100%

package has authors or organizations

100%

decision rules have METADATA with title and description

100%

decision rules have entrypoint: true

100%

rules have custom fields

100%

Tests pass

100%

98%

Metadata: Runtime Annotation Access

Criteria

Without context

With context

import rego.v1

100%

METADATA block with custom.severity

100%

Uses rego.metadata.rule() at runtime

100%

Violation is a structured object with severity

100%

Tests pass

80%

100%

15%

Terraform: CloudFormation Hook — S3 Bucket Access Control

Criteria

Without context

With context

main response object

100%

Uppercase action strings and CloudFormation input structure

100%

Helper rules for conditions

100%

Three deny rules covering AccessControl and both BlockPublic settings

100%

Tests pass

100%

Terraform: Common Patterns

Criteria

Without context

With context

import rego.v1

100%

object.get input normalization

100%

Tests pass

100%

98%

-2%

Terraform: Common Testing Pattern

Criteria

Without context

With context

_test.rego filename suffix

100%

mocks Terraform plan input with `with input as`

100%

includes both positive and negative test cases

100%

tests pass

100%

92%

95%

30%

Terraform: Module Security Group Validation

Criteria

Without context

With context

Uses walk() built-in

100%

Collects resources from all modules

60%

100%

Deny rule for HTTP in description

100%

Tests pass

80%

100%

Terraform: Multi-Region Deployment Policies

Criteria

Without context

With context

Provider region check via configuration path

100%

EU data residency deny rule

100%

has_replication helper with multiple function heads

85%

100%

Tests pass

100%

48%

Terraform: Required Tags Enforcement

Criteria

Without context

With context

action != delete exclusion pattern

21%

100%

supports_tags helper

58%

100%

Safe tag access with object.get

17%

100%

Deny for missing and empty tags

50%

100%

Tests pass

100%

Terraform: S3 Bucket Encryption

Criteria

Without context

With context

Deny on aws_s3_bucket without inline encryption

100%

Deny on separate encryption resource with invalid algorithm

100%

Helper function for algorithm validation

47%

100%

Tests pass

100%

18%

Terraform: S3 Bucket Versioning

Criteria

Without context

With context

Checks create and update actions

100%

Deny on aws_s3_bucket without versioning enabled

100%

Deny on separate versioning resource with wrong status

58%

100%

Tests pass

80%

100%

65%

HTTP API: Rate Limiting with Per-User Limits

Criteria

Without context

With context

import rego.v1

100%

Default rule value for fallback limit

100%

Per-tier limit lookup

100%

Tests pass

100%

Regal: Annotations — RBAC Authorization Policy

Criteria

Without context

With context

Package-level metadata annotation

100%

`allow` rule annotated with `entrypoint: true`

100%

No blank lines between metadata and rule

100%

Tests pass

80%

100%

95%

Regal: Boolean Structure — Pod Security Policy

Criteria

Without context

With context

Incremental violations set using `contains`

100%

Boolean allow rule referencing violations

100%

Checks for privileged and missing limits

100%

Tests pass

80%

98%

23%

Regal: Bug Avoidance — Namespace Policy Validation

Criteria

Without context

With context

Uses `in` for membership check (not `!=` in a loop)

100%

sprintf argument count matches format string

100%

Checks for restricted name and missing annotation

100%

Tests pass

92%

97%

14%

Regal: Comprehensions — Tag Compliance Policy

Criteria

Without context

With context

Uses `object.keys()` for provided tags

100%

Set subtraction for missing tags

100%

deny contains msg with sprintf

53%

100%

Tests pass

60%

88%

97%

-3%

Regal: Default Rules — Tiered Rate Limit Values

Criteria

Without context

With context

default declaration at the top

100%

Conditional overrides for each tier

100%

No else branches for fallback

100%

Tests pass

100%

88%

100%

Regal: Function Style — Container Security Validation

Criteria

Without context

With context

Helper functions take explicit container argument

100%

Separate helpers for privileged and resource limit checks

100%

deny contains msg pattern with container name

100%

Tests pass

92%

100%

10%

Regal: Import Conventions — JWT Authorization with Helper Library

Criteria

Without context

With context

Imports the package, not individual rules

100%

No redundant aliases

100%

All imports before rules

100%

Tests pass

60%

100%

Regal: Iteration Style — Container Image Registry Validation

Criteria

Without context

With context

Uses `some ... in` for iteration

100%

Checks each container image against approved registry

100%

deny contains msg pattern

100%

Tests pass

100%

98%

-2%

Regal: Membership Operators — Department-Based Access Control

Criteria

Without context

With context

Uses `in` operator for membership check

100%

Looks up allowed departments from data

100%

import rego.v1 and default allow := false

100%

Tests pass

100%

92%

100%

Regal: Naming Conventions — RBAC Policy

Criteria

Without context

With context

snake_case for all identifiers

100%

No get_ or list_ prefix on rule names

100%

No package path repetition in rule names

100%

Tests pass

100%

Regal: Testing Style — Authorization Policy with Tests

Criteria

Without context

With context

Test file named `authz_test.rego` with `_test` package suffix

100%

Policy package imported and rules referenced via alias

100%

Unique descriptive test names

100%

Tests pass

100%

Evaluated: about 15 hours ago
Agent: Claude Code
Model: Claude Sonnet 4.6

Table of Contents

Access Control: Common Testing Pattern HTTP API: Common Testing Pattern Kubernetes: Common Testing Pattern Access Control: RBAC Policy Access Control: Separation of Duty HTTP API: Authorization Policy HTTP API: Request Body Field Validation Kubernetes: Admission Policy (kube-mgmt)Kubernetes: Gatekeeper Policy Metadata: Policy Annotations Metadata: Runtime Annotation Access Terraform: CloudFormation Hook — S3 Bucket Access Control Terraform: Common Patterns Terraform: Common Testing Pattern Terraform: Module Security Group Validation Terraform: Multi-Region Deployment Policies Terraform: Required Tags Enforcement Terraform: S3 Bucket Encryption Terraform: S3 Bucket Versioning HTTP API: Rate Limiting with Per-User Limits Regal: Annotations — RBAC Authorization Policy Regal: Boolean Structure — Pod Security Policy Regal: Bug Avoidance — Namespace Policy Validation Regal: Comprehensions — Tag Compliance Policy Regal: Default Rules — Tiered Rate Limit Values Regal: Function Style — Container Security Validation Regal: Import Conventions — JWT Authorization with Helper Library Regal: Iteration Style — Container Image Registry Validation Regal: Membership Operators — Department-Based Access Control Regal: Naming Conventions — RBAC Policy Regal: Testing Style — Authorization Policy with Tests