policy-as-code
Policy as Code
Express infrastructure and Kubernetes guardrails as versioned, testable code and enforce them automatically in CI and at admission time, instead of relying on review checklists.
Open Policy Agent (OPA)

Rego policies are evaluated against a JSON document. The rule below expects the shape conftest's HCL2 parser produces for `.tf` files (`input.resource.<type>.<name>`), so run it with `conftest test --namespace terraform.s3 main.tf`. A canned ACL is only one way a bucket becomes public; pair this rule with a check that every bucket has an `aws_s3_bucket_public_access_block`.

```rego
# deny_public_buckets.rego
package terraform.s3

import rego.v1

# Both canned ACLs that grant anonymous read access
public_acls := {"public-read", "public-read-write"}

deny contains msg if {
	resource := input.resource.aws_s3_bucket[name]
	resource.acl in public_acls
	msg := sprintf("S3 bucket '%s' has public ACL", [name])
}
```
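Policies are code, so they get unit tests. The file below is an added example (not from the original page) that exercises the `deny` rule above with `opa test`; the three inputs are constructed to mimic what conftest's HCL2 parser emits, and the bucket name `logs` is arbitrary.

```rego
# deny_public_buckets_test.rego  (added example, not part of the original page)
# Run from the policy directory:  opa test -v .   (conftest verify runs the same test_ rules)
package terraform.s3

import rego.v1

# Constructed inputs in the shape conftest's HCL2 parser produces for a .tf file
public_bucket := {"resource": {"aws_s3_bucket": {"logs": {"acl": "public-read"}}}}

private_bucket := {"resource": {"aws_s3_bucket": {"logs": {"acl": "private"}}}}

no_acl_bucket := {"resource": {"aws_s3_bucket": {"logs": {"bucket": "acme-logs"}}}}

# A public canned ACL must produce exactly the message the rule promises
test_public_acl_is_denied if {
	deny["S3 bucket 'logs' has public ACL"] with input as public_bucket
}

# A private ACL must not be flagged
test_private_acl_is_allowed if {
	count(deny) == 0 with input as private_bucket
}

# A bucket with no acl attribute at all must not be flagged (and must not error)
test_missing_acl_is_allowed if {
	count(deny) == 0 with input as no_acl_bucket
}
```

Run `opa test` as a CI step of the policy repository itself, so a broken rule fails the policy pull request rather than silently passing every downstream Terraform change.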
Kyverno (Kubernetes)

Kyverno evaluates policies as a Kubernetes admission controller. Roll a new policy out with `validationFailureAction: Audit` (violations are written to PolicyReports but the request is admitted) and switch to `Enforce` once the reports are clean. Matching on `Pod` also auto-generates rules for the controllers that create Pods (Deployment, StatefulSet, Job, ...), so the label is required on workloads, not only on bare Pods.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: Enforce   # use Audit during the warn phase of a rollout
  background: true                   # also report violations on pre-existing resources
  rules:
    - name: check-labels
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Label 'app' is required"
        pattern:
          metadata:
            labels:
              app: "?*"   # wildcard: any non-empty value
```
Checkov

```bash
# Scan Terraform with the built-in checks plus custom checks from a local directory
checkov -d . --framework terraform --external-checks-dir ./checks
```

A custom resource check subclasses `BaseResourceCheck`, declares its id, category and the resource types it applies to, and is instantiated at module level so Checkov's loader picks it up. `conf` maps each HCL attribute of the resource block to a list of values, so a key test only sees the legacy inline `server_side_encryption_configuration` block; with AWS provider v4+ encryption usually lives in a separate `aws_s3_bucket_server_side_encryption_configuration` resource, which a per-resource check cannot see (Checkov's built-in S3 encryption checks use a graph connection for that case).

```python
# checks/S3Encryption.py  (the check id below is a local, arbitrary name)
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck

class S3Encryption(BaseResourceCheck):
    def __init__(self):
        super().__init__(name="Ensure S3 bucket defines server-side encryption", id="CKV_CUSTOM_S3_1",
                         categories=[CheckCategories.ENCRYPTION], supported_resources=["aws_s3_bucket"])

    def scan_resource_conf(self, conf):
        # conf: {attribute_name: [value, ...]} for one aws_s3_bucket block
        return CheckResult.PASSED if "server_side_encryption_configuration" in conf else CheckResult.FAILED

check = S3Encryption()  # module-level instance required for Checkov to register the check
```
Best Practices
- Keep policies in version control next to the code they govern, and change them through the same pull-request review as any other code
- Test policies in CI with their own unit tests (`opa test`, `kyverno test`) so a broken or over-broad rule fails the policy change, not every downstream change
- Gradual rollout: start in warn/audit mode (conftest `warn` rules, Kyverno `Audit`), fix or explicitly except the existing violations, then switch to enforce
- Exception management: record exceptions as data in the policy repository with an owner, a reason and an expiry date, never as silent edits to the rule or `#checkov:skip` comments without review
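The two last practices, warn-before-enforce and time-boxed exceptions, can be implemented in the policy itself. The file below is an added example (not from the original page or the skill's repository) that extends the public-ACL rule for conftest, which treats `warn` rules as non-failing and `deny` rules as failing. The `policy-data.yaml` contents, the `enforcement.mode` key, the bucket name `public_site` and the ticket reference are all constructed for the example; load the data with `conftest test --namespace terraform.s3 --data policy-data.yaml main.tf`, and use this file instead of, not alongside, the simpler `deny` rule above (both live in the same package).

```rego
# s3_acl_rollout.rego  (added example, not part of the original page)
# policy-data.yaml (constructed; versioned alongside this policy):
#   enforcement:
#     mode: warn            # flip to "enforce" once CI is clean
#   exceptions:
#     - resource: aws_s3_bucket.public_site
#       reason: public static site, reviewed in SEC-123   # hypothetical ticket
#       expires: "2026-06-30"
package terraform.s3

import rego.v1

# Rollout phase, defaulting to warn when no data file is supplied
mode := object.get(data, ["enforcement", "mode"], "warn")

public_acls := {"public-read", "public-read-write"}

# Names of buckets declared with a public canned ACL
public_buckets contains name if {
	input.resource.aws_s3_bucket[name].acl in public_acls
}

# Exceptions expire at UTC midnight of the given date
expiry_ns(e) := time.parse_rfc3339_ns(concat("T", [e.expires, "00:00:00Z"]))

# An exception only suppresses a finding while it is unexpired
exception_active(name) if {
	some e in data.exceptions
	e.resource == sprintf("aws_s3_bucket.%s", [name])
	expiry_ns(e) > time.now_ns()
}

violations contains msg if {
	some name in public_buckets
	not exception_active(name)
	msg := sprintf("S3 bucket '%s' has public ACL", [name])
}

# Phase 1: findings are reported but the run succeeds
warn contains msg if {
	mode == "warn"
	some msg in violations
}

# Phase 2: the same findings fail the run
deny contains msg if {
	mode == "enforce"
	some msg in violations
}

# Expired exceptions are surfaced so they get renewed or removed, not forgotten
warn contains msg if {
	some e in data.exceptions
	expiry_ns(e) <= time.now_ns()
	msg := sprintf("exception for %s expired on %s", [e.resource, e.expires])
}
```

Because the mode and the exception list are data rather than rule edits, flipping from warn to enforce and granting or retiring an exception are both one-line reviewed changes in the policy repository, and `git log` on that file is the audit trail.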
Repository: bagelhole/devop…t-skills (GitHub). First seen: Feb 4, 2026.