conftest

General info

conftest is a client which helps you write tests against structured configuration data using the Rego language from Open Policy Agent.

Media type: application/vnd.cncf.openpolicyagent.config.v1+json

Client homepage: https://www.conftest.dev

Usage

Authentication

First, set the BB_USER environment variable to your Bundle Bar username:

BB_USER="<insert_username_here>"

Next, create a token in the Bundle Bar UI and copy it into your clipboard. Set it in the BB_TOKEN environment variable using one of the following commands:

 BB_TOKEN="<insert_token_here>"  # manual copy-paste
 BB_TOKEN="$(pbpaste)"           # with pbpaste
 BB_TOKEN="$(xclip -o)"          # with xclip

Note: the commands above are intentionally prefixed with a space so that they are not saved to your shell history. This behavior can be enabled in bash with export HISTCONTROL=ignoreboth.

conftest uses Docker's login system to access registries. Run the following command to log in to Bundle Bar using Docker:

echo "$BB_TOKEN" | docker login bundle.bar -u "$BB_USER" --password-stdin

Pushing

# 1. Create a policy directory
mkdir policy

# 2. Create the policy
cat > policy/deny.rego <<EOF
package main

# Compose file format version as a number, so the comparison below is numeric
version = to_number(input.version)

deny[msg] {
  endswith(input.services[_].image, ":latest")
  msg = "No images tagged latest"
}

deny[msg] {
  version < 3.5
  msg = "Must be using at least version 3.5 of the Compose file format"
}
EOF

# 3. Push the artifact
conftest push "bundle.bar/u/${BB_USER}/conftest/welcome:v1" policy

Pulling

# 1. Delete the local policy directory, so you can be sure it works
rm -rf policy

# 2. Pull the artifact
conftest pull "oci://bundle.bar/u/${BB_USER}/conftest/welcome:v1"

# 3. Check it out
ls policy

Installation

Official docs

Please see https://www.conftest.dev/install/.

Bundle Bar CDN

Bundle Bar provides a secure mirror of the latest version of conftest on the following platforms:

  • Mac x86-64
  • Linux x86-64

Release artifacts were downloaded from here and should have identical checksums.

Mac x86-64

Latest version

Version | Filename | SHA-256 checksum
0.20.0 | conftest_0.20.0_Darwin_x86_64.tar.gz | cf9f7c7153e4634409f1159178ea433e1524db43e754ae808cae63a7d1ebe32c

Install instructions

CONFTEST_VERSION="0.20.0"
CONFTEST_FILENAME="conftest_0.20.0_Darwin_x86_64.tar.gz"
CONFTEST_CHECKSUM="cf9f7c7153e4634409f1159178ea433e1524db43e754ae808cae63a7d1ebe32c"

# 1. Download the release artifact
curl -LO "https://cdn.bundle.bar/clients/conftest/${CONFTEST_VERSION}/${CONFTEST_FILENAME}"

# 2. Verify the checksum
shasum -a 256 "${CONFTEST_FILENAME}" | grep "^${CONFTEST_CHECKSUM} "

# 3. Extract the tarball
tar -xvf "${CONFTEST_FILENAME}"

# 4. Move binary into PATH
mv conftest /usr/local/bin

# 5. Verify install
conftest --help

Optional: Validate signatures

For additional security, the release artifact has been signed using Bundle Bar's GPG key. Prior to extracting the tarball (step 3 above), run the following commands to import our public key and validate the signature:

# 1. Import our public key (Fingerprint: 0E7F990287D5F5F7C1FCD2F165639A2346DC9F5D)
curl -sL "https://cdn.bundle.bar/keys/bundlebar-2020-08-18.pub" | gpg --import

# 2. Download the signature file
curl -LO "https://cdn.bundle.bar/clients/conftest/${CONFTEST_VERSION}/${CONFTEST_FILENAME}.asc"

# 3. Validate the signature
[[ $(gpg --verify --status-fd=1 "${CONFTEST_FILENAME}.asc" | \
    grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)') -ge 2 ]] || \
    (echo "ERROR: Failed to verify signature" && exit 1)

Linux x86-64

Latest version

Version | Filename | SHA-256 checksum
0.20.0 | conftest_0.20.0_Linux_x86_64.tar.gz | 6647697fd811daa3fcd0777654181b5ad4d7dda67dcab358a01fc821801bc0a1

Install instructions

CONFTEST_VERSION="0.20.0"
CONFTEST_FILENAME="conftest_0.20.0_Linux_x86_64.tar.gz"
CONFTEST_CHECKSUM="6647697fd811daa3fcd0777654181b5ad4d7dda67dcab358a01fc821801bc0a1"

# 1. Download the release artifact
curl -LO "https://cdn.bundle.bar/clients/conftest/${CONFTEST_VERSION}/${CONFTEST_FILENAME}"

# 2. Verify the checksum
shasum -a 256 "${CONFTEST_FILENAME}" | grep "^${CONFTEST_CHECKSUM} "

# 3. Extract the tarball
tar -xvf "${CONFTEST_FILENAME}"

# 4. Move binary into PATH
mv conftest /usr/local/bin

# 5. Verify install
conftest --help

Optional: Validate signatures

For additional security, the release artifact has been signed using Bundle Bar's GPG key. Prior to extracting the tarball (step 3 above), run the following commands to import our public key and validate the signature:

# 1. Import our public key (Fingerprint: 0E7F990287D5F5F7C1FCD2F165639A2346DC9F5D)
curl -sL "https://cdn.bundle.bar/keys/bundlebar-2020-08-18.pub" | gpg --import

# 2. Download the signature file
curl -LO "https://cdn.bundle.bar/clients/conftest/${CONFTEST_VERSION}/${CONFTEST_FILENAME}.asc"

# 3. Validate the signature
[[ $(gpg --verify --status-fd=1 "${CONFTEST_FILENAME}.asc" | \
    grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)') -ge 2 ]] || \
    (echo "ERROR: Failed to verify signature" && exit 1)
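
Added example, not part of the Bundle Bar instructions: the signature check in step 3 (in both the Mac and Linux sections) passes for a good signature from any key in the local keyring, so this sketch also requires the VALIDSIG status line to carry the fingerprint published in step 1. The function names and the sample status lines are constructed for illustration.

```bash
# Fingerprint published in step 1 of the signature instructions above.
EXPECTED_FPR="0E7F990287D5F5F7C1FCD2F165639A2346DC9F5D"

# Reads `gpg --verify --status-fd=1` output on stdin and succeeds only when
# a VALIDSIG line names the expected key (signing-key fingerprint in field 3,
# or primary-key fingerprint in the last field), a GOODSIG line is present,
# and no status line reports a bad, expired or revoked signature or key.
status_is_pinned() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# Hypothetical wrapper: verify_pinned <signature.asc> <artifact>
verify_pinned() {
    gpg --verify --status-fd=1 "$1" "$2" 2>/dev/null |
        status_is_pinned "$EXPECTED_FPR"
}

# Constructed status output (not captured from a real run):
# a good signature made by the pinned key.
sample_pinned_key() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 65639A2346DC9F5D Example Signer <signer@example.invalid>' \
        "[GNUPG:] VALIDSIG $EXPECTED_FPR 2020-08-18 1597708800 0 4 0 1 8 00 $EXPECTED_FPR"
}

# Constructed status output: a good signature, but from a different key
# that happens to be in the keyring. The count-based check accepts this.
sample_other_key() {
    other="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Other Key <other@example.invalid>' \
        "[GNUPG:] VALIDSIG $other 2020-08-18 1597708800 0 4 0 1 8 00 $other"
}
```

Run `verify_pinned "${CONFTEST_FILENAME}.asc" "${CONFTEST_FILENAME}" || echo "ERROR: signature not from pinned key"` before extracting the tarball.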