Policy as Code
Practice of defining security, compliance, and governance policies as versioned, executable code, automating their verification in CI/CD pipelines.
seed#policy-as-code#opa#sentinel#compliance#governance#automation
What it is
Policy as Code defines security, compliance, and governance rules as code versioned in Git and executed automatically. Instead of manual checklists, policies are verified programmatically.
Tools
| Tool | Use |
|---|---|
| OPA (Open Policy Agent) | General policies (K8s, APIs, Terraform) |
| HashiCorp Sentinel | Policies for Terraform Enterprise |
| AWS Config Rules | AWS compliance |
| Checkov | IaC scanning |
| Kyverno | Kubernetes-native policies |
Policy examples
- Every S3 bucket must have encryption enabled
- No security group can have port 22 open to the world
- All resources must have cost tags
- Container images must come from approved registries
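Two of the policies above (port 22 open to the world, required cost tags) written as OPA Rego rules over a Terraform plan in JSON form, as an added example that is not from the page or from the OPA project; the `aws_security_group` ingress and `tags` attribute shapes are assumed from the AWS provider, and the plan fragment in the test is constructed.

```rego
package terraform.guardrails
import rego.v1

# Added example, not from the page: two of the listed policies as OPA rules over
# `terraform show -json plan` output; aws_* attribute shapes assume the AWS provider.

required_tags := {"cost-center", "owner"}

# An ingress rule reaches SSH if it is "all traffic" (-1) or its port range covers 22.
covers_ssh(ingress) if ingress.protocol == "-1"
covers_ssh(ingress) if {
	ingress.from_port <= 22
	ingress.to_port >= 22
}

# Policy: no security group may have port 22 open to the world.
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "aws_security_group"
	rc.change.after != null # deletions have no "after" state to check
	some ingress in rc.change.after.ingress
	covers_ssh(ingress)
	some cidr in ingress.cidr_blocks
	cidr in {"0.0.0.0/0", "::/0"}
	msg := sprintf("%s: ingress %v-%v reaches SSH from %v", [rc.address, ingress.from_port, ingress.to_port, cidr])
}

# Policy: every resource that exists after apply carries the cost tags (null tags count as none).
deny contains msg if {
	some rc in input.resource_changes
	rc.change.after != null
	tags := object.get(rc.change.after, "tags", {})
	missing := required_tags - {k | tags[k]}
	count(missing) > 0
	msg := sprintf("%s: missing tags %s", [rc.address, concat(", ", sort(missing))])
}

# Constructed plan fragment; `opa test .` checks that each rule fires exactly once.
test_violations_are_reported if {
	deny == {
		"aws_security_group.bastion: ingress 0-1024 reaches SSH from 0.0.0.0/0",
		"aws_instance.app: missing tags cost-center",
	} with input as {"resource_changes": [
		{"address": "aws_security_group.bastion", "type": "aws_security_group", "change": {"after": {
			"tags": {"cost-center": "infra", "owner": "platform"},
			"ingress": [{"protocol": "tcp", "from_port": 0, "to_port": 1024, "cidr_blocks": ["0.0.0.0/0"]}],
		}}},
		{"address": "aws_instance.app", "type": "aws_instance", "change": {"after": {"tags": {"owner": "team-a"}}}},
	]}
}
```

In a pipeline the same rules run with `opa eval -i plan.json -d guardrails.rego "data.terraform.guardrails.deny"`, and a non-empty result fails the job before `terraform apply`.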
Benefits
- Automated and consistent compliance
- Early feedback (shift-left)
- Auditable (Git history)
- Scalable (same policies for all teams)
Why it matters
Manual policies don't scale. Policy as code allows defining, versioning, and automatically enforcing security, compliance, and governance rules. Every infrastructure change is validated against policies before being applied, closing the gap between intention and reality.
References
- Open Policy Agent — CNCF policy engine.
- OPA Documentation — OPA, 2024. Complete policy engine documentation.
- Kyverno — CNCF, 2024. Kubernetes-native policy engine.