Integrate Conftest with Vulnetix. Write OPA Rego policies to enforce standards on Kubernetes, Terraform, Dockerfile, GitHub Actions, or any structured config format. Export test results as SARIF.
Install & scan
$ # Homebrew (macOS/Linux) brew install conftest # Binary download curl -L https://github.com/open-policy-agent/conftest/releases/latest/download/conftest_Linux_x86_64.tar.gz | tar xz sudo mv conftest /usr/local/bin/ $ conftest test --output sarif --policy policy/ config.yaml > conftest.sarif
Run Conftest in CI
Scan on every push and upload the results to Vulnetix:
- name: Install Conftest
run: |
curl -L https://github.com/open-policy-agent/conftest/releases/latest/download/conftest_Linux_x86_64.tar.gz | tar xz
sudo mv conftest /usr/local/bin/
- name: Test configs with OPA policies
run: conftest test --output sarif --policy policy/ k8s/ > conftest.sarif
- name: Upload to Vulnetix
run: vulnetix upload --file conftest.sarif
How Vulnetix compares — better together
Vulnetix does not replace Conftest. Keep running it. Vulnetix sits on top of Conftest — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
Conftest is strongest at its core category and also carries features in Compliance & Policy Engines, Container & Image Scanning — just like Vulnetix spans categories.
| Capability | Vulnetix | Conftest |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ~ Can parse and test Dockerfiles against Rego policies; no image-layer or CVE scanning |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✓ Core: tests Terraform, Kubernetes and other IaC/config files against Rego policies for misconfiguration |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✗ |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Conftest does well
- Format-agnostic: tests 19+ structured formats (Kubernetes YAML, Terraform HCL/plan JSON, Dockerfile, GitHub Actions, INI, TOML, XML, CUE) with one consistent workflow
- Powered by OPA Rego — arbitrarily expressive custom policies with deny/warn/violation rules, reusable across any config type
- Purpose-built for CI/CD gating with machine-readable output (JSON, TAP, JUnit, SARIF) and a policy-sharing model via OCI registries
- Lightweight single-binary CLI with no cluster or backend dependency
Where Vulnetix adds to it: Conftest is a bring-your-own-policy Rego test runner — every rule is hand-authored and it has no built-in policy library, no vulnerability intelligence, and no prioritisation. Vulnetix ships native IaC/misconfig detection plus SAST, SCA, container, secrets, malware and cloud out of the box, then adds the cross-scanner dedup, exploit-intel, reachability and VEX layer Conftest lacks entirely. Vulnetix can ingest Conftest SARIF into its unified queue; it does not replace Conftest's role as a custom-policy gate.
No migration, no rip-and-replace. Conftest keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Conftest results in Vulnetix
Upload Conftest SARIF, JSON output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.