Tool integration

Conftest Integration Guide

Test any config file against OPA Rego policies with SARIF output

Get a Free API Key

Integrate Conftest with Vulnetix. Write OPA Rego policies to enforce standards on Kubernetes, Terraform, Dockerfile, GitHub Actions, or any structured config format. Export test results as SARIF.

OPA Rego (YAML/JSON/HCL/INI/TOML)CLI toolSARIFJSON

Install & scan

$ # Homebrew (macOS/Linux)
brew install conftest

# Binary download
curl -L https://github.com/open-policy-agent/conftest/releases/latest/download/conftest_Linux_x86_64.tar.gz | tar xz
sudo mv conftest /usr/local/bin/
$ conftest test   --output sarif   --policy policy/   config.yaml   > conftest.sarif

Run Conftest in CI

Scan on every push and upload the results to Vulnetix:

- name: Install Conftest
  run: |
    curl -L https://github.com/open-policy-agent/conftest/releases/latest/download/conftest_Linux_x86_64.tar.gz | tar xz
    sudo mv conftest /usr/local/bin/

- name: Test configs with OPA policies
  run: conftest test --output sarif --policy policy/ k8s/ > conftest.sarif

- name: Upload to Vulnetix
  run: vulnetix upload --file conftest.sarif

How Vulnetix compares — better together

Vulnetix does not replace Conftest. Keep running it. Vulnetix sits on top of Conftest — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

Conftest is strongest at its core category and also carries features in Compliance & Policy Engines, Container & Image Scanning — just like Vulnetix spans categories.

CapabilityVulnetixConftest
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile~ Can parse and test Dockerfiles against Rego policies; no image-layer or CVE scanning
IaC / misconfigurationTerraform, k8s, CloudFormationCore: tests Terraform, Kubernetes and other IaC/config files against Rego policies for misconfiguration
Secret scanning1,000+ rules, source + binary + git history
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Conftest does well

Where Vulnetix adds to it: Conftest is a bring-your-own-policy Rego test runner — every rule is hand-authored and it has no built-in policy library, no vulnerability intelligence, and no prioritisation. Vulnetix ships native IaC/misconfig detection plus SAST, SCA, container, secrets, malware and cloud out of the box, then adds the cross-scanner dedup, exploit-intel, reachability and VEX layer Conftest lacks entirely. Vulnetix can ingest Conftest SARIF into its unified queue; it does not replace Conftest's role as a custom-policy gate.

No migration, no rip-and-replace. Conftest keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Conftest results in Vulnetix

Upload Conftest SARIF, JSON output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Conftest documentation ↗  ·  Source repository ↗

Wire Conftest into your CI/CD pipeline →