checkov VS OPA (Open Policy Agent)

Checkov https://www.checkov.io A static analysis tool to scan infrastructure code for misconfigs, secrets, and best practice violations.

PR #6647

Checkov infrastructure-as-code misconfig detection

Link do repo

Link: https://github.com/bridgecrewio/checkov

Checkov: static analysis for IaC

Prior to deploying kubernetes manifest files to EKS Cluster, supplementary steps need to be added to prevent security and misconfiguration issue by using both *Checkov *and Trivy . Also, we will use seperate ArgoCD account from admin user that we’ve used in the previous lab. This will follow ArgoCD RBAC rule to secure ArgoCD and EKS cluster ultimately.

The workflow also includes a step for infrastructure code scan to scan Terraform code. This uses Checkov action against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.

1. Checkov: https://github.com/bridgecrewio/checkov Checkov is a static code analysis tool that helps developers prevent cloud misconfigurations during the development phase by scanning Terraform, CloudFormation, Kubernetes, and more.

Checkov Owner/Maintainer: Prisma Cloud by Palo Alto Networks (acquired in 2021) Age: First released on GitHub on March 31st, 2021 License: Apache License 2.0

OPA (Open Policy Agent) https://www.openpolicyagent.org Add policy checks and guardrails to your Terraform/OpenTofu plans without hardcoding rules.

The only production experience I have with logic programming is OPA Rego for writing security policies (not sure it's a "pure" logic language but feels like the primary paradigm).

I found it pretty interesting for that use case, although the learning curve isn't trivial for traditional devs.

https://www.openpolicyagent.org/

Policy-as-code is one of those things that everyone knows should be done, but in practice is rarely implemented.

We believe this is caused by the combination of the following 2 factors:

- OPA [1] and tools like cloud custodian [2] are cumbersome to set up, so writing even a single policy/ setting it up in your organisation takes a lot of effort.

- Each policy project needs to start from scratch because policies aren't re-usable

Infrabase checks your infra with an LLM instead of policies directly (currently a combination of gemini-2.5-pro-preview-05-06 and o4-mini). You can write your own policies as natural language [3] prompts to customize behaviour.

This is still early: non-determinism and latency are open problems. But for most teams, “some guard-rails today” beats “perfect rego never”, and llm's are only getting better.

We'd love your feedback on it!

[1] OPA: https://github.com/open-policy-agent/opa

Security at scale: Automate secrets management with Vault, enforce policies using OPA.

OPA (Open Policy Agent) Policy-as-code framework to enforce infra rules

Policy-as-code with tools like OPA

Perfect for bundling extensive resources like opa policies

External Authorization System Using Policy engines like SpiceDB, OpenFGA, ORY Keto, OpenPolicy Agent (OPA), let you put your ReBAC rules in an external system and reference them from your queries. The main benefit you get from the centralized relationships model is it makes it possible to manage authorization centrally. This means that development teams can create new applications and add new relationships without needing to update any application code.

Going multicloud and multi-cluster can make it harder to maintain continual oversight of your security posture. Different clouds and cluster distributions may have their own security defaults and policy engines, so you need a mechanism that permits you to centrally roll out new configurations and compliance controls. Standardizing on a well-supported policy model such as Open Policy Agent (OPA) will make it easier to apply consistent settings to all your environments.

Open Policy Agent is an open-source policy engine recently graduated by the Cloud Native Computing Foundation (CNCF). Developed by the community and maintained by Styra, the OPA project aims to offer a unified framework to define, manage, and enforce policies through policies-as-code (PaC) across the technology stack layers of cloud-native applications.