You can configure Digger to use Conftest to check your Terraform plan output against Open Policy Agent policies.
The Conftest binary needs to be installed in your CI pipeline (see the Conftest Docs).
OPA policies (rego files) live under the /policies directory in your repo.
Example assumes the terraform is in the
Don't forget to update the json file name in the run step as well if your directory is named differently.
```yaml
projects:
  - name: prod
    dir: prod
    workflow: my_custom_workflow

workflows:
  my_custom_workflow:
    plan:
      steps:
        - init
        - plan
        - run: "conftest test ./prod.json -p ../policies"
    workflow_configuration:
      on_pull_request_pushed: [digger plan]
      on_pull_request_closed: [digger unlock]
      on_commit_to_default: [digger apply]
```
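As an added example, not part of the Digger documentation, the following constructed policy could live at /policies/terraform.rego and is what the run step above would evaluate against the ./prod.json plan output; the resource types and the Owner tag it checks are assumptions, not requirements of Digger or Conftest.

```rego
# Constructed example policy (not from the Digger docs). Conftest loads the
# Terraform plan JSON (./prod.json in the config above) as `input`; every
# planned change appears under input.resource_changes with its before/after state.
package main

import rego.v1

# Resource types assumed to support tags for the Owner check below.
taggable := {"aws_instance", "aws_s3_bucket", "aws_db_instance"}

# A change that creates or updates the resource (as opposed to a pure delete/no-op).
is_create_or_update(rc) if "create" in rc.change.actions
is_create_or_update(rc) if "update" in rc.change.actions

# Deny security group ingress rules that admit traffic from the whole internet.
# Caveat: values only known after apply are absent from `after` (they are listed
# under change.after_unknown), so a CIDR computed at apply time is not visible here.
deny contains msg if {
  some rc in input.resource_changes
  rc.type == "aws_security_group_rule"
  is_create_or_update(rc)
  rc.change.after.type == "ingress"
  "0.0.0.0/0" in rc.change.after.cidr_blocks
  msg := sprintf("%s: ingress rule must not allow 0.0.0.0/0", [rc.address])
}

# Deny any plan that destroys a database instance. Replacements appear as
# ["delete", "create"] or ["create", "delete"], so they are caught as well.
deny contains msg if {
  some rc in input.resource_changes
  rc.type == "aws_db_instance"
  "delete" in rc.change.actions
  msg := sprintf("%s: plan destroys a database instance", [rc.address])
}

# Warn (reported, but does not fail the step) when a created or updated
# taggable resource has no Owner tag; a null or missing tags map also warns.
warn contains msg if {
  some rc in input.resource_changes
  rc.type in taggable
  is_create_or_update(rc)
  not rc.change.after.tags.Owner
  msg := sprintf("%s: missing Owner tag", [rc.address])
}
```

Any `deny` result makes `conftest test` exit non-zero, so the plan step fails and the violation is surfaced on the pull request before `digger apply` can run.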