Policy & Governance

Adding policy to your Scalr pipeline is critical to providing developers with self-service deployments in their environments. Policy gives you, as the platform admin, assurance that Terraform or OpenTofu deployments are carried out according to your organizational standards. Scalr integrates with Open Policy Agent (OPA) and Checkov to enforce policy and to scan Terraform code for misconfigurations at fixed stages of the run pipeline.

Open Policy Agent

Scalr utilizes Open Policy Agent (OPA) to govern Terraform and OpenTofu deployments. OPA is a policy-as-code engine that uses the Rego language to evaluate JSON input, such as the Terraform plan JSON, against administrator-defined rules. Any field in that JSON can be referenced in a policy.

The OPA code is treated like your Terraform code: it is stored in a VCS provider and managed through a GitOps model. Administrators create and manage policies, and open pull requests on them, directly in the VCS provider, and trigger speculative runs to preview the impact of a policy change before it is merged.

OPA policies can be applied during the pre-plan and post-plan phases. The pre-plan stage evaluates information available before the plan runs, such as the run source, who executed the run, VCS details, and more. Runs that violate policies during the pre-plan phase are not billed for. The post-plan stage can evaluate everything available in the pre-plan stage as well as the Terraform plan JSON, specifically the resources being created, changed, and deleted and their planned attribute values. A post-plan policy is therefore the place to enforce resource-level rules (required tags, forbidden resource types, exposed network rules) that cannot be decided from run metadata alone.
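The following Rego policy is an added example of a post-plan check, not code from Scalr's documentation or product. It assumes that Scalr exposes the Terraform plan JSON to the policy as input.tfplan and collects violation messages from a deny set; the package name, the required tag names, and the admin-port list are illustrative choices. The resource_changes structure it walks is the standard Terraform plan JSON format.

```rego
# Added example policy (not Scalr's own). Assumptions: the plan JSON is
# available at input.tfplan, and Scalr reads violations from the `deny` set.
package terraform.policies.post_plan

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Tags every taggable resource must carry (illustrative names).
required_tags := {"owner", "cost_center"}

# Ports that must never be reachable from the public internet (illustrative).
admin_ports := {22, 3389}

# Resources the plan will create or update. Deletes are ignored, because
# inspecting `change.after` of a deleted resource is meaningless.
changed_resources contains rc if {
    some rc in input.tfplan.resource_changes
    some action in rc.change.actions
    action in {"create", "update"}
}

# Rule 1: every created or updated S3 bucket must carry the required tags.
# `tags` may be absent or null (unknown until apply); both count as missing.
deny contains msg if {
    some rc in changed_resources
    rc.type == "aws_s3_bucket"
    tags := object.get(rc.change.after, "tags", {})
    missing := required_tags - {k | tags[k]}
    count(missing) > 0
    msg := sprintf("%s: missing required tags %v", [rc.address, sort(missing)])
}

# Rule 2: no ingress security group rule may expose an admin port to 0.0.0.0/0.
# The check spans the from_port..to_port range, so a rule for 0-65535 is caught too.
deny contains msg if {
    some rc in changed_resources
    rc.type == "aws_security_group_rule"
    after := rc.change.after
    after.type == "ingress"
    "0.0.0.0/0" in after.cidr_blocks
    some port in admin_ports
    after.from_port <= port
    port <= after.to_port
    msg := sprintf("%s: ingress from 0.0.0.0/0 exposes port %d", [rc.address, port])
}
```

Before committing a policy like this, run it locally against a real plan with `terraform show -json plan.out > tfplan.json` and `opa eval -i tfplan.json -d policy.rego 'data.terraform.policies.post_plan.deny'`, wrapping the plan under a `tfplan` key to match the assumed input layout. An empty result means the plan passes; each string in the set is one violation that the run would report.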

Learn the implementation details of OPA here.

Checkov

Checkov is a static analysis tool that scans Terraform code for misconfigurations and compliance violations. If Checkov is enabled, Scalr inserts the Checkov step before the Terraform init phase. Checkov evaluates the code being pulled in, and if any check fails, the run in Scalr stops. Runs that are stopped during the Checkov step are not billed for. Because the scan happens before init, it inspects the checked-out source rather than the computed plan; rules that depend on values resolved only at plan time are better expressed as post-plan OPA policies.

Learn the implementation details of Checkov here.