Top 12 Policy as Code (PaC) Tools in 2025

Policy as code (PaC) is the practice of writing governance, security, and compliance rules as machine-readable files that tools can automatically evaluate and enforce. It replaces static policy documents with automated checks in CI/CD, infrastructure provisioning, and runtime.

Common uses include blocking public S3 buckets, enforcing required tags, validating Kubernetes resources on admission, or failing Terraform plans that violate controls. You’ll often combine multiple layers: static checks in PRs, admission policies in clusters, and org-level guardrails in your cloud accounts.

Read more: What is Policy as Code (PaC) & How Do You Implement It?

Policy as code tools let teams define rules declaratively, integrate them into CI/CD pipelines, and audit changes through version control. They help enforce consistent security, compliance, and operational policies across environments. 

We will review the tools in the following categories:

1. General policy engine
2. Kubernetes admission control
3. Terraform / IaC enforcement
4. IaC misconfiguration scanning (pre-commit/CI)
5. Cloud-provider guardrails (org-level)
6. App authorization (fine-grained)

Open Policy Agent (OPA) is an open-source, general-purpose policy engine that enables policy as code for cloud-native environments. It decouples policy decision-making from services by providing a unified way to define and enforce rules across microservices, Kubernetes, APIs, CI/CD pipelines, and infrastructure.

OPA uses a high-level declarative language called Rego to express policies. Once written, these policies can be applied consistently across a wide variety of systems, ensuring compliance, governance, and security requirements are met without embedding logic directly into application code.

OPA can run as a sidecar, daemon, or library and integrates with existing services via REST APIs, making it suitable for both real-time enforcement and offline analysis. OPA also integrates with Envoy/Istio via the official OPA-Envoy plugin and Istio’s CUSTOM external authz action, enabling fine-grained, policy-driven service authorization.

Open Policy Agent key features

• Unified policy engine for Kubernetes, microservices, CI/CD, data, and APIs
• Rego language for expressive, declarative policy definitions
• Decoupled decision-making via APIs, allowing consistent enforcement across systems
• Native Kubernetes integration (via Gatekeeper) for admission control and compliance
• Extensible integrations with Terraform, Envoy, Istio, and CI/CD pipelines
• Policy testing and validation to catch misconfigurations before deployment
• Community-driven ecosystem with wide adoption across cloud-native tools

Best for: Teams adopting cloud-native platforms and microservices who need a flexible, vendor-neutral way to enforce compliance, security, and governance policies.

Website: https://www.openpolicyagent.org

Gatekeeper is a Kubernetes-native policy controller that extends Open Policy Agent (OPA) to enforce custom admission policies within clusters. Built specifically for Kubernetes, it lets platform teams define, audit, and enforce constraints on cluster resources using Kubernetes Custom Resource Definitions (CRDs) and Rego policies.

Unlike OPA’s general-purpose scope, Gatekeeper is optimized for Kubernetes governance. It provides a framework to codify rules such as restricting container images, enforcing naming conventions, or ensuring labels and annotations are applied consistently. These policies are evaluated at admission time, preventing non-compliant workloads from being created.

Gatekeeper also supports audit functionality, allowing teams to identify violations across existing cluster resources. This dual focus on prevention and detection makes it a powerful tool for maintaining compliance and security standards in dynamic Kubernetes environments.

Gatekeeper supports an enforcementAction on constraints (e.g., deny, dryrun) and can integrate with Kubernetes ValidatingAdmissionPolicy (VAP) as of Gatekeeper v3.20 (beta), helping you manage CEL-based policies centrally.

Gatekeeper key features

• Kubernetes-native integration via CRDs for defining policies and constraints
• Admission control enforcement to block non-compliant workloads at creation
• Cluster-wide auditing to surface policy violations in existing resources
• Template-based system for reusing and sharing common policies
• Configurable enforcementAction (including dry-run) to phase in policies
• Community-driven policy library with prebuilt constraints for common use cases

Best for: Kubernetes-focused teams seeking to implement policy enforcement and compliance at the cluster admission level, while benefiting from OPA’s flexibility.

Website: https://open-policy-agent.github.io/gatekeeper

Kyverno is a Kubernetes-native policy engine that manages configuration, security, and compliance using familiar Kubernetes manifests. Policies are defined in YAML, so teams don’t need to learn a new language. This makes Kyverno approachable for Kubernetes operators who want governance built directly into their existing workflows.

Beyond validation, Kyverno can mutate and generate resources, automatically injecting labels, enforcing security contexts, or creating supporting objects. It also integrates smoothly with GitOps and CI/CD pipelines, offering policy testing and version control. 

With a strong focus on usability and a library of prebuilt policies, Kyverno helps teams standardize deployments and enforce best practices with minimal overhead.

Kyverno key features

• Kubernetes-first design with policies defined as standard resources
• Validation, mutation, and generation capabilities in a single tool
• No need for a new policy language—rules are written in YAML
• Policy testing framework for CI/CD and GitOps pipelines
• Prebuilt policy library covering security, compliance, and best practices
• Dynamic configuration with variable substitution and context-aware rules

Best for: Kubernetes operators and platform teams who want straightforward policy management using native Kubernetes patterns, without introducing new languages or abstractions.

Website: https://kyverno.io

Kubernetes ValidatingAdmissionPolicy (CEL) is a built-in admission control mechanism that lets users define policies using Common Expression Language (CEL) without requiring external controllers. Introduced as a native alternative to OPA/Gatekeeper or Kyverno, it provides lightweight validation for Kubernetes resources directly within the API server.

This feature enables teams to enforce rules such as restricting image registries, validating labels, or ensuring field values meet specific patterns. Since policies are part of the Kubernetes API, they’re simple to manage and integrate naturally with standard workflows.

ValidatingAdmissionPolicy reached General Availability in Kubernetes v1.30 (admissionregistration.k8s.io/v1), with validationActions supporting Deny, Warn, and Audit.

ValidatingAdmissionPolicy (CEL) key features

• Native Kubernetes integration with no extra components to install
• CEL-based policies for lightweight, high-performance validations
• Enforce or audit modes to block or just record policy violations
• Lower operational overhead compared to external policy engines
• Good fit for simple validation rules directly in clusters

Best for: For complex cross-object logic or external data lookups, OPA/Gatekeeper or Kyverno remain better fits; VAP focuses on object-scoped validation.

Website: Kubernetes Admission Controllers

HashiCorp Sentinel is a policy-as-code framework integrated into the HashiCorp Cloud Platform (HCP) Terraform and other HashiCorp products. It provides fine-grained governance and compliance controls by letting teams define rules that must pass before infrastructure changes are applied.

Sentinel uses a purpose-built language that allows for conditional logic, iteration, and policy composition. With its deep integration into Terraform Cloud and Enterprise, Sentinel can evaluate proposed infrastructure changes in plan and apply phases, ensuring compliance checks are part of the standard workflow.

While more opinionated than general-purpose policy engines, Sentinel is powerful for organizations already invested in the HashiCorp ecosystem. It allows central governance teams to define guardrails while still giving developers flexibility within approved boundaries.

HashiCorp Sentinel key features

• Deep integration with HCP Terraform and other HashiCorp tools
• Custom policy language designed for infrastructure governance
• Enforcement levels (advisory, soft-mandatory, hard-mandatory) to control policy strictness
• Evaluation during Terraform plan and apply for proactive compliance checks
• Extensible imports for accessing Terraform data, cloud provider metadata, and external APIs
• Strong enterprise focus with centralized governance and team-based workflows

Best for: Organizations using HCP Terraform or Terraform Enterprise that need consistent, enforceable governance built directly into their infrastructure-as-code pipelines.

Website: https://developer.hashicorp.com/sentinel

Spacelift is a CI/CD and infrastructure automation platform purpose-built for infrastructure-as-code (IaC) workflows. It offers a policy-as-code framework powered by Open Policy Agent, enabling teams to enforce governance, security, and compliance across Terraform, OpenTofu, Pulumi, AWS CloudFormation, and Kubernetes deployments.

With Spacelift, policies are written in Rego and applied to different decision points in the workflow, such as triggering/push events, plan/run approvals, and task execution. This flexibility allows platform teams to create guardrails without slowing down developer productivity. Policies can be version-controlled, tested, and reused, ensuring governance evolves alongside infrastructure.

By combining policy as code with automation and collaboration features, Spacelift helps organizations manage multi-cloud environments with confidence. It integrates into Git-based workflows, supports drift detection, and provides real-time visibility into infrastructure changes while ensuring every step respects defined policies.

Spacelift’s approach emphasizes practical governance — enforcing the right checks at the right time without introducing unnecessary friction.

Spacelift key features

• Policy as Code with OPA/Rego integrated directly into IaC workflows
• Multi-IaC support: Terraform, OpenTofu, Ansible, Pulumi, AWS CloudFormation, Kubernetes
• Decision hooks to enforce policies at key pipeline stages
• GitOps-driven automation with continuous deployment for infrastructure
• Drift detection and remediation with policy enforcement
• Team- and org-level guardrails for security, compliance, and cost control
• Collaboration and visibility into every infrastructure change

Best for: Teams looking for a modern infrastructure automation platform with built-in policy as code capabilities, especially in multi-cloud and hybrid IaC environments.

Website: https://spacelift.io

Check out this video where we dive into common use cases of Spacelift policies and how teams are using them to achieve security and cost control of their infrastructure:

Checkov is an open-source static analysis tool for IaC that brings policy-as-code to security and compliance scanning. It analyzes Terraform, CloudFormation, Kubernetes, Helm, Pulumi, and serverless frameworks to detect misconfigurations before deployment. By shifting policy enforcement left into development pipelines, Checkov helps teams catch issues early and reduce risk in cloud-native environments.

Policies in Checkov are written in Python or YAML and can be customized to enforce organizational standards. With a large library of built-in checks for common compliance frameworks (CIS, NIST, PCI-DSS, HIPAA), it offers immediate value out of the box while remaining flexible for custom rules. 

Checkov integrates seamlessly with CI/CD systems and version control, making it straightforward to adopt as part of day-to-day developer workflows.

Checkov key features

• Multi-IaC support: Terraform, CloudFormation, Kubernetes, Helm, Pulumi, Serverless
• Policy as code with customizable Python or YAML rules
• Built-in library for CIS, NIST, PCI-DSS, HIPAA, and other standards
• Shift-left security with CI/CD and Git integrations
• Rich reporting for visibility into misconfigurations and violations

Best for: Teams looking to strengthen IaC security and compliance with lightweight, flexible scanning directly in developer workflows.

Website: https://www.checkov.io

Terrascan is an open-source static code analyzer for infrastructure-as-code that enforces policy as code to detect security and compliance violations. It supports Terraform, Kubernetes, Helm, Kustomize, Dockerfiles, and more, helping teams catch misconfigurations before resources are provisioned.

Terrascan provides immediate coverage while allowing custom rule definitions, with a built-in policy pack (hundreds of rules) mapped to frameworks like CIS, PCI-DSS, and HIPAA. It integrates into CI/CD pipelines, Git workflows, and Kubernetes admission controllers, making policy enforcement both proactive and automated.

Terrascan key features

• Broad IaC support across Terraform, Kubernetes, Helm, Kustomize, Dockerfiles
• Extensive built-in policy library aligned with compliance frameworks
• Custom rules for organization-specific policies
• Flexible integrations with CI/CD and admission controllers

Best for: Teams needing scalable, open-source policy scanning across diverse IaC frameworks.

Website: https://runterrascan.io

Azure Policy is Microsoft’s native governance service that enables organizations to enforce compliance and security standards across Azure resources. When combined with as code workflows, policies can be defined, versioned, and deployed just like application or infrastructure code, bringing governance into CI/CD and GitOps pipelines.

Policies are authored in JSON and can be grouped into initiatives for broader compliance objectives. With integrations into tools like Azure DevOps, GitHub Actions, and Terraform, teams can embed Azure Policy evaluations into their delivery pipelines. This ensures every deployment is validated against organizational rules before reaching production.

Azure Policy supports remediation tasks for policies with DeployIfNotExists or Modify effects, allowing automatic correction of non-compliant resources.

Azure Policy (as code) key features

• Native Azure integration for real-time enforcement and remediation
• Policy as Code with JSON definitions stored in Git for version control
• Initiatives to bundle multiple policies under compliance goals
• CI/CD and GitOps support via Azure DevOps, GitHub Actions, Terraform, and Bicep
• Built-in policy library covering security, cost, and compliance frameworks
• Remediation tasks to automatically fix non-compliant resources

Best for: Teams operating heavily in Azure who want governance and compliance fully aligned with their infrastructure-as-code and DevOps workflows.

Website: https://learn.microsoft.com/azure/governance/policy

AWS Service Control Policies (SCPs) are a governance feature of AWS Organizations that let administrators define fine-grained permission boundaries across accounts. They act as guardrails, ensuring that no IAM user or role within member accounts can exceed the restrictions set at the organizational level. In practice, SCPs make it possible to centrally enforce compliance and security requirements across multi-account AWS environments.

SCPs are written as JSON policies, similar to IAM policies, but are applied at the organization, organizational unit (OU), or account level. This allows platform teams to encode rules such as disallowing unapproved regions, blocking the use of certain services, or restricting resource configurations. 

By managing SCPs in source control, organizations can treat them as code — versioning, testing, and deploying policy changes alongside infrastructure code.

Note: SCPs do not grant permissions; they define the maximum available permissions. IAM identity or resource policies must still allow an action.

For teams adopting Policy as Code practices, SCPs provide a native AWS mechanism for ensuring consistent governance without external tools. They are especially useful for enterprises running multiple AWS accounts, offering centralized control that complements other security frameworks like IAM and Config Rules.

AWS Service Control Policies (SCPs) key features

• Centralized governance across AWS Organizations
• JSON-based policies similar to IAM for consistency
• Enforce guardrails by denying access to specific actions, services, or regions
• Integration with Policy as Code workflows through version control and IaC pipelines
• Scales across multi-account AWS setups for enterprise governance

Best for: Organizations with multi-account AWS environments that need strict, centrally enforced guardrails aligned with Policy as Code practices.

Website: AWS User Guide

Google Cloud Organization Policy is a native governance framework that lets administrators define constraints across Google Cloud resources. By setting organization-wide rules, teams can enforce security, compliance, and cost controls consistently across projects and folders. These policies act as guardrails, restricting what resources can be created or how they can be configured.

Policies are expressed as constraints (e.g., restricting resource locations, blocking external IPs, enforcing CMEK encryption) and can be applied hierarchically at the organization, folder, or project level. For Kubernetes, Google’s Policy Controller (built on OPA Gatekeeper) extends these capabilities to cluster admission control and auditing, with prebuilt bundles and console integration. This lets you unify cloud constraints and Kubernetes policies under a PaC model.

Google Cloud Organization Policy key features

• Centralized governance at org, folder, and project levels
• Constraints to enforce security, compliance, and cost rules
• Policy Controller (Gatekeeper-based) for Kubernetes policy enforcement
• Policy as Code workflows via Terraform, Config Connector, and GitOps
• Audit and visibility into policy violations across resources

Best for: Enterprises operating in Google Cloud that want a unified, code-driven way to enforce constraints across both cloud resources and Kubernetes clusters.

Website: Organization Policy Overview and Policy Controller

AWS Cedar is a policy language created by AWS for defining fine-grained, context-aware authorization rules. It underpins Amazon Verified Permissions, which externalizes authorization decisions so policies can be managed separately from application code.

Policies are written in a declarative, human-readable format and support attribute- and context-based access control. Managed as code in version control, Cedar enables teams to apply policy as code practices to authorization while ensuring consistency and auditability.

AWS Cedar key features

• Purpose-built policy language for fine-grained authorization
• Integration with Amazon Verified Permissions for centralized management
• Attribute- and context-based access control (ABAC/CBAC)
• Readable, auditable policies stored and managed as code
• APIs for real-time authorization decisions across applications

Best for: Teams building applications on AWS that need scalable, centralized, and code-driven authorization with fine-grained access control.

Website: AWS User Guide

Policy as code brings governance, security, and compliance into the same workflows as infrastructure and application code. By defining policies in declarative languages, versioning them in Git, and enforcing them through CI/CD and cloud-native tools, teams gain consistency, automation, and auditability across multi-cloud and Kubernetes environments.