ec opa deps

Analyze Rego query dependencies== Synopsis

Print dependencies of provided query.

Dependencies are categorized as either base documents, which is any data loaded from the outside world, or virtual documents, i.e values that are computed from rules.


Given a policy like this:

package policy
import rego.v1
allow if is_admin
is_admin if "admin" in input.user.roles

To evaluate the dependencies of a simple query (e.g. data.policy.allow), we’d run opa deps like demonstrated below:

$ opa deps --data policy.rego data.policy.allow
| input.user.roles | data.policy.allow    |
|                  | data.policy.is_admin |

From the output we’re able to determine that the allow rule depends on the input.user.roles base document, as well as the virtual document (rule) data.policy.is_admin.

ec opa deps <query> [flags]


-b, --bundle

set bundle file(s) or directory path(s). This flag can be repeated.

-d, --data

set policy or data file(s). This flag can be repeated.

-f, --format

set output format (Default: pretty)

-h, --help

help for deps (Default: false)


set file and directory names to ignore during loading (e.g., '.*' excludes hidden files) (Default: [])


opt-in to OPA features and behaviors that will be enabled by default in a future OPA v1.0 release (Default: false)

Options inherited from parent commands


same as verbose but also show function names and line numbers (Default: false)


path to the Kubernetes config file to use


less verbose output (Default: false)


max overall execution duration (Default: 5m0s)


enable trace logging (Default: false)


more verbose output (Default: false)