ec opa eval

Evaluate a Rego query== Synopsis

Evaluate a Rego query and print the result.


To evaluate a simple query:

$ opa eval 'x := 1; y := 2; x < y'

To evaluate a query against JSON data:

$ opa eval --data data.json 'name := data.names[_]'

To evaluate a query against JSON data supplied with a file:// URL:

$ opa eval --data file:///path/to/file.json 'data'

File & Bundle Loading

The --bundle flag will load data files and Rego files contained in the bundle specified by the path. It can be either a compressed tar archive bundle file or a directory tree.

$ opa eval --bundle /some/path 'data'

Where /some/path contains:

  +-- bar/
  |     |
  |     +-- data.json
  +-- baz.rego
  +-- manifest.yaml

The JSON file 'foo/bar/data.json' would be loaded and rooted under '' and the 'foo/baz.rego' would be loaded and rooted under the package path contained inside the file. Only data files named data.json or data.yaml will be loaded. In the example above the manifest.yaml would be ignored.

See for more details on bundle directory structures.

The --data flag can be used to recursively load ALL *.rego, *.json, and *.yaml files under the specified directory.

The -O flag controls the optimization level. By default, optimization is disabled (-O=0). When optimization is enabled the 'eval' command generates a bundle from the files provided with either the --bundle or --data flag. This bundle is semantically equivalent to the input files however the structure of the files in the bundle may have been changed by rewriting, inlining, pruning, etc. This resulting optimized bundle is used to evaluate the query. If optimization is enabled at least one entrypoint must be supplied, either via the -e option, or via entrypoint metadata annotations.

Output Formats

Set the output format with the --format flag.

--format=json      : output raw query results as JSON
--format=values    : output line separated JSON arrays containing expression values
--format=bindings  : output line separated JSON objects containing variable bindings
--format=pretty    : output query results in a human-readable format
--format=source    : output partial evaluation results in a source format
--format=raw       : output the values from query results in a scripting friendly format
--format=discard   : output the result field as "discarded" when non-nil


The -s/--schema flag provides one or more JSON Schemas used to validate references to the input or data documents. Loads a single JSON file, applying it to the input document; or all the schema files under the specified directory.

$ opa eval --data policy.rego --input input.json --schema schema.json
$ opa eval --data policy.rego --input input.json --schema schemas/


When passing a capabilities definition file via --capabilities, one can restrict which hosts remote schema definitions can be retrieved from. For example, a capabilities.json containing

    "builtins": [ ... ],
    "allow_net": [ "" ]

would disallow fetching remote schemas from any host but "". Setting allow_net to an empty array would prohibit fetching any remote schemas.

Not providing a capabilities file, or providing a file without an allow_net key, will permit fetching remote schemas from any host.

Note that the metaschemas,, and, are always available, even without network access.

ec opa eval <query> [flags]


-b, --bundle

set bundle file(s) or directory path(s). This flag can be repeated.


set capabilities version or capabilities.json file path


number of times to repeat each benchmark (Default: 1)


report coverage (Default: false)

-d, --data

set policy or data file(s). This flag can be repeated.


disable 'early exit' optimizations (Default: false)


disable indexing optimizations (Default: false)


set paths of documents to exclude from inlining (Default: [])

-e, --entrypoint

set slash separated entrypoint path


enable query explanations (Default: off)


exits with non-zero exit code on undefined/empty result and errors (Default: false)


exits with non-zero exit code on defined/non-empty result and errors (Default: false)

-f, --format

set output format (Default: json)

-h, --help

help for eval (Default: false)


set file and directory names to ignore during loading (e.g., '.*' excludes hidden files) (Default: [])


set query import(s). This flag can be repeated.

-i, --input

set input file path


enable query instrumentation metrics (implies --metrics) (Default: false)


report query performance metrics (Default: false)

-O, --optimize

set optimization level (Default: 0)


set query package

-p, --partial

perform partial evaluation (Default: false)


set limit after which pretty output gets truncated (Default: 80)


perform expression profiling (Default: false)


set number of profiling results to show (Default: 10)


set sort order of expression profiler results. Accepts: total_time_ns, num_eval, num_redo, num_gen_expr, file, line. This flag can be repeated.

-s, --schema

set schema file path or directory path


disable inlining of rules that depend on unknowns (Default: false)


collect and return all encountered built-in errors, built in errors are not fatal (Default: false)


read query from stdin (Default: false)

-I, --stdin-input

read input document from stdin (Default: false)

-S, --strict

enable compiler strict mode (Default: false)


treat the first built-in function error encountered as fatal (Default: false)

-t, --target

set the runtime to exercise (Default: rego)


set eval timeout (default unlimited) (Default: 0s)

-u, --unknowns

set paths to treat as unknown during partial evaluation (Default: [input])


opt-in to OPA features and behaviors that will be enabled by default in a future OPA v1.0 release (Default: false)

Options inherited from parent commands


same as verbose but also show function names and line numbers (Default: false)


path to the Kubernetes config file to use


less verbose output (Default: false)


enable trace logging (Default: false)


more verbose output (Default: false)