ec opa test

Execute Rego test cases


Execute Rego test cases.

The 'test' command takes a file or directory path as input and executes all test cases discovered in matching files. Test cases are rules whose names have the prefix "test_".

If the '--bundle' option is specified the paths will be treated as policy bundles and loaded following standard bundle conventions. The path can be a compressed archive file or a directory which will be treated as a bundle. Without the '--bundle' flag OPA will recursively load ALL *.rego, *.json, and *.yaml files for evaluating the test cases.

Test cases under development may be prefixed "todo_" in order to skip their execution, while still getting marked as skipped in the test results.

Example policy (example/authz.rego):

package authz
import future.keywords.if
allow if {
	input.path == ["users"]
	input.method == "POST"
allow if {
	input.path == ["users", input.user_id]
	input.method == "GET"

Example test (example/authz_test.rego):

package authz_test
import data.authz.allow
test_post_allowed {
	allow with input as {"path": ["users"], "method": "POST"}
test_get_denied {
	not allow with input as {"path": ["users"], "method": "GET"}
test_get_user_allowed {
	allow with input as {"path": ["users", "bob"], "method": "GET", "user_id": "bob"}
test_get_another_user_denied {
	not allow with input as {"path": ["users", "bob"], "method": "GET", "user_id": "alice"}
todo_test_user_allowed_http_client_data {
	false # Remember to test this later!

Example test run:

$ opa test ./example/

If used with the '--bench' option then tests will be benchmarked.

Example benchmark run:

$ opa test --bench ./example/

The optional "gobench" output format conforms to the Go Benchmark Data Format.

The --watch flag can be used to monitor policy and data file-system changes. When a change is detected, OPA reloads the policy and data and then re-runs the tests. Watching individual files (rather than directories) is generally not recommended as some updates might cause them to be dropped by OPA.

ec opa test <path> [path [...]] [flags]



benchmark the unit tests (Default: false)


report memory allocations with benchmark results (Default: true)

--b, --bundle

load paths as bundle files or root directories (Default: false)


set capabilities version or capabilities.json file path


number of times to repeat each test (Default: 1)

--c, --coverage

report coverage (overrides debug tracing) (Default: false)

--z, --exit-zero-on-skipped

skipped tests return status 0 (Default: false)


enable query explanations (Default: fails)

--f, --format

set output format (Default: pretty)

--h, --help

help for test (Default: false)


set file and directory names to ignore during loading (e.g., '.*' excludes hidden files) (Default: [])

--m, --max-errors

set the number of errors to allow before compilation fails early (Default: 10)

--r, --run

run only test cases matching the regular expression.

--s, --schema

set schema file path or directory path

--t, --target

set the runtime to exercise (Default: rego)


set coverage threshold and exit with non-zero status if coverage is less than threshold % (Default: 0)


set test timeout (default 5s, 30s when benchmarking) (Default: 0s)

--v, --verbose

set verbose reporting mode (Default: false)

--w, --watch

watch command line files for changes (Default: false)

Options inherited from parent commands


same as verbose but also show function names and line numbers (Default: false)


path to the Kubernetes config file to use


less verbose output (Default: false)


enable trace logging (Default: false)

See also

  • ec opa - Open Policy Agent (OPA) (embedded)