Skip to main content
Home/Glossary/Policy as Code

Policy as Code

Defining and enforcing security, compliance, and operational policies through code that can be versioned, tested, and automated.

DevSecOpsAlso called: "pac", "guardrails", "policy automation"

Policy as Code transforms written policies into executable code, enabling automated enforcement across infrastructure and applications.

Policy as Code tools

  • Open Policy Agent (OPA): General-purpose policy engine, Rego language.
  • HashiCorp Sentinel: Terraform Enterprise policy framework.
  • AWS CloudFormation Guard: Validate CloudFormation templates.
  • Azure Policy: Built-in Azure governance.
  • Kyverno: Kubernetes-native policy engine.

Use cases

  • Infrastructure: Block public S3 buckets, require encryption.
  • Kubernetes: Enforce pod security, require resource limits.
  • CI/CD: Gate deployments on policy compliance.
  • Cost control: Limit instance sizes, require tags.
  • Compliance: Enforce CIS benchmarks, regulatory requirements.

Integration points

  • Pre-commit: Validate before code is committed.
  • CI/CD: Check during pull request and deployment.
  • Admission control: Enforce at Kubernetes API level.
  • Runtime: Continuous compliance monitoring.

Benefits

  • Consistent policy enforcement across environments.
  • Version control and peer review for policy changes.
  • Automated testing of policy logic.
  • Self-service within guardrails.
  • Audit trail of policy decisions.

Best practices

  1. Start with high-impact policies (security, cost).
  2. Provide clear violation messages with remediation guidance.
  3. Test policies against real configurations before enforcement.
  4. Implement exception workflows for legitimate edge cases.
  5. Version policies alongside infrastructure code.

Related Tools

Related Articles

View all articles
📄

Incident Management Tools: The Complete Guide for 2026

From on-call scheduling to status pages to postmortems — a comprehensive guide to the tools that power modern incident management, with honest comparisons and pricing.

Read article →
📄

Best Atlassian Statuspage Alternatives: Status Page Tools Compared

Atlassian Statuspage is the default choice for hosted status pages, but pricing adds up fast. We compare the best alternatives for teams of every size.

Read article →
📄

Best PagerDuty Alternatives in 2026: Features, Pricing, and Who They're For

PagerDuty is the market leader in on-call management, but it's not the only option. We compare the best alternatives — from budget-friendly to enterprise-grade.

Read article →
📄

Blameless Postmortem Template: How to Run Post-Incident Reviews That Actually Improve Things

A practical guide to blameless postmortems — including a ready-to-use template, facilitation tips, and how to turn incident data into lasting improvements.

Read article →

Explore More DevSecOps

View all terms

Container Image

A lightweight, standalone, executable package containing everything needed to run an application: code, runtime, libraries, and settings.

Read more →

Container Registry

A repository for storing, managing, and distributing container images, providing version control and access management.

Read more →

Dynamic Application Security Testing (DAST)

Testing a running application from the outside to discover security vulnerabilities by simulating attacks.

Read more →

Immutable Infrastructure

An infrastructure paradigm where servers are never modified after deployment; changes require replacing instances with new ones built from updated images.

Read more →

Infrastructure as Code (IaC)

Managing and provisioning infrastructure through machine-readable configuration files rather than manual processes.

Read more →

Runtime Security

Monitoring and protecting applications during execution to detect and prevent attacks in real-time.

Read more →
Back to glossary