Policy checks in the flow
Conftest/OPA gating applies.
Atlantis has native policy checking that gates applies on OPA/Conftest policies. With policy checks enabled, after the plan step Atlantis evaluates your Rego policies against the plan and, if a mandatory policy fails, blocks apply until either the code is fixed or an authorized owner approves the policy failure. This puts the guardrails from the OPA and Checkov courses directly in the Terraform PR flow, enforced by the same server that runs the apply.
policies:owners:users: [security-lead] # who may approve a policy failurepolicy_sets:- name: iac-guardrailspath: /policies # Rego policies (deny rules) run against the plansource: local# a failing mandatory policy blocks `atlantis apply` until fixed or owner-approved
Policy as a first-class gate
The difference from just running a scanner in CI is that Atlantis makes the policy result a gate on the apply it controls, with an approval path owned by the right people. A public bucket or an open security group in the plan fails the policy, the apply is blocked, and only a designated policy owner can approve the exception — recorded in the PR. This is defense in depth: policy at the exact moment of change, enforced by the tool that holds the credentials.
Policy Check Failed: iac-guardrailsdeny: aws_s3_bucket.assets is public without approvalapply is blocked. Fix the plan, or have a policy owner approve.