Administration Guide

Opal Overview

Opal is Lacework FortiCNAPP’s IaC static analyzer based on the OPA framework and Rego language. Opal evaluates infrastructure as code (IaC) files for potential AWS, Azure, Google Cloud, and Kubernetes security and compliance violations prior to deployment.

Opal’s default policies incorporate CIS AWS, Azure, Google Cloud, and Kubernetes Foundations Benchmarks so you can assess compliance posture. You can also create your own custom policies in Rego and have Opal run them on future scans. Creating custom Opal policies requires the Lacework FortiCNAPP CLI. For more information, go to Get Started with Opal.

Opal supports the following IaC frameworks:

| Framework | Format |
| --- | --- |
| Azure Resource Manager (ARM) | JSON |
| CloudFormation | JSON, YAML |
| Kubernetes | YAML |
| Terraform | HCL, JSON Plan |

Opal is part of the IaC component within the Lacework FortiCNAPP CLI. The Lacework FortiCNAPP CLI works with CI/CD tools such as Jenkins, CircleCI, and AWS CodePipeline.

How Opal Works

Opal integrates into the Lacework FortiCNAPP CLI and Code Security App. To learn how to use Opal and run scans with the CLI, go to Get Started with Opal. Opal converts each IaC file into a data structure, evaluates the Rego policies against it, and returns the results in the CLI. For CI/CD-based integrations, Opal supports multiple output formats, such as JSON and JUnit.XML. You can enable or disable policies in the Lacework FortiCNAPP Console or by editing the config.yaml file in your repository.

With the Lacework FortiCNAPP CLI, you can integrate Opal into existing CI/CD pipelines. Beyond the standard CLI output, Opal supports JSON and JUnit.XML.
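To illustrate what evaluating a Rego policy against the data structure built from an IaC file looks like, the following is an added example in plain OPA Rego; it is not taken from this guide or from Opal's policy library. The package name, the `deny` rule, the helper names, and the assumption that `input` is the parsed CloudFormation template are all illustrative, and Opal's own policy layout may differ.

```rego
package example.s3_encryption

import rego.v1

# Assumption: `input` is a CloudFormation template parsed as-is.
# Opal's own input document and rule naming may differ.

# All S3 bucket resources in the template, keyed by logical ID.
buckets[name] := res if {
	some name, res in input.Resources
	res.Type == "AWS::S3::Bucket"
}

# Defined only when the bucket declares at least one default-encryption rule.
encrypted(res) if {
	count(res.Properties.BucketEncryption.ServerSideEncryptionConfiguration) > 0
}

# One message per bucket without default encryption. A bucket with no
# Properties block is also reported, because encrypted() is undefined for it.
deny contains msg if {
	some name, res in buckets
	not encrypted(res)
	msg := sprintf("S3 bucket '%s' has no default server-side encryption", [name])
}

# Constructed sample template (not from the guide).
sample_template := {"Resources": {
	"LogsBucket": {"Type": "AWS::S3::Bucket"},
	"DataBucket": {
		"Type": "AWS::S3::Bucket",
		"Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
			{"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}
		]}}
	},
	"Queue": {"Type": "AWS::SQS::Queue"}
}}

# Unit test for `opa test`: only the unencrypted bucket is reported.
test_only_unencrypted_bucket_is_reported if {
	deny == {"S3 bucket 'LogsBucket' has no default server-side encryption"} with input as sample_template
}
```

Saved as a `.rego` file, this runs with the open-source `opa test` command, which evaluates the embedded test rule against the constructed template.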
