What is policy-as-code, and what tools implement it (OPA, Sentinel, Kyverno)? [Intermediate]
Answer
Policy-as-code means security, compliance, and operational rules are written as versioned, testable code and enforced automatically. Tools include OPA/Rego, HashiCorp Sentinel, Kyverno, Conftest, Checkov, tfsec, and cloud-native policy engines.
Technical explanation
Policy-as-code gives repeatable enforcement across CI, IaC review, admission control, and audits.
Policies should be version-controlled, peer-reviewed, tested, and released like application code.
Good policies include clear failure messages and remediation guidance to reduce developer friction.
Hands-on example
Example policy lifecycle: write a rule that denies public S3 buckets, add unit tests with both allowed and denied Terraform examples, run the rule in the PR pipeline with Conftest or Checkov, enforce it in Terraform Cloud with Sentinel, and verify the deployed cloud resources with a CSPM tool.
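The lifecycle above, carried through as an added example that is not part of the original answer: a Conftest/OPA policy in Rego that denies public S3 buckets in a Terraform plan, plus Rego unit tests for an allowed and a denied case. It assumes the `rego.v1` syntax (Conftest 0.46 or later), the plan is exported with `terraform show -json tfplan > tfplan.json`, and the files live under `policy/` as `s3_public.rego` and `s3_public_test.rego`; the sample inputs in the tests are constructed.

```rego
# policy/s3_public.rego (added example; file layout and plan export are assumptions)
# Run in CI on a Terraform plan:  conftest test tfplan.json -p policy
package main

import rego.v1

# Canned ACLs that expose bucket contents to anyone.
public_acls := {"public-read", "public-read-write", "authenticated-read"}

# Deny any bucket (or bucket ACL resource) that will end up with a public canned ACL.
# The message names the resource and says what to do instead, so the failing PR
# check is actionable without reading the policy source.
deny contains msg if {
	some rc in input.resource_changes
	rc.type in {"aws_s3_bucket", "aws_s3_bucket_acl"}
	rc.change.after.acl in public_acls
	msg := sprintf(
		"%s sets public ACL %q; use acl = \"private\" and grant access via a bucket policy or CloudFront OAC",
		[rc.address, rc.change.after.acl],
	)
}

# Deny public access blocks that switch any of the four guards off;
# a bucket with a private ACL is still exposed if its public access block is loosened.
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "aws_s3_bucket_public_access_block"
	some setting in {"block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets"}
	rc.change.after[setting] == false
	msg := sprintf("%s disables %s; all four public access block settings must be true", [rc.address, setting])
}

# ---------------------------------------------------------------------------
# policy/s3_public_test.rego  (constructed plan fragments; run: conftest verify -p policy)
# Same package so the tests see `deny` directly.

test_public_acl_is_denied if {
	count(deny) == 1 with input as {"resource_changes": [{
		"address": "aws_s3_bucket.logs",
		"type": "aws_s3_bucket",
		"change": {"after": {"bucket": "example-logs", "acl": "public-read"}},
	}]}
}

test_loosened_access_block_is_denied if {
	count(deny) == 1 with input as {"resource_changes": [{
		"address": "aws_s3_bucket_public_access_block.logs",
		"type": "aws_s3_bucket_public_access_block",
		"change": {"after": {
			"block_public_acls": true, "block_public_policy": false,
			"ignore_public_acls": true, "restrict_public_buckets": true,
		}},
	}]}
}

test_private_bucket_is_allowed if {
	count(deny) == 0 with input as {"resource_changes": [{
		"address": "aws_s3_bucket.logs",
		"type": "aws_s3_bucket",
		"change": {"after": {"bucket": "example-logs", "acl": "private"}},
	}]}
}
```

A bucket whose plan omits `acl` entirely produces an undefined expression rather than a match, so the first rule does not fire; if the organisation wants "ACL must be explicitly private" rather than "ACL must not be public", add a rule that checks for the key's absence. The same policy file can be reused in an OPA Gatekeeper or Kyverno-style admission context only after adapting the input shape, since those engines see Kubernetes objects rather than Terraform plan JSON.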