Chapters
Try It For Free
July 14, 2026

Compliance Without Complexity: Introducing Harness Rego Policy Packs
| Harness Blog

In the fast-paced world of modern software delivery, compliance is often a bottleneck. While our existing OPA-based Policy as Code feature has long empowered teams to encode complex authorization checks and enforce granular governance across their DevOps workflows, we know that starting from a blank page can be daunting. Security and governance teams struggle to keep up with the volume of releases, while developers often find the initial setup of these policies to be time-consuming.

Today, we are thrilled to announce a significant leap forward in automated governance: Policy Packs.

What Are Policy Packs?

Policy Packs are a curated library of pre-written Rego policies designed to align your software delivery lifecycle (SDLC) with the most popular compliance frameworks.

By providing out-of-the-box policies, we are eliminating the primary barrier to automated governance: the need to write and maintain complex Rego code from scratch. With Policy Packs, you can adopt industry-standard guardrails by adapting our out of the box policies from the policy packs with zero to little customization. This will allow your teams to focus on shipping features rather than writing policy.

Comprehensive Framework Coverage

Our Policy Packs initiative covers the frameworks that matter most to your business and your auditors:

  • SOC 2: Focuses on trust service criteria like security, availability, and processing integrity. Our policies help enforce peer-reviewed pull requests and automated change management gates.
  • NIST: Specifically targeting SP 800-53 and 800-171, these policies cover configuration management, system integrity, and supply chain risk management via automated SBOM generation and SLSA provenance.
  • PCI DSS: Designed for organizations handling payment card data, these policies enforce secrets management, network segmentation, and mandatory vulnerability patching.
  • HIPAA & HITRUST: For those dealing with protected health information (PHI), these packs provide automated data leakage prevention and secure API monitoring.

Turning Framework Requirements into DevOps Controls

Compliance is no longer just a "point-in-time" audit; it’s a continuous process. Policy Packs map technical events directly to framework controls, providing the evidence your GRC teams and auditors need.

Compliance Framework Control Domain DevOps Implementation OPA/Rego Policy Evidence
NIST Special Publication 800-53 Configuration Management (CM) Policy checks in CI/CD pipelines, Infrastructure as Code (IaC) validation Rego policies deny infrastructure changes that do not meet approved configuration baselines, such as missing required resource tags, unapproved regions, or insecure defaults.
NIST Special Publication 800-53 Access Control (AC) Least-privilege IAM automation and Kubernetes admission controls Rego policies prevent deployments that create excessive permissions, require approved IAM roles, and block publicly accessible resources.
SOC 2 Change Management (CC8.1) Pull request reviews, protected branches, CI/CD approval gates, and deployment traceability Rego policies verify that production changes include peer approvals, linked tickets, successful pipeline checks, and required metadata before release.
SOC 2 Logical Access Controls (CC6.1) Automated identity provisioning, role-based access control (RBAC), and secrets management integration Rego policies prevent excessive privileges and block workloads using unmanaged credentials.
Health Insurance Portability and Accountability Act (HIPAA) Access Control (§164.312(a)) API authorization controls, workload identity, and protected health information (PHI) access enforcement Rego policies deny unauthenticated or unauthorized API requests, require approved FHIR resource access patterns, and enforce encryption requirements for PHI workflows.
Health Insurance Portability and Accountability Act (HIPAA) Audit Controls (§164.312(b)) Centralized logging, immutable audit trails, and security event monitoring Rego policies require audit logging configuration on services handling PHI and block deployments without required monitoring integrations.
Payment Card Industry Data Security Standard (PCI DSS) Vulnerability Management (Requirement 6) Automated dependency scanning, container image scanning, and security checks integrated into CI/CD Rego policies deny deployments containing critical or high-severity vulnerabilities, unsupported software versions, or unapproved container images.
Payment Card Industry Data Security Standard (PCI DSS) Secure Configuration (Requirement 2) Hardened container images, secure cloud configurations, and automated infrastructure checks Rego policies enforce secure baseline configurations, disable insecure services, and require approved encryption and network settings.
ISO/IEC 27001 Asset Management (A.5.9) Automated asset inventory, cloud resource discovery, and IaC governance Rego policies prevent unmanaged resources from being deployed and require ownership metadata on infrastructure assets.
CIS Critical Security Controls Secure Configuration of Enterprise Assets (Control 4) Kubernetes policy enforcement, cloud security posture management, and automated compliance checks Rego policies block insecure configurations such as privileged containers, open security groups, and missing security contexts.

Common Compliance Challenges in DevOps

In our work with industry leaders, like those in highly regulated industries such as healthcare, finance, or insurance, we’ve seen that compliance is often a manual, high-friction process that slows down software delivery. Two of the most common challenges teams face are:

  • The "audit readiness" blind spot: Teams often struggle to prove that their pipelines are consistently secure. Without automated guardrails, compliance is only checked during point-in-time audits, leaving gaps that are hard to identify and remediate.
  • The manual approval bottleneck: Many organizations rely on manual checkpoints to satisfy framework requirements. This frustrates developers who want to move fast, leading to "compliance fatigue" where processes are bypassed or ignored.

Harness Policy Packs address these challenges by shifting governance left, embedding compliance checks directly into your CI/CD pipelines so that validation happens automatically with every commit.

Example Policy: Enforcing Separation of Duties

A classic requirement for frameworks like SOC 2 and NIST is "Separation of Duties." In a modern DevOps workflow, this means the person who writes and commits the code cannot be the same person who approves the deployment to production.

To enforce this, a compliance policy in your pipeline would verify the identity of the commit author against the identity of the deployment approver. If the system detects that the author and the approver are the same individual, the policy automatically blocks the deployment. This ensures that every production change has been independently peer-reviewed, providing auditors with a tamper-proof guarantee that your internal controls are working as intended without requiring manual intervention from your GRC team.

Why This Matters

  1. Shift governance left: Catch violations before they ever reach production by enforcing policies during the save, run, or step phases of your pipeline.
  2. Accelerate audit readiness: Move from "preventing risk" to "proving compliance" with a tamper-proof evidence vault that stores all builds, scans, and approvals.
  3. Reduce risk: Mitigate legal and audit risks by using policies that are directly mapped to specific framework controls.
  4. Universal coverage: Whether you are using CI, CD, Feature Management, or Cloud & AI Cost Management, our one framework provides cross-module coverage across the entire platform.

Get Started Today

The journey to automated compliance doesn't have to start with a blank page. Get access to our policy packs in the repository here to get started. You can leverage our native Git integration for OPA rego policies to fork the policies from the repository linked above and import them into your account.  

Get ready to stop audit delays before they start. 

Abhijit Pujare

Abhijit Pujare is a Senior Product Manager at Harness, where he leads product strategy and execution for developer productivity and software delivery solutions.

Vishal Vishwaroop

Vishal Vishwaroop is a senior Developer Relations Engineer.

Similar Blogs

Continuous Delivery & GitOps