
The same policy engine keeps running after deploy.
Compliance is enforced at the gate, audited in live infrastructure, and turned into dashboards and reports from one OPA/Rego system instead of a stack of separate tools.
91% control coverage across 34 monitored projects, with one blocking violation stopped before deploy and three live issues awaiting review.
The same policy engine blocks bad deploys and audits live state.
ops0 does not split compliance into separate products. The same OPA/Rego engine that evaluates Terraform plans before deploy also scans already-running infrastructure after deploy.
- Pre-deployment policy checks catch violations before resources are created
- State-based scans audit infrastructure that is already live
- One rule engine means one source of truth instead of parallel policy systems
Compliance shows up before audit time.
Plan JSON runs through organization-defined Rego policies before approval. Violations can warn or block, and teams see the issue while the change is still easy to fix.
- Policy checks run before apply starts
- Blocking and non-blocking findings are clearly separated
- Useful for encryption, exposure, tagging, IAM, and change-control rules
Already-running infrastructure stays under review.
Compliance does not end when the apply succeeds. ops0 scans deployed resources against attached policy groups at any time, so drift and legacy gaps do not hide until the next audit.
- Scans can run independently from deployment events
- Manual console changes are pulled back into the compliance view
- Useful for legacy estates and long-lived infrastructure that predates current policy
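
The pattern described in the two sections above, sketched as an added Rego example: one rule set with blocking and non-blocking findings, evaluated against both a Terraform plan and already-deployed state. This is not ops0's own policy code. The package name, the EBS encryption and owner-tag rules, and the sample inputs are constructed for illustration, and the input shapes assumed are those of `terraform show -json` (root module only).

```rego
package compliance.example
import rego.v1

# Normalise plan JSON and state JSON to one shape: {address, type, values}.
resources contains r if {
	some rc in input.resource_changes
	rc.change.actions != ["delete"] # pure deletes have nothing left to check
	r := {"address": rc.address, "type": rc.type, "values": rc.change.after}
}

resources contains r if {
	some res in input.values.root_module.resources # child modules omitted
	r := {"address": res.address, "type": res.type, "values": res.values}
}

# Blocking finding (example rule): EBS volumes must be encrypted.
deny contains msg if {
	some r in resources
	r.type == "aws_ebs_volume"
	not r.values.encrypted
	msg := sprintf("%s: EBS volume is not encrypted", [r.address])
}

# Non-blocking finding (example rule): EBS volumes should carry an owner tag.
warn contains msg if {
	some r in resources
	r.type == "aws_ebs_volume"
	not r.values.tags.owner
	msg := sprintf("%s: missing owner tag", [r.address])
}

# Constructed sample inputs (not real infrastructure).
plan := {"resource_changes": [{
	"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
	"change": {"actions": ["create"], "after": {"encrypted": false, "tags": {"owner": "payments"}}},
}]}
state := {"values": {"root_module": {"resources": [{
	"address": "aws_ebs_volume.legacy", "type": "aws_ebs_volume",
	"values": {"encrypted": true, "tags": null},
}]}}}

test_plan_is_blocked if {
	deny == {"aws_ebs_volume.data: EBS volume is not encrypted"} with input as plan
	count(warn) == 0 with input as plan
}
test_live_state_warns if {
	count(deny) == 0 with input as state
	warn == {"aws_ebs_volume.legacy: missing owner tag"} with input as state
}
```

Run the file with `opa test`. A gate built on it would stop the deploy when `deny` is non-empty and only report what is in `warn`.
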
Built-in frameworks, not a blank policy editor.
ops0 ships with 27+ frameworks and 47 fully defined SOC 2 controls, so teams can start from real coverage instead of writing every policy from scratch.
- SOC 2, ISO 27001, CIS, HIPAA, GDPR, PCI-DSS, STIG, and more
- SOC 2 controls grouped across governance, access, hardening, monitoring, and incident response
- Cross-mapping helps teams align one control system to multiple frameworks
Auditors get proof, not a scramble.
ops0 produces shareable snapshot reports and executive dashboards from the same compliance data that drives the engine. The audit story is already assembled while the work is happening.
- Password-protected share links with frozen point-in-time posture
- PDF export, report IDs, access logging, and revocation controls
- Executive dashboards communicate posture without requiring platform access
Misconfigurations can be caught before the plan too.
Checkov scanning adds authoring-time security to Terraform and OpenTofu files, so infrastructure issues can be surfaced even before a deployable plan exists.
- Background scanning for IaC file vulnerabilities and misconfigurations
- Findings persist with severity and remediation context
- Complements OPA plan checks instead of replacing them
The same posture should reach runtime too.
After compliance, the next surface is Kubernetes: incidents, costs, vulnerabilities, certificates, and IaC linkage in one operating view.
