Skip to main content


The Open Policy Containers project makes it easy to build Open Policy Agent policies into OCI images.

A policy that is packaged as an OCI image can be tagged just like any container image. It can also be signed using tools like cosign.

To get started you need two things:

  • The policy CLI, which is used to manage policy images, and is modeled after docker
  • A container registry that supports pulling and pushing artifacts of the OCI media type (application/vnd.oci.image.config.v1+json)

Container registries that policy has been tested with include:

  • AWS Elastic Container Registry (
  • Docker Hub (
  • GitHub Container Registry (
  • Google Container Registry (
  • Open Policy Container Registry (

Getting Started

Download the CLI

To get started, you'll need to download the policy CLI.


Follow our 5 minute tutorial to get a flavor for what policy can do for you.