OPA Policy Engine

GCP Compliance as Code. No Rego expertise required.

CloudXero's Policy Engine runs Open Policy Agent against your GCP environment using the CIS Google Cloud Foundations Benchmark v2.0 — automatically, on every Terraform generation, with plain-English remediation for every violation.

Fugue's Regula was the best GCP compliance tool. Snyk killed it.

When Snyk acquired Fugue in 2023, Regula — the most capable open-source GCP compliance-as-code tool — was quietly deprecated. The gap it left is real: most teams are back to manual CIS checklists or expensive enterprise tools that take months to deploy.

CloudXero fills that gap. You get Regula-level power (OPA + Rego, CIS GCP v2.0, Terraform gate) with a no-code interface that works for the whole team — not just the one person who knows Rego.

From GCP project to compliance score in seconds

STEP 01

Connect your GCP project

CloudXero reads your resource configuration — compute instances, firewall rules, Cloud SQL, GKE clusters, storage buckets — via a read-only service account.

STEP 02

OPA evaluates against CIS GCP v2.0

25+ OPA-compatible Rego policies from the CIS Google Cloud Foundations Benchmark v2.0 are evaluated against your resource snapshot in milliseconds.

STEP 03

Violations surface with CIS control IDs

Each finding is tagged with its CIS control ID, severity, affected resource type, and a plain-English remediation hint — no Rego knowledge required.

STEP 04

Terraform gate catches issues before deploy

Every Terraform generation is automatically scanned. CIS violations appear as an inline panel with control IDs and fix instructions — before you commit a single line.

Every finding shows its Rego source

Unlike black-box scanners, CloudXero shows you the exact Rego policy that fired on your environment. Click any violation to see the Rego source, understand the logic, and know exactly what to fix.

For GCP architects and security engineers who know Rego, this is the foundation for building your own custom policies in the Rego Editor.

25+ CIS GCP v2.0 Rego policies included
cloudxero.cis_3_6 — Rego source
package cloudxero.cis_3_6

import future.keywords.if

# CIS 3.6 — Ensure SSH access is restricted
deny[msg] if {
  resource := input.resources[_]
  resource.type == "google_compute_firewall"
  rule := resource.values.allow[_]
  rule.ports[_] == "22"
  resource.values.source_ranges[_] == "0.0.0.0/0"
  msg := sprintf(
    "Firewall '%v' allows SSH from 0.0.0.0/0",
    [resource.name]
  )
}
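Added example, not CloudXero's shipped cloudxero.cis_3_6 policy: a hardened version of the CIS 3.6 check above. The original matches the literal strings "22" and "0.0.0.0/0", so an allow block that opens tcp 20-30, omits ports entirely (every port), or uses ::/0 exposes SSH just the same but is never flagged; this version catches those and skips disabled or egress rules. The package name, helper names and the three firewall inputs are constructed for the example.

```rego
package cloudxero.cis_3_6_hardened
import rego.v1  # OPA 0.59+; provides the if/contains/in keywords

# Added example, not CloudXero's shipped policy: extends the page's CIS 3.6 rule to
# catch port ranges, allow blocks with no "ports" (= all ports) and IPv6 ::/0, and
# to skip disabled or egress rules, which cannot expose SSH.
any_source := {"0.0.0.0/0", "::/0"}

deny contains msg if {
	some resource in input.resources
	resource.type == "google_compute_firewall"
	fw := resource.values
	not fw.disabled == true          # absent or null (Terraform plan) means enabled
	not fw.direction == "EGRESS"     # absent or null defaults to INGRESS
	some src in fw.source_ranges
	src in any_source
	some rule in fw.allow
	lower(rule.protocol) in {"tcp", "all"}
	covers_port(rule, 22)
	msg := sprintf("Firewall '%v' allows SSH (tcp/22) from %v", [resource.name, src])
}

# No ports at all (key absent, null or an empty list) means every port for that protocol.
covers_port(rule, _) if not rule.ports[_]

covers_port(rule, port) if {
	some p in rule.ports
	port_matches(p, port)
}

# Single port such as "22".
port_matches(p, port) if {
	not contains(p, "-")
	to_number(p) == port
}

# Range such as "20-30": exposed when the range spans the port.
port_matches(p, port) if {
	parts := split(p, "-")
	count(parts) == 2
	to_number(parts[0]) <= port
	port <= to_number(parts[1])
}

# Constructed inputs for `opa test`: the first two must be flagged, the third not.
test_hidden_ssh_exposure if count(deny) == 2 with input as {"resources": [
	{"type": "google_compute_firewall", "name": "tcp-range", "values": {"source_ranges": ["0.0.0.0/0"], "allow": [{"protocol": "tcp", "ports": ["20-30"]}]}},
	{"type": "google_compute_firewall", "name": "all-tcp", "values": {"source_ranges": ["::/0"], "allow": [{"protocol": "tcp"}]}},
	{"type": "google_compute_firewall", "name": "office-ssh", "values": {"source_ranges": ["10.0.0.0/8"], "allow": [{"protocol": "tcp", "ports": ["22"]}]}}
]}
```

`opa test -v policy.rego` runs the embedded test rule; `opa eval -i plan.json 'data.cloudxero.cis_3_6_hardened.deny'` evaluates a real resource snapshot in the same shape.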

Start with CIS. Grow to your full compliance posture.

PCI-DSS, SOC 2, and NIST 800-53 frameworks are on the roadmap. Enterprise customers get custom Rego bundles.

  • CIS GCP v2.0 (Live)
  • Google Cloud Architecture Framework (Live)
  • PCI-DSS v4 (GCP) (Coming)
  • SOC 2 Type II (GCP) (Coming)
  • NIST 800-53 (GCP) (Coming)
  • Custom Rego bundles (Enterprise)

Start free. Scale when you need it.

Free
  • CIS GCP Foundations v2.0 evaluation
  • Up to 3 evaluations / month
  • Violation list with remediation hints
  • Compliance score ring
Pro
  • Everything in Free
  • Unlimited evaluations
  • Terraform policy gate on every generation
  • Violation suppression with expiry
  • PDF compliance report export
  • CIS section drill-down
Enterprise
  • Everything in Pro
  • Custom Rego policy bundles
  • PCI-DSS, SOC 2, NIST 800-53 frameworks
  • Policy-as-code CI/CD gate
  • Audit-ready PDF with control evidence
  • SSO + team-level policy management
