Minimum compatible Open Policy Agent (OPA) version, or mcov for short, is a tiny tool that, as the name implies, reports the minimum compatible OPA version for any given Rego files you point it at. This can be used to:
- Ensure that your policies are compatible with the OPA version you are running in production
- Check the impact on version requirements for any given change to policy
- That's it! There's literally nothing more to see
$ mcov policies/
v0.37.0Note that not all features of Rego that have been added over time — or changes made to existing ones — are possible to track using capabilities alone. Use the version reported by mcov as a starting point — not as a replacement for testing compatibility!
Below lists additions to the Rego language, as presented in the OPA capabilities file for each version. Features that may have an impact on the minimum compatible OPA version but are not covered by capabilities are mentioned separately.
New built-in functions
strings.count
Not covered by capabilities
- Using a keyword, like
contains, as a rule name, is now a parser error whenrego.v1is imported
New built-in functions
json.marshal_with_options
New built-in functions
crypto.x509.parse_and_verify_certificates_with_options
Features
import rego.v1(rego_v1_import)
Features
- Support for General References in Rule Heads (
rule_head_refs)
Not covered by capabilities
- Short form
elsebodies
New built-in functions
numbers.range_step
New built-in functions
crypto.parse_private_keys
Not covered by capabilities
- Honor
defaultkeyword on functions
New built-in functions
crypto.x509.parse_keypair
New built-in functions
crypto.hmac.equal
New built-in functions
json.verify_schemajson.match_schema
New built-in functions
time.format
New built-in functions
object.keysproviders.aws.sign_req
Features
- Refs in rule heads (
rule_head_ref_string_prefixes)
New built-in functions
graphql.schema_is_validnet.cidr_is_valid
Not covered by capabilities
- Entrypoint annotation
with: Allow replacing functions with rules
New built-in functions
regex.replace
New built-in functions
strings.any_prefix_matchstrings.any_suffix_match
Not covered by capabilities
- All
is_validfunctions made to return boolean false rather than throw errors
Future keywords
containsif
New built-in functions
object.subset
New built-in functions
graphql.is_validgraphql.parsegraphql.parse_and_verifygraphql.parse_querygraphql.parse_schemaunits.parse
New built-in functions
rego.metadata.chainrego.metadata.rule
Not covered by capabilities
- Function mocking
- Assignment with
:=allowed in all locations (rule heads, functions, object generating rules)
Future keywords
every
Not covered by capabilities
- Metadata annotations
New built-in functions
object.union_ngraph.reachable_pathsindexof_n
Not covered by capabilities
object.get: accepting path argument as array
New built-in functions
crypto.hmac.md5crypto.hmac.sha1crypto.hmac.sha256crypto.hmac.sha512array.reversestrings.reverse
Miscellaneous
allow_netcapability added
New built-in functions
net.lookup_ip_addr
Future keywords
in
New built-in functions
internal.member_2(inoperator)internal.member_3(inoperator)print
New built-in functions
crypto.x509.parse_rsa_private_key
New built-in functions
crypto.x509.parse_and_verify_certificatesrand.intn
New built-in functions
time.diff
New built-in functions
ceilfloor
New built-in functions
base64url.encode_no_padhex.encodehex.decodejson.patchjson.is_validyaml.is_valid
New built-in functions
base64.is_validnet.cidr_mergeurlquery.decode_object
New built-in functions
regex.is_valid
New built-in functions
numbers.rangesemver.is_validsemver.compare
For questions, discussions and announcements related to Styra products, services and open source projects, please join the Styra community on Slack!