
Policy Playground

The Policy Playground is an interactive environment for writing, testing, and debugging OPA policies before activating them. It provides instant feedback with real or sample data.


Accessing the playground

  1. Navigate to Policies > Playground in the left sidebar.
  2. Alternatively, click Test in Playground from any policy editor.

Layout

The playground has a three-panel layout:

| Panel | Purpose |
|---|---|
| Left — Rego Editor | Write or paste your policy code |
| Center — Input | JSON input that simulates what the policy will receive |
| Right — Output | Evaluation result after clicking Evaluate |

┌─────────────────┬─────────────────┬─────────────────┐
│                  │                 │                  │
│   Rego Editor    │   Input (JSON)  │   Output         │
│                  │                 │                  │
│   package mayo.  │   {             │   {              │
│   triage         │     "finding":  │     "decision":  │
│                  │     { ... }     │     "accept"     │
│   decision :=    │   }             │   }              │
│   "accept" if {  │                 │                  │
│     ...          │                 │                  │
│   }              │                 │                  │
│                  │                 │                  │
└─────────────────┴─────────────────┴─────────────────┘

Loading sample inputs

Instead of writing JSON by hand, you can load real data:

From a finding

  1. Click Load from finding above the input panel.
  2. Search for a finding by ID, title, or CVE.
  3. Select a finding — its full input object is loaded.

From a scan

  1. Click Load from scan above the input panel.
  2. Select a recent scan.
  3. Choose a finding from the scan results.

From templates

  1. Click Templates above the input panel.
  2. Choose a template for the policy kind you're testing:
    • Triage: finding with CVE, SAST finding, secret detection finding
    • Priority: post-triage finding
    • Ownership: finding with team context
    • Project: GitHub asset, uploaded asset
    • PR Scan: PR with new findings, clean PR

Evaluating a policy

  1. Write your Rego in the left panel.
  2. Set or load an input in the center panel.
  3. Click Evaluate (or press Ctrl+Enter / Cmd+Enter).
  4. The output panel shows the result.

Successful evaluation

{
  "decision": "accept"
}

No matching rules

If no rules match the input, the output shows only values with explicit defaults:

{}

Info

An empty output means no rule's conditions were satisfied. This is not an error — it means the policy has no opinion about this input.

Validation error

If the Rego code has syntax errors, the output panel shows the error with line numbers:

1 error occurred:
  policy.rego:5: rego_parse_error: unexpected token "="
    decision = "accept"
              ^

Batch testing

Test your policy against multiple inputs at once:

  1. Click Batch Test in the toolbar.
  2. Add multiple input cases, each with an expected output.
  3. Click Run All.
  4. Results show pass/fail for each case.
┌─────────────────────────────────────────────────────┐
│ Batch Test Results                                    │
├──────────┬────────────┬────────────┬────────────────┤
│ Case     │ Expected   │ Actual     │ Status         │
├──────────┼────────────┼────────────┼────────────────┤
│ Case 1   │ "accept"   │ "accept"   │ ✓ Pass         │
│ Case 2   │ "reject"   │ "reject"   │ ✓ Pass         │
│ Case 3   │ "accept"   │ (none)     │ ✗ Fail         │
└──────────┴────────────┴────────────┴────────────────┘

Save test cases

Batch test cases can be saved alongside the policy. They run automatically when the policy is edited, acting as a regression test suite.
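
The same regression idea, written as Rego unit tests that run offline with the open-source `opa test` command. This is an added example, not code from the product or its documentation. The accept conditions are the ones shown in the trace output on this page; the `reject` rule, the `"info"` severity value and all test inputs are assumptions constructed for illustration.

```rego
package mayo.triage

import rego.v1

# Accept critical findings that carry a CVE identifier
# (the two conditions shown in the page's trace output).
decision := "accept" if {
    input.finding.severity == "critical"
    input.finding.cve_id != ""
}

# Assumed rule for illustration: reject informational findings.
decision := "reject" if {
    input.finding.severity == "info"
}

# --- Regression tests (constructed inputs) ---

test_accept_critical_with_cve if {
    decision == "accept" with input as {"finding": {"severity": "critical", "cve_id": "CVE-2026-1234"}}
}

test_reject_info if {
    decision == "reject" with input as {"finding": {"severity": "info", "cve_id": ""}}
}

# Empty cve_id: the accept body is false, no other rule matches,
# so decision is undefined and the output would be {}.
test_no_decision_for_critical_without_cve if {
    not decision with input as {"finding": {"severity": "critical", "cve_id": ""}}
}

# Missing cve_id field: the reference itself is undefined, so the
# comparison is undefined (not true) and the rule still does not match.
test_no_decision_when_cve_field_missing if {
    not decision with input as {"finding": {"severity": "critical"}}
}
```

Run it with `opa test -v policy.rego`. The last two tests pin down the kind of case a results table reports as `(none)`: a rule body that is false, or that references a missing field, leaves `decision` undefined instead of raising an error.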


Debugging with trace

Enable Trace Mode to see how OPA evaluates your policy step by step:

  1. Toggle Trace in the toolbar.
  2. Click Evaluate.
  3. The output panel shows each rule evaluation with pass/fail:
Enter decision := "accept"
| Enter input.finding.severity == "critical"
| | value: true
| Enter input.finding.cve_id != ""
| | value: true (cve_id = "CVE-2026-1234")
| Exit decision := "accept" (matched)

This is invaluable for understanding why a rule is or isn't matching.


Sharing playground sessions

Click Share to generate a link to your current playground state (Rego code + input). Share the link with teammates for review.

Warning

Shared links include the input data. Avoid sharing links that contain sensitive finding data outside your organization.


Keyboard shortcuts

| Shortcut | Action |
|---|---|
| Ctrl+Enter / Cmd+Enter | Evaluate |
| Ctrl+S / Cmd+S | Save policy (if opened from editor) |
| Ctrl+Shift+F / Cmd+Shift+F | Format Rego code |
| Ctrl+/ / Cmd+/ | Toggle comment |

Playground vs. production

The playground runs the same OPA engine as production, with one difference:

  • print() statements work in the playground for debugging but are stripped in production evaluation.

This means if your policy works in the playground, it will work in production.

