OPA ends up on the critical path of more decisions than almost anything else you run: Kubernetes admission, service authorization, CI/CD gating. DepKeep keeps that policy layer patched, performant, and well-understood, with responsive security fixes, long-term support, and engineers who read Rego fluently.
We don't speak for the OPA project; it's a healthy, well-run community. What we provide is the responsive, accountable support, patching, and expertise the volunteer model isn't designed to provide, for teams that need it.
A second set of eyes that reads Rego fluently. We review policy for correctness and over-permissiveness, build out test coverage with opa test, and leave you a style the next engineer can follow.
Exposure covers more than OPA itself: Gatekeeper, the Go toolchain, base images, and the bundle machinery around it. We triage advisories across the whole tree and ship a patched build with clear response targets.
Stay on the OPA version your environment is validated against and still receive security and critical bug fixes — so you modernise on your timeline, not upstream's.
The move to Rego v1 is trivial for ten lines and genuinely involved for a mature policy library. We plan and execute the migration, validated against your real decision inputs, not just "it parses now."
Bundle and data refresh strategy, partial evaluation, decision-log volume, and the latency budget OPA adds to every guarded request. Getting these right is what keeps OPA invisible instead of becoming your tail latency.
A named DepKeep engineer who knows your policy library and deployment topology, reachable directly — reducing the bus-factor risk of OPA expertise sitting with one or two people.
We map where OPA sits on your critical path — admission control, service authorization, CI/CD gating — and review your Rego library and bundle distribution for risk and over-permissiveness.
We agree a coverage plan: which versions are in scope, your CVE-response targets across OPA, Gatekeeper, and the dependency tree, and a test/validation baseline for policy changes.
New advisories are triaged promptly after disclosure, backported to your supported version, tested, and delivered as a patched build with full change documentation.
Policy review, performance tuning, and migration planning on call — including the Rego v0 → v1 transition — so OPA stays safe and well-understood as your stack evolves.
OPA or Gatekeeper deciding which workloads are even allowed to run. When the policy is wrong or the controller is down, deployments stop, or worse, the wrong things get through.
Sidecar or library, deciding what each request can do across a fleet of services. A subtly over-permissive rule here is exactly the kind of finding that surfaces in an audit.
Gating Terraform plans, container images, and deployment manifests against policy. OPA on the release path means policy correctness is now a delivery-velocity concern.
Shaping what each caller is permitted to see. Latency and partial-evaluation choices here land on every request, making operability as important as correctness.
Tell us where OPA sits in your stack. We'll come back with a scoped proposal within one business day.