
Update openpolicyagent/opa Docker tag to v1.15.2 #1575

Open
renovate[bot] wants to merge 1 commit into main from renovate/openpolicyagent-opa-1.x

Conversation


renovate bot commented Mar 24, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package                       Type   Update  Change
openpolicyagent/opa (source)  stage  minor   1.2.0 → 1.15.2

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

open-policy-agent/opa (openpolicyagent/opa)

v1.15.2

Compare Source

This release updates the version of Go used to build the OPA binaries and images to 1.26.2.
This version of Go contains multiple security fixes.

v1.15.1

Compare Source

This patch release fixes a backwards-incompatible change in the v1/logging.Logger interface that inadvertently made it into Release v1.15.0.
When using OPA as Go module, and when providing custom Logger implementations, this change would break your build.

Tip: Users of the binaries or Docker images can ignore this, the code is otherwise the same as v1.15.0.

Miscellaneous
  • logging: make WithContext() optional (authored by @​srenatus)

v1.15.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Add logger plugin interface and file logger implementation with log rotation
  • Custom HTTPAuthPlugin behavior change, all per-request authentication logic must be moved from NewClient() to
    Prepare()
  • AWS signing support for web identity for assume role credentials

Logger Plugin Support (#​8434) (authored by @​srenatus)

OPA now supports pluggable logging implementations via the logger plugin interface, which is based on Go's standard log/slog.Handler interface. This allows any slog.Handler implementation to be used as a logger plugin. Loggers can be configured via the server.logger_plugin configuration option and used for both runtime logging and decision logs. OPA includes a built-in file logger plugin (file_logger) that writes structured JSON logs with rotation support using lumberjack. Users can also implement and register custom logger plugins when building OPA.

Example configuration for server logging:

server:
  logger_plugin: file_logger

plugins:
  file_logger:
    path: /var/log/opa/server.log
    max_size_mb: 100
    max_age_days: 28
    max_backups: 3
    compress: true
    level: info

Example configuration for decision logs using the same plugin:

server:
  logger_plugin: file_logger

decision_logs:
  plugin: file_logger

plugins:
  file_logger:
    path: /var/log/opa/server.log
    max_size_mb: 100
    max_age_days: 28
    max_backups: 3
    compress: true
    level: info

Custom HTTPAuthPlugin behavior change (#​8376) (authored by @​srenatus)

The HTTPAuthPlugin.NewClient() method is now called once per Client instance and cached rather than being called for
every request. Custom plugins that performed per-request operations in NewClient() (such as request counters,
per-request transport wrapping, or logging/metrics side effects) will now only execute those operations once. All
per-request authentication logic must be moved from NewClient() to Prepare(). All plugins included in OPA have been
updated and are unaffected by this change.

Runtime, SDK, Tooling
  • plugins/logger: Add logger plugin interface and file logger implementation with log rotation (#​8434) (authored by
    @​srenatus)
  • plugins/logs: Decision logs can now use logger plugins for output (#​8434) (authored by @​srenatus)
  • logging: Add BufferedLogger to capture early startup logs before plugins are initialized (#​8434) (authored by
    @​srenatus)
  • plugins/rest: Configurable re-read interval for TLS client certificates via cert_reread_interval_seconds field.
    Defaults to re-reading on every request for backwards compatibility.
    The implementation also uses content hashing to detect changes and avoid re-parsing unchanged TLS certificates and
    keys. (#​8376) (authored by @​srenatus)
  • plugins/rest: All TLS configurations now inherit the minimum version and TLS ciphersuites as configured for the
    server. (#​8376) (authored by @​srenatus)
  • internal/providers/aws: Refactor deprecated crypto/elliptic APIs to crypto/ecdh (#​8395) (authored by @​kanywst)
  • plugins/rest: AWS Signing - Allow Service Account (Web Identity) credentials for Assume Role Credentials (#8386)
    (authored by @tiagogviegas)
Compiler, Topdown and Rego
  • ast: fix overlapping array and scalar pattern in rule index (authored by @​srenatus)
Bundles
Docs, Website, Ecosystem
Miscellaneous

v1.14.1

Compare Source

This is a patch release collecting two bug fixes and various dependency updates for Golang standard library and common package vulnerabilities.

These bug fixes include a revert of the rule indexer tweaks shipped in 1.14.0, which had caused unexpected lookup failures for some users. (We expect to properly fix the issue in 1.15.0, but for now, a revert is the quicker choice.)

Changes
  • Fix intermittent plugins manager deadlock on opa.configure (#​8407)
  • Revert "ast: make rule index track var assignments and x in {...} (#​8341)" (#​8410)
  • build: bump deps (go.mod from main)
  • build: bump go 1.26.1 (#​8409)

v1.14.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Improved rule indexing of variable assignments and x in {...} expressions
  • Support for --h2c with unix domain socket for opa run
  • A new glossary tooltip for technical terms in the docs
  • Fixes published in the v1.13.1 and v1.13.2 releases
Improved rule indexing of variable assignments and x in {...} expressions (#​1841)

With this change, the rule indexer will index expressions like:

allow if input.role in {"admin", "user"}

On lookup, the rule body will only be returned if input.role is either one of "admin" or "user".

The reverse case is also indexed:

allow if "admin" in input.roles

in which the searched collection is unknown.

Authored by @srenatus, reported by @nischalsheth

Runtime, SDK, Tooling
Compiler, Topdown and Rego
Docs, Website, Ecosystem
Miscellaneous
  • maintainers: Moving nilekhc to emeritus, and renew maintainer terms (#​8276) authored by @​JaydipGabani
  • ast: Add public method to extend the compliance test cases with IR plans (#​7556) authored by @​sspaink reported by @​shomron
  • ast: Tiny nitpicky cleanup (#​8309) authored by @​srenatus
  • chore: Clean up bundle storage tests (#​8267) authored by @​anderseknert
  • chore: Remove unnecessary comment from bundle JWT verification impl (#​8354) authored by @​johanfylling
  • ci: Bump golangci-lint (v2.9.0), fix issues (#​8314) authored by @​srenatus
  • ci: Harden and update all GH Actions workflows (#8356, #8377, #8368) authored by @philipaconrad and @srenatus
  • go: Cleanup old build flags (#​8314) authored by @​srenatus
  • rego: Remove superfluous package import of plugins (#​6754) authored by @​srenatus reported by @​oxisto
  • tests: Extract runtime Info to new package (#​8362) authored by @​charlieegan3
  • tests: Fix BenchmarkFunctionArgumentCounts query (#​8327) authored by @​alex60217101990
  • tests: Disable rule indexing for benchmark (#​8375) authored by @​srenatus
  • workflows: Add nightly vuln checks for released versions/images (#​8336 #​8339) authored by @​srenatus
  • Dependency updates; notably:
    • build: bump golang from 1.25.6 to 1.26.0
    • build(deps): bump go.opentelemetry.io deps from 1.39.0/0.64.0 to 1.40.0/0.65.0
      Applying fix for GHSA-9h8m-3fm2-qjrq
    • build(deps): bump github.com/dgraph-io/badger/v4 from 4.9.0 to 4.9.1
    • build(deps): bump github.com/huandu/go-sqlbuilder from 1.39.0 to 1.39.1
    • build(deps): bump golang.org/x/net from 0.49.0 to 0.50.0
    • build(deps): bump golang.org/x/text from 0.33.0 to 0.34.0
    • build(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.1

v1.13.2

Compare Source

This release updates the version of Go used to build the OPA binaries and images to 1.25.7.
That version of the Go standard library contains a fix for GO-2026-4337.

v1.13.1

Compare Source

This bug fix release addresses an issue found in the new array.flatten built-in function.

v1.13.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • A new immediate upload trigger mode
  • A new array.flatten built-in function
  • Numerous performance improvements
Immediate Upload Trigger Mode in Decision Logger (#​8110)

An immediate trigger mode has been added to the Decision Logger; enabled by setting the decision_logs.reporting.trigger configuration option to immediate.
When enabled, log events are pushed to the log service as soon as the configured upload chunk size criteria is met; or, at latest, when the configured upload delay is reached.

Authored by @​sspaink

Runtime, SDK, Tooling
Compiler, Topdown and Rego
Performance
Docs, Website, Ecosystem
Miscellaneous
  • Decoupled the Rego job check from the Go job checks in the Github PR workflow (#​8203) authored by @​SeanLedford
  • build: Format pr_check.rego with opa fmt (#​8201) authored by @​thevilledev
  • build: Migrate PR check to OPA policy (#​8183) authored by @​SeanLedford
  • build: Run go get against main to spot redacted (#​8146) authored by @​charlieegan3
  • deps: Switch to maintained go.yaml.in/yaml/v3 yaml library (#​8182) authored by @​mrueg
  • test/cases: Increase yaml test coverage for some regex and string builtins (#​8152) authored by @​srenatus
  • Dependency updates; notably:
    • build: bump golang from 1.25.5 to 1.25.6 (#​8224) authored by @​srenatus
    • build(deps): bump go.opentelemetry.io deps from 1.38.0/0.63.0 to 1.39.0/0.64.0
    • build(deps): bump klauspost/compress from v1.18.1 to v1.18.2 (#​8184) authored by @​srenatus
      because of redaction warning
    • build(deps): bump github.com/go-ini/ini from v1.67.0 to gopkg.in/ini.v1 v1.67.1 (#​8208) authored by @​gabrpt

v1.12.3

Compare Source

This is a bug fix release addressing two issues:

Bundle polling is being misconfigured when discovery bundle is updated (#​8215)

This is an issue where the polling interval for discovery (discovery.polling.min_delay_seconds and
discovery.polling.max_delay_seconds) were misinterpreted on reconfiguration, causing extremely long update intervals.

Reported by @​loganmiller-chime, authored by @​sspaink

Decision log size buffer

buffer_size_limit_bytes misconfigured during reconfiguration (#​8213)

This is a regression in the decision log, where the decision_logs.reporting.buffer_size_limit_bytes was mistakenly
assigned the value of decision_logs.reporting.upload_size_limit_bytes during reconfiguration.
This issue is only present when decision_logs.reporting.buffer_type is set to size, which is the default value.

Authored by @​sspaink

v1.12.2

Compare Source

This bug fix release addresses issues found in the new string interpolation feature.

v1.12.1

Compare Source

This bug fix release reverts a change to regex.replace that unintentionally changed its behaviour for anchored regular expressions.

  • Revert "topdown: make regex.replace respect cancellation" (authored by @​srenatus)

v1.12.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • Support for string interpolation in the Rego language
  • Faster compilation and runtime
  • Fixes published in the v1.11.1 release
String Interpolation (#​4733)

The Rego language has been extended to support String Interpolation,
which provides a readable means to compose strings containing dynamic values determined at evaluation time.

An interpolated string is composed of a template-string containing zero or more template-expressions that evaluates to a value at evaluation time.
The $ character prefix identifies a template-string, and template-expressions are declared by being enclosed in curly-braces ({, }).

Additionally, undefined template-expression values don't halt evaluation; instead, <undefined> will be injected into the generated string.

package interpolation

allowed_roles := ["admin", "employee"]

default role := "guest"
role := input.role

deny contains $"User {input.username}'s role was '{role}', but must be one of {allowed_roles}" if {
  not role in allowed_roles
}

{
  "deny": [
    "User <undefined>'s role was 'guest', but must be one of [\"admin\", \"employee\"]"
  ],
}

String interpolation is a more readable and less error-prone substitute for the sprintf built-in function.

Authored by @​johanfylling reported by @​anderseknert

Help us out!

New Rego language features are exciting, and we want to maximize their usefulness. If you come across tools and integrations in the community where string interpolation isn't properly handled, such as syntax highlighting, please reach out and let us know.

Runtime, SDK, Tooling
Compiler, Topdown and Rego
Docs, Website, Ecosystem
Miscellaneous

v1.11.1

Compare Source

This is a bugfix release:

Memory exhaustion via forged gzip header

A crafted HTTP request to any of OPA's HTTP endpoints would lead OPA to use a large amount of memory, triggering
an out-of-memory process exit.

This weakness in OPA's HTTP API gzip handling is as old as the gzip handling itself.
A configurable limit was introduced in v0.67.0, but it has been shown that this security measure wasn't sufficient to avoid running out of memory in memory-constrained setups.
Thanks to @​thevilledev for reporting and fixing this issue.

It only applies to OPA running as server (as a binary or in a container, as "sidecar").
To trigger an OOM process exit using this weakness, an adversary must be able to send an HTTP request directly to OPA.
This would be the case if they are in the same network, there is no proxy in front of OPA, or if OPA was exposed to the internet, which is advised against.

By the nature of HTTP encodings, this would be effective before token-based authentication and authorization policies, so these measures do not protect against the attack vector.
If all OPA endpoints are using TLS-based authentication (mutual TLS, "mTLS"), then an adversary cannot do harm with this method.

Please note that while we're taking all of these issues seriously, OPA isn't designed for adversarial environments.
It's strongly advised not to expose any of its endpoints to the public internet.
Furthermore, available security measures should be applied regardless, for a defense in depth approach.
See the documentation for the available means of authentication and authorization in OPA.

Please also check out our Security Policy for reporting critical issues and bugs.

Decision Logs dropped (introduced in OPA v1.9.0)

When the decision logs buffer was uploaded, the buffer limit inadvertently got reset to the default upload limit (32kb).
This causes logs to be dropped that shouldn't have been dropped.

This default is overridden by the configuration value decision_logs.reporting.upload_size_limit_bytes, see the docs on decision logs.

There's a Prometheus metric for dropped events, counter_decision_logs_dropped_buffer_size_limit_bytes_exceeded,
and you can check that for unexpectedly high counts.

Reported by @​johanneslarsson #​8123, fixed by @​sspaink.

The release is otherwise identical to v1.11.0.

v1.11.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

  • More efficient connection management in the http.send built-in function
  • More performant loading of large bundles containing multiple Rego files
Immutable Releases

Starting with this release, OPA releases are immutable for increased security.

Runtime, SDK, Tooling
Compiler, Topdown and Rego
Docs, Website, Ecosystem

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate.
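The v1.15.0 note on HTTPAuthPlugin says NewClient() is now called once per Client and cached, so anything per-request that a custom plugin did there now happens once. The program below is an added illustration, not OPA's code and not an OPA plugin: it mirrors the two-method NewClient/Prepare contract in a local interface (an assumption about the shape, nothing is imported from OPA), and the X-Request-Nonce header, the bundle URL and the token value are made up for the demonstration. It drives a "legacy" plugin that minted a per-request nonce in NewClient and a migrated one that does so in Prepare, using the 1.15 call pattern (NewClient once, Prepare per request), and counts how many distinct nonces the requests actually carried.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
)

// authPlugin is a local stand-in for the NewClient/Prepare contract described
// in the release notes (assumed shape; this is not OPA's interface type).
type authPlugin interface {
	NewClient() (*http.Client, error)
	Prepare(req *http.Request) error
}

// newNonce returns 16 hex characters of CSPRNG output.
func newNonce() string {
	b := make([]byte, 8)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// legacyPlugin did per-request work in NewClient. That only ever worked
// because NewClient used to run for every request; under the cached-client
// model the nonce is minted once and then replayed on every request.
type legacyPlugin struct{ token, nonce string }

func (p *legacyPlugin) NewClient() (*http.Client, error) {
	p.nonce = newNonce() // per-request work in the wrong method
	return &http.Client{}, nil
}

func (p *legacyPlugin) Prepare(req *http.Request) error {
	req.Header.Set("Authorization", "Bearer "+p.token)
	req.Header.Set("X-Request-Nonce", p.nonce) // hypothetical header name
	return nil
}

// migratedPlugin keeps NewClient to client construction only and moves every
// per-request step into Prepare, as the 1.15.0 note requires.
type migratedPlugin struct{ token string }

func (p *migratedPlugin) NewClient() (*http.Client, error) {
	return &http.Client{}, nil
}

func (p *migratedPlugin) Prepare(req *http.Request) error {
	req.Header.Set("Authorization", "Bearer "+p.token)
	req.Header.Set("X-Request-Nonce", newNonce())
	return nil
}

// distinctNonces drives a plugin the way a 1.15+ caller does: NewClient once,
// then Prepare for each of n requests. It returns how many distinct nonce
// values the n requests carried; anything below n means a nonce was reused.
func distinctNonces(p authPlugin, n int) (int, error) {
	if _, err := p.NewClient(); err != nil {
		return 0, err
	}
	seen := map[string]struct{}{}
	for i := 0; i < n; i++ {
		// Constructed request target; no network traffic is sent.
		req, err := http.NewRequest(http.MethodGet, "https://bundles.example.invalid/bundle.tar.gz", nil)
		if err != nil {
			return 0, err
		}
		if err := p.Prepare(req); err != nil {
			return 0, err
		}
		if req.Header.Get("Authorization") == "" {
			return 0, fmt.Errorf("request %d left without Authorization header", i)
		}
		seen[req.Header.Get("X-Request-Nonce")] = struct{}{}
	}
	return len(seen), nil
}

func main() {
	l, _ := distinctNonces(&legacyPlugin{token: "example-token"}, 5)
	m, _ := distinctNonces(&migratedPlugin{token: "example-token"}, 5)
	fmt.Printf("legacy plugin:   %d distinct nonces over 5 requests (frozen at NewClient)\n", l)
	fmt.Printf("migrated plugin: %d distinct nonces over 5 requests\n", m)
}
```

The same reasoning applies to anything else the note lists as per-request (counters, transport wrapping, metrics): if it lives in NewClient it now runs exactly once per client, silently, with no error to catch.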

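The v1.11.1 note describes memory exhaustion through a forged gzip header on OPA's HTTP API, and says a configurable limit alone was not enough in memory-constrained setups. The program below is an added example of that class of weakness and its mitigation; it is not OPA's code and does not claim to reproduce OPA's decoder. The forgery shown (rewriting the ISIZE field in the gzip trailer, which is the sender's claim of the uncompressed length), the 1 MiB limit and the JSON sample body are all constructed for the demonstration. It contrasts a decoder that plans its allocation from the claimed size with one that streams through a bounded reader and enforces the limit on bytes actually inflated.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrBodyTooLarge is returned when the inflated body exceeds the caller's limit.
var ErrBodyTooLarge = errors.New("decompressed body exceeds configured limit")

// gzipBytes compresses p; used only to build the constructed sample requests.
func gzipBytes(p []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(p)
	zw.Close()
	return buf.Bytes()
}

// forgeTrailer overwrites ISIZE (last 4 bytes of a gzip member, uncompressed
// length mod 2^32) with an attacker-chosen value. The header and the DEFLATE
// data are untouched, so the stream still opens as valid gzip.
func forgeTrailer(body []byte, claimed uint32) []byte {
	out := append([]byte(nil), body...)
	binary.LittleEndian.PutUint32(out[len(out)-4:], claimed)
	return out
}

// declaredSize reads ISIZE. It is sender-controlled and must not drive allocation.
func declaredSize(body []byte) (uint32, error) {
	if len(body) < 8 {
		return 0, errors.New("gzip body shorter than its trailer")
	}
	return binary.LittleEndian.Uint32(body[len(body)-4:]), nil
}

// naiveAllocationPlan returns how many bytes a decoder that preallocates from
// ISIZE would reserve before inflating a single byte. It deliberately does
// not perform the allocation: with a forged trailer that reservation is the
// out-of-memory exit, independent of how small the real payload is.
func naiveAllocationPlan(body []byte) (int64, error) {
	n, err := declaredSize(body)
	if err != nil {
		return 0, err
	}
	return int64(n), nil
}

// safeDecode inflates at most maxBytes. gzip.Reader's working memory is
// bounded by the 32 KiB DEFLATE window whatever the trailer claims, and the
// output buffer grows only with bytes actually produced. A tampered trailer
// surfaces as gzip.ErrChecksum when the stream ends.
func safeDecode(body []byte, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	// Read one byte past the limit so "exactly at limit" and "over" differ.
	out, err := io.ReadAll(io.LimitReader(zr, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxBytes {
		return nil, ErrBodyTooLarge
	}
	return out, nil
}

func main() {
	sample := []byte(`{"input":{"user":"alice","action":"read"}}`) // constructed body
	genuine := gzipBytes(sample)
	forged := forgeTrailer(genuine, 0xFFFFFFFF)

	plan, _ := naiveAllocationPlan(forged)
	fmt.Printf("forged trailer claims %d bytes; a trusting decoder reserves that up front\n", plan)

	out, err := safeDecode(forged, 1<<20)
	fmt.Printf("safeDecode(forged): %d bytes, err=%v\n", len(out), err)
	out, err = safeDecode(genuine, 1<<20)
	fmt.Printf("safeDecode(genuine): %q err=%v\n", out, err)
	_, err = safeDecode(gzipBytes(make([]byte, 3<<20)), 1<<20)
	fmt.Printf("safeDecode(3 MiB of zeros, 1 MiB limit): err=%v\n", err)
}
```

The point the release note makes still stands even with the streaming decoder: the check runs before any token or policy-based authorization, so the limit must be sized for the memory the process actually has, and the endpoint should not be reachable by untrusted senders in the first place.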
renovate bot requested a review from a team as a code owner March 24, 2026 01:14

codecov bot commented Mar 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.07%. Comparing base (24c91d7) to head (8ca8995).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1575   +/-   ##
=======================================
  Coverage   85.07%   85.07%           
=======================================
  Files         105      105           
  Lines       13691    13691           
=======================================
  Hits        11647    11647           
  Misses       1529     1529           
  Partials      515      515           


renovate bot force-pushed the renovate/openpolicyagent-opa-1.x branch from 89170df to 72f50bb on March 27, 2026 01:12
renovate bot changed the title from "chore(deps): update openpolicyagent/opa docker tag to v1.14.1" to "chore(deps): update openpolicyagent/opa docker tag to v1.15.0" on Mar 27, 2026
renovate bot force-pushed the renovate/openpolicyagent-opa-1.x branch from 72f50bb to b2b2ad4 on March 30, 2026 14:33
renovate bot changed the title from "chore(deps): update openpolicyagent/opa docker tag to v1.15.0" to "chore(deps): update openpolicyagent/opa docker tag to v1.15.1" on Mar 30, 2026
renovate bot force-pushed the renovate/openpolicyagent-opa-1.x branch 5 times, most recently from ab25cc9 to 008516f on April 8, 2026 14:09
renovate bot changed the title from "chore(deps): update openpolicyagent/opa docker tag to v1.15.1" to "chore(deps): update openpolicyagent/opa docker tag to v1.15.2" on Apr 8, 2026
renovate bot changed the title from "chore(deps): update openpolicyagent/opa docker tag to v1.15.2" to "Update openpolicyagent/opa Docker tag to v1.15.2" on Apr 8, 2026
renovate bot force-pushed the renovate/openpolicyagent-opa-1.x branch 10 times, most recently from b88683a to 895eb8e on April 10, 2026 16:06
renovate bot force-pushed the renovate/openpolicyagent-opa-1.x branch 4 times, most recently from 8c69af9 to 87d707c on April 13, 2026 11:56
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot force-pushed the renovate/openpolicyagent-opa-1.x branch from 87d707c to 8ca8995 on April 13, 2026 12:29