Claude Code + Regula Policy Validation (2026)
Claude Code for Regula Policy Workflow Guide
Infrastructure policy enforcement has evolved from manual reviews to automated checks, and Regula stands at the forefront of this transformation. By combining Regula’s policy-as-code capabilities with Claude Code’s intelligent assistance, you can build solid workflows that catch security misconfigurations before they reach production. This guide walks you through integrating Claude Code with Regula to create an efficient policy validation pipeline.
Understanding Regula and Policy Workflows
Regula is an open-source policy engine that evaluates infrastructure code against security and compliance rules. It supports multiple input formats including Terraform plans, CloudFormation templates, and Kubernetes manifests. When integrated with Claude Code, you gain an AI-powered partner that can interpret policy failures, suggest fixes, and even generate compliant configurations.
The typical policy workflow involves three stages: development where you write infrastructure code, validation where Regula checks against policies, and remediation where you fix any violations. Claude Code enhances each stage by providing contextual guidance and automating repetitive tasks.
Regula is built on Open Policy Agent (OPA) under the hood, which means its policies are written in Rego. a declarative query language. This gives it enormous flexibility. You can use the built-in rule library covering hundreds of CIS, PCI-DSS, SOC2, and HIPAA controls, or write your own Rego policies from scratch. Claude Code bridges the gap between reading Regula output and understanding what to actually change in your infrastructure code.
How Regula Compares to Alternatives
Before committing to a toolchain, it helps to understand where Regula fits relative to other popular policy engines:
| Tool | Input Formats | Policy Language | Built-in Rules | CI/CD Integration |
|---|---|---|---|---|
| Regula | Terraform, CloudFormation, Kubernetes, ARM | Rego (OPA) | 400+ | Native JSON/JUnit output |
| Checkov | Terraform, CloudFormation, Kubernetes, Dockerfile | Python / YAML | 1000+ | SARIF, JUnit |
| tfsec | Terraform only | YAML / Rego | 400+ | SARIF |
| OPA Conftest | Any structured format | Rego | None (bring your own) | Flexible |
| Sentinel | Terraform (HashiCorp stack) | Sentinel DSL | Limited | Terraform Cloud only |
Regula’s advantage is its tight Terraform plan integration and native OPA compatibility. If your team already uses OPA for other policy decisions, Regula is a natural fit. Claude Code works well with any of these tools, but the JSON output format from Regula is particularly clean for automated parsing and remediation suggestions.
Setting Up Your Environment
Before building workflows, ensure both Regula and Claude Code are installed and accessible. Regula runs as a container or binary, while Claude Code operates through its CLI interface. You’ll want to verify both are in your PATH and configured for your infrastructure directory.
Installing Regula
macOS via Homebrew
brew install regula
Linux binary install
curl -sLo regula https://github.com/fugue/regula/releases/latest/download/regula_linux_amd64
chmod +x regula
sudo mv regula /usr/local/bin/
Docker (no install required)
docker pull fugue/regula:latest
For Terraform workflows, initialize your project structure with a dedicated policies folder:
mkdir -p policies_tf policies_cf && \
regula init --output-format json
This creates the foundation for policy definitions and enables Regula to scan your infrastructure code. Claude Code can then reference these policies when assisting with remediation.
Verifying the Setup
Run a quick sanity check before building any integrations:
Check Regula version
regula version
Run against a Terraform directory
regula run ./terraform --format json | head -50
Run against a CloudFormation template
regula run ./cloudformation/template.yaml --format json
If Regula returns JSON output, you’re ready to wire it into Claude Code workflows. A typical healthy run with no violations returns an empty results array; any violations populate with rule IDs, severities, and resource paths.
Project Directory Structure
A clean project layout makes the integration easier to maintain:
infrastructure/
terraform/
main.tf
variables.tf
outputs.tf
cloudformation/
template.yaml
policies/
custom/
naming-conventions.rego
tagging-requirements.rego
exceptions/
exceptions.json
.claude/
skills/
regula-policy-assistant.md
CONTEXT.md
Placing the Claude Code skill definition inside .claude/skills/ makes it automatically discoverable within that project.
Building the Policy Validation Skill
A Claude Code skill for Regula policy validation should capture the essential commands and interpretation logic. Here’s a practical skill structure for policy workflows:
---
name: regula-policy-assistant
description: Assists with Regula policy validation and remediation
---
Regula Policy Assistant
You help validate infrastructure code using Regula and interpret policy failures.
Available Commands
Run policy checks with: `regula run <target> --format json`
Policy Categories
- CIS: Center for Internet Security benchmarks
- SOC2: Service Organization Control compliance
- PCI-DSS: Payment Card Industry standards
- Custom: Organization-specific policies
This skill provides the foundation for Claude to understand Regula’s output format and respond appropriately to policy violations.
Expanding the Skill with Remediation Context
A more complete skill definition includes remediation patterns for common violations:
---
name: regula-policy-assistant
description: Validates infrastructure code and suggests fixes for Regula violations
---
Regula Policy Assistant
Workflow
1. Run `regula run <target> --format json > results.json`
2. Parse the JSON to identify HIGH and CRITICAL violations first
3. For each violation, identify the resource in the Terraform or CloudFormation file
4. Apply the appropriate fix pattern from the remediation library below
Severity Priority Order
Handle violations in this order: CRITICAL > HIGH > MEDIUM > LOW
Common Fix Patterns
S3 Buckets
- Versioning disabled → add `versioning { enabled = true }`
- Public access not blocked → add `aws_s3_bucket_public_access_block` resource
- Encryption missing → add `server_side_encryption_configuration` block
EC2 Instances
- IMDSv2 not enforced → add `metadata_options { http_tokens = "required" }`
- Security group too permissive → restrict `cidr_blocks` from `0.0.0.0/0`
IAM
- Wildcard actions → replace `"*"` with specific action list
- No MFA required → add MFA condition to assume role policy
Output Format
When reporting fixes, always include:
- Rule ID that was violated
- Resource name and type
- The exact HCL or YAML change required
- Whether the fix is a modification or a new resource
With this richer skill definition, Claude Code can walk through a full results file and produce a prioritized remediation plan rather than just explaining individual failures.
Interpreting Policy Results
When Regula identifies violations, it returns structured JSON output that Claude Code can parse and explain. The output includes severity levels, rule IDs, and resource identifiers. Understanding this structure helps you build more effective remediation workflows.
Consider a typical Regula output for an S3 bucket configuration:
{
"rule_id": "FUNC_S3_BUCKET_VERSIONING_V1",
"severity": "HIGH",
"resource": "aws_s3_bucket.example",
"message": "S3 bucket versioning should be enabled"
}
Claude Code can consume this output and provide actionable remediation steps. The key is creating a skill that understands both the policy rules and the recommended fixes for each violation type.
Full Results Structure
A real Regula results file for a multi-resource Terraform directory looks like this:
{
"summary": {
"filepaths": ["main.tf", "storage.tf"],
"rule_results": {
"FAIL": 4,
"PASS": 31,
"WAIVED": 0
},
"severities": {
"CRITICAL": 1,
"HIGH": 2,
"MEDIUM": 1,
"LOW": 0,
"UNKNOWN": 0
}
},
"rule_results": [
{
"controls": ["CIS-AWS_v1.4.0_2.1.2"],
"filepath": "storage.tf",
"input_type": "tf",
"provider": "aws",
"resource_id": "aws_s3_bucket.app_data",
"resource_type": "aws_s3_bucket",
"rule_description": "S3 bucket versioning should be enabled to preserve object versions.",
"rule_id": "FG_R00257",
"rule_name": "tf_aws_s3_bucket_versioning",
"rule_result": "FAIL",
"rule_severity": "HIGH",
"rule_summary": "S3 bucket versioning should be enabled"
}
]
}
When you pass this to Claude Code with the regula-policy-assistant skill active, it can extract the resource_id and filepath, locate that resource in your Terraform files, and produce a targeted diff showing exactly what to change.
Asking Claude to Parse Results
A practical prompt pattern for parsing Regula output:
Using the regula-policy-assistant skill, I just ran:
regula run ./terraform --format json > regula-results.json
Here are the FAIL results: [paste JSON here]
For each FAIL, identify the file and resource, then show me the corrected HCL.
Prioritize CRITICAL and HIGH severity first.
Claude Code will then produce a numbered remediation list with before/after code blocks for each violation.
Creating Automated Fix Suggestions
One of the most valuable integrations involves having Claude Code suggest fixes based on Regula’s findings. You can build this capability by creating a mapping between common rule IDs and their remediation patterns.
For S3 versioning violations, the fix involves adding a versioning configuration block:
resource "aws_s3_bucket" "example" {
bucket = "my-secure-bucket"
versioning {
enabled = true
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
}
Claude Code can generate these corrections automatically by recognizing the rule ID and understanding the target resource type. This automation significantly reduces the time needed to address policy violations.
Before and After: Common Terraform Fixes
Here are three additional before/after patterns that Claude Code should understand when working through Regula results:
EC2 IMDSv2 Enforcement
Before (FAIL. FG_R00100):
resource "aws_instance" "web" {
ami = "ami-0c55b159cbfafe1f0"
instance_type = "t3.micro"
}
After (PASS):
resource "aws_instance" "web" {
ami = "ami-0c55b159cbfafe1f0"
instance_type = "t3.micro"
metadata_options {
http_endpoint = "enabled"
http_tokens = "required"
http_put_response_hop_limit = 1
}
}
S3 Public Access Block
Before (FAIL. FG_R00229):
resource "aws_s3_bucket" "assets" {
bucket = "my-app-assets"
}
After (PASS):
resource "aws_s3_bucket" "assets" {
bucket = "my-app-assets"
}
resource "aws_s3_bucket_public_access_block" "assets" {
bucket = aws_s3_bucket.assets.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
RDS Deletion Protection
Before (FAIL. FG_R00280):
resource "aws_db_instance" "main" {
engine = "postgres"
instance_class = "db.t3.micro"
username = "admin"
password = var.db_password
}
After (PASS):
resource "aws_db_instance" "main" {
engine = "postgres"
instance_class = "db.t3.micro"
username = "admin"
password = var.db_password
deletion_protection = true
backup_retention_period = 7
storage_encrypted = true
}
These patterns can be embedded directly in your Claude Code skill definition so Claude applies them consistently without needing to reason from first principles each time.
Building Multi-Stage Validation Pipelines
Production workflows typically involve multiple validation stages. You can orchestrate these stages using Claude Code skills that coordinate between different tools and checks.
A typical pipeline might include:
- Pre-commit validation that runs Regula before code commits
- Pull request checks that enforce policy compliance
- Deployment gates that verify infrastructure changes
- Continuous monitoring that detects configuration drift
Claude Code can manage this pipeline by invoking Regula at each stage and interpreting the results. You define the rules, and Claude ensures consistent enforcement.
Pre-Commit Hook Integration
Add Regula checks directly to Git pre-commit hooks so violations are caught before code even leaves a developer’s machine:
#!/bin/bash
.git/hooks/pre-commit
echo "Running Regula policy checks..."
RESULT=$(regula run ./terraform --format json 2>&1)
FAIL_COUNT=$(echo "$RESULT" | python3 -c "import sys, json; d=json.load(sys.stdin); print(d['summary']['rule_results'].get('FAIL', 0))")
if [ "$FAIL_COUNT" -gt "0" ]; then
echo "Regula found $FAIL_COUNT policy violations. Commit blocked."
echo ""
echo "Run: regula run ./terraform --format json | jq '.rule_results[] | select(.rule_result==\"FAIL\")'"
echo "Then ask Claude Code to fix them using the regula-policy-assistant skill."
exit 1
fi
echo "All policy checks passed."
exit 0
GitHub Actions CI/CD Pipeline
name: Infrastructure Policy Validation
on:
pull_request:
paths:
- 'terraform/'
- 'cloudformation/'
jobs:
regula-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install Regula
run: |
curl -sLo regula.tar.gz https://github.com/fugue/regula/releases/latest/download/regula_linux_amd64.tar.gz
tar -xzf regula.tar.gz
sudo mv regula /usr/local/bin/
- name: Run Regula
run: |
regula run ./terraform --format junit > regula-results.xml
regula run ./terraform --format json > regula-results.json
- name: Publish Test Results
uses: EnricoMi/publish-unit-test-result-action@v2
if: always()
with:
files: regula-results.xml
- name: Fail on Critical or High Violations
run: |
CRITICAL=$(jq '[.rule_results[] | select(.rule_result=="FAIL" and .rule_severity=="CRITICAL")] | length' regula-results.json)
HIGH=$(jq '[.rule_results[] | select(.rule_result=="FAIL" and .rule_severity=="HIGH")] | length' regula-results.json)
if [ "$CRITICAL" -gt "0" ] || [ "$HIGH" -gt "0" ]; then
echo "Found $CRITICAL CRITICAL and $HIGH HIGH violations. Pipeline blocked."
exit 1
fi
This pipeline blocks merges on CRITICAL and HIGH violations while still surfacing MEDIUM and LOW findings as informational. Claude Code can then be invoked in the remediation step with the results JSON to produce fix suggestions.
Handling Custom Policies
Beyond Regula’s built-in rules, you can create custom policies tailored to your organization’s requirements. These policies use Rego to define conditions that infrastructure must satisfy.
A custom policy might enforce naming conventions:
name: s3-bucket-naming-convention
description: S3 buckets must follow naming standards
Claude Code can assist in writing these custom policies by suggesting appropriate conditions based on the resources you’re validating. This capability makes Regula adaptable to any compliance framework.
Writing a Complete Custom Rego Policy
Here is a full example of a custom Rego policy that enforces mandatory resource tagging:
policies/custom/required-tags.rego
package rules.required_tags
import data.fugue
__rego__metadoc__ := {
"id": "CUSTOM_TAGS_001",
"title": "Required tags must be present on all AWS resources",
"description": "All AWS resources must have Environment, Owner, and CostCenter tags.",
"custom": {
"controls": {
"INTERNAL": ["TAGGING-001"]
},
"severity": "HIGH"
}
}
resource_type := "MULTIPLE"
required_tags := {"Environment", "Owner", "CostCenter"}
Resources that must have tags
taggable_resources := fugue.resources("aws_instance") |
fugue.resources("aws_s3_bucket") |
fugue.resources("aws_rds_instance") |
fugue.resources("aws_lambda_function")
policy[j] {
resource := taggable_resources[_]
resource_tags := {tag | resource.tags[tag]}
missing := required_tags - resource_tags
count(missing) == 0
j := fugue.allow_resource(resource)
}
policy[j] {
resource := taggable_resources[_]
resource_tags := {tag | resource.tags[tag]}
missing := required_tags - resource_tags
count(missing) > 0
msg := sprintf("Resource %v is missing required tags: %v", [resource.id, missing])
j := fugue.deny_resource_with_message(resource, msg)
}
To activate this custom policy when running Regula:
regula run ./terraform \
--include policies/custom/ \
--format json
Claude Code can help you write these policies by describing what you need in plain English:
Using the regula-policy-assistant skill, write a Rego policy that:
- Applies to all aws_security_group resources
- Fails if any ingress rule allows port 22 from 0.0.0.0/0
- Severity: CRITICAL
- Include the __rego__metadoc__ block
Custom Policy Development Workflow
| Step | Action | Claude Code Role |
|---|---|---|
| 1 | Describe the compliance requirement in plain English | Translates to Rego policy skeleton |
| 2 | Draft the Rego policy | Reviews and suggests improvements |
| 3 | Test against sample Terraform | Runs regula and interprets output |
| 4 | Refine edge cases | Identifies resources the policy misses |
| 5 | Add to CI/CD pipeline | Generates the --include flag configuration |
Best Practices for Integration
When integrating Claude Code with Regula, consider these practical recommendations:
Categorize policies by severity to prioritize remediation efforts. High and critical findings should block deployment, while low-severity issues can be tracked for later resolution. Build this logic into your CI/CD scripts so the blocking threshold is explicit and version-controlled.
Maintain a policy library that documents each rule’s purpose and remediation steps. Claude Code can reference this documentation when explaining violations to team members. Store the library as Markdown files in your repository so it stays in sync with your policies:
policies/
custom/
required-tags.rego
naming-conventions.rego
docs/
CUSTOM_TAGS_001.md ← human-readable explanation + fix guide
NAMING_001.md
exceptions/
exceptions.json
Integrate with your version control workflow by adding Regula checks to pre-commit hooks and CI/CD pipelines. Claude Code can then provide immediate feedback on policy compliance.
Manage exceptions carefully. Regula supports waivers for resources that legitimately need to bypass a rule. Store exceptions in a structured file and require documented justification:
{
"waivers": [
{
"rule_id": "FG_R00229",
"resource_id": "aws_s3_bucket.public_website",
"reason": "This bucket intentionally serves static website content. Public access required.",
"expires": "2026-12-31",
"approved_by": "security-team"
}
]
}
Claude Code can audit this exceptions file periodically and flag entries that have expired or lack justification.
Establish a feedback loop where remediation actions inform policy refinement. As your infrastructure evolves, your policies should adapt accordingly. Schedule quarterly reviews where Claude Code summarizes which rules are triggering most frequently. those patterns often indicate that a policy is too strict, or that a default Terraform module needs to be updated to include a compliant baseline.
Remediation Velocity Tracking
Track how quickly your team resolves violations to identify bottlenecks:
| Metric | Target | How to Measure |
|---|---|---|
| Mean time to remediate CRITICAL | < 4 hours | Timestamp first FAIL to first PASS in CI logs |
| Mean time to remediate HIGH | < 24 hours | Same method |
| Policy bypass rate | < 5% of resources | Count waivers / total resources |
| Recurrence rate | < 10% | Track rule IDs that re-appear after being fixed |
Claude Code can generate these metrics from your CI/CD logs if you ask it to parse the historical Regula output stored as build artifacts.
Conclusion
Combining Claude Code with Regula creates a powerful policy-as-code workflow that automates security validation while maintaining developer productivity. By understanding Regula’s output structure and building appropriate Claude Code skills, you can create systems that not only detect policy violations but actively guide remediation efforts.
The integration transforms policy compliance from a gatekeeping exercise into a collaborative process where AI assistance helps teams build secure infrastructure from the start. Whether you are enforcing CIS benchmarks for an AWS environment, writing custom tagging policies for cost attribution, or building multi-stage pipelines that block unsafe deployments, Claude Code reduces the cognitive overhead of interpreting policy output and translating it into concrete changes.
Start with the skill definition, run your first regula run against a real Terraform directory, and let Claude Code walk you through the results. The initial setup takes less than an hour, and the workflow compounds in value as your policy library grows.
Try it: Estimate your monthly spend with our Cost Calculator.
Related Reading
- Claude Code for OPA Rego Workflow Tutorial Guide
- Claude Code Kubernetes Upgrade Workflow Guide
- Claude Code Terraform Module Development Guide
- Claude Code for Pulumi Policy Pack Workflow Guide
Built by theluckystrike. More at zovo.one
Get started → Generate your project setup with our Project Starter.