ReATest: enhancing policy-as-code workflows through automated test case generation from Rego policies
Abstract
Policy-as-code (PaC) has emerged as a key practice in development, security, and operations (DevSecOps), enabling organizations to specify, manage, and enforce access control policies as part of the software delivery pipeline. At the core of PaC, Rego, the policy language of the Open Policy Agent (OPA), has been widely adopted to implement fine-grained and flexible authorization rules across cloud-native and microservice-based environments. However, testing Rego policies remains a major challenge: current practice relies heavily on manual or ad hoc test case design, which often leads to insufficient coverage and latent security risks. This article introduces ReATest, an automated approach to enhancing PaC workflows through systematic test case generation from Rego specifications. ReATest defines a specialized Rego Flow Graph that captures the semantics of Rego rules, conditions, and policy decisions, and then systematically explores its execution paths to achieve comprehensive coverage. To optimize the generated test suite, the Grey Wolf Optimization algorithm is employed to reduce redundancy while maximizing coverage. The approach has been evaluated on realistic Rego policies from open-source repositories and industrial case studies. Experimental results show that ReATest achieved an average 35.43% reduction in test suite size while maintaining 64.57% transition coverage; overall, this corresponds to 69.77% fewer tests compared to the published baselines. This improvement enhances the reliability and efficiency of PaC workflows in real-world applications.
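The abstract describes a pipeline (build a flow graph from the policy, enumerate execution paths, derive one test per path, measure transition coverage, then shrink the suite). The script below is an added illustration of that pipeline, not code from the ReATest paper or from OPA, and it makes several simplifying assumptions that are labelled in the comments: rule bodies are hand-encoded as lists of equality conditions rather than parsed from Rego; bodies are modelled as tried in order, whereas real OPA evaluates every body and ORs the results (same decision for this policy, different notion of "path"); and a greedy set-cover pass stands in for the paper's Grey Wolf Optimization step. The policy and all function names are constructed for the example.

```python
"""Simplified Rego flow graph: path enumeration, input synthesis, transition
coverage and suite reduction. Added example; assumptions are marked below."""
import json

ALLOW, DENY = "ALLOW", "DENY"
OTHER = "__other__"  # sentinel value that equals none of the constants in RULES

# Constructed policy under test. RULES is its hand-encoded form (assumption:
# each body is a list of (dotted input path, expected constant) equalities).
POLICY = """package authz
import rego.v1
default allow := false
allow if { input.user.role == "admin" }
allow if { input.user.role == "editor"; input.action == "read"; input.resource.classification == "public" }
allow if { input.user.role == "editor"; input.action == "delete"; input.resource.classification == "public" }
"""
RULES = [
    [("user.role", "admin")],
    [("user.role", "editor"), ("action", "read"), ("resource.classification", "public")],
    [("user.role", "editor"), ("action", "delete"), ("resource.classification", "public")],
]

def successors(rules, node):
    """(true_dst, false_dst) of condition node (rule_idx, cond_idx). Assumption:
    a failed condition falls through to the next body, a fully satisfied body allows."""
    r, c = node
    t = (r, c + 1) if c + 1 < len(rules[r]) else ALLOW
    f = (r + 1, 0) if r + 1 < len(rules) else DENY
    return t, f

def edges(rules):
    """Every transition (node, outcome, dst) of the graph."""
    out = []
    for r, body in enumerate(rules):
        for c in range(len(body)):
            t, f = successors(rules, (r, c))
            out += [((r, c), True, t), ((r, c), False, f)]
    return out

def enumerate_paths(rules):
    """DFS from the first condition: list of (steps, decision), steps = [(node, outcome)]."""
    paths = []
    def walk(node, steps):
        if node in (ALLOW, DENY):
            paths.append((steps, node))
            return
        t, f = successors(rules, node)
        walk(t, steps + [(node, True)])
        walk(f, steps + [(node, False)])
    walk((0, 0), [])
    return paths

def synthesize_input(rules, steps):
    """Flat {dotted path: value} satisfying every step, or None if the path is infeasible
    (e.g. a path that needs user.role != "editor" and later user.role == "editor")."""
    must_eq, must_ne = {}, {}
    for (r, c), outcome in steps:
        path, value = rules[r][c]
        if outcome:
            if must_eq.get(path, value) != value or value in must_ne.get(path, ()):
                return None
            must_eq[path] = value
        else:
            if must_eq.get(path) == value:
                return None
            must_ne.setdefault(path, set()).add(value)
    inp = dict(must_eq)
    for path in must_ne:
        inp.setdefault(path, OTHER)
    return inp

def generate_tests(rules):
    """One (input, expected decision) per feasible path."""
    return [(inp, d) for steps, d in enumerate_paths(rules)
            if (inp := synthesize_input(rules, steps)) is not None]

def execute(rules, inp):
    """Walk the graph on an input: (decision, set of transitions taken)."""
    node, taken = (0, 0), set()
    while node not in (ALLOW, DENY):
        path, value = rules[node[0]][node[1]]
        outcome = inp.get(path) == value
        t, f = successors(rules, node)
        nxt = t if outcome else f
        taken.add((node, outcome, nxt))
        node = nxt
    return node, taken

def transition_coverage(rules, tests):
    """Fraction of graph transitions exercised by the suite."""
    covered = set().union(*(execute(rules, inp)[1] for inp, _ in tests)) if tests else set()
    return len(covered) / len(edges(rules))

def reduce_suite(rules, tests):
    """Greedy set cover keeping the suite's transition coverage. Stand-in for the
    paper's Grey Wolf Optimization; not its algorithm."""
    per_test = [execute(rules, inp)[1] for inp, _ in tests]
    remaining = set().union(*per_test) if per_test else set()
    chosen = []
    while remaining:
        best = max(range(len(tests)), key=lambda i: len(per_test[i] & remaining))
        chosen.append(tests[best])
        remaining -= per_test[best]
    return chosen

def nest(flat):
    """{'user.role': 'admin'} -> {'user': {'role': 'admin'}} for the `input` document."""
    out = {}
    for path, value in flat.items():
        *parents, leaf = path.split(".")
        cur = out
        for p in parents:
            cur = cur.setdefault(p, {})
        cur[leaf] = value
    return out

def to_rego_tests(tests, package="authz"):
    """Render the suite as an OPA test file (`opa test` runs the test_* rules)."""
    lines = [f"package {package}_test", "import rego.v1", f"import data.{package}", ""]
    for i, (inp, decision) in enumerate(tests, 1):
        expect = f"{package}.allow" if decision == ALLOW else f"not {package}.allow"
        lines.append(f"test_path_{i} if {{ {expect} with input as {json.dumps(nest(inp))} }}")
    return "\n".join(lines)

if __name__ == "__main__":
    suite = generate_tests(RULES)
    reduced = reduce_suite(RULES, suite)
    print(f"paths={len(enumerate_paths(RULES))} feasible={len(suite)} "
          f"coverage={transition_coverage(RULES, suite):.0%} reduced={len(reduced)}")
    print(to_rego_tests(reduced))
```

On the constructed policy the graph has 14 transitions and 14 root-to-decision paths, 7 of which are feasible; the 7 synthesized inputs reach 100% transition coverage, and the greedy pass drops one redundant test (an editor with an unknown action, whose transitions are all exercised by other tests) for a 6-test suite at the same coverage. The emitted file can be run against POLICY with `opa test` once both are saved to disk; the infeasible-path check is the piece worth keeping in mind when comparing against the paper's coverage figures, since a generator that does not prune unsatisfiable paths will overcount both tests and reachable transitions.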