The port was open, but the policy said no.
When network scans reveal exposed services, the gap between detection and enforcement is where risk grows. Nmap finds the ports. Open Policy Agent (OPA) enforces the rules. Together, they close that gap before it becomes a breach.
Nmap is the industry standard for scanning IP ranges, identifying services, and mapping attack surfaces. Skilled security teams use it to audit networks, validate segmentation, and catch drift from intended configurations. But Nmap alone only observes. It does not decide.
Open Policy Agent is a general-purpose policy engine. Its policies are written in Rego, a declarative language whose rules define what is allowed or denied across infrastructure, APIs, and microservices. OPA evaluates a JSON input document against those rules and returns a decision. It integrates with Kubernetes, CI/CD, and service meshes, and it treats policy as code: tested, versioned, and deployed like software.
By integrating Nmap with OPA, you can automate security posture enforcement. Scan results feed into OPA as structured data. Policies assert which ports, protocols, or hosts are permitted. Open ports outside policy trigger alerts, quarantines, or orchestration-level changes. This moves the workflow from "scan and review" to "scan, decide, act."
A practical setup:
- Run Nmap with XML output (`-oX`); Nmap has no native JSON writer, so the XML is the machine-readable source.
- Parse the XML into a JSON document with a stable schema (hosts, ports, protocols, states, service names) that OPA receives as `input`.
- Write Rego rules that encode the approved service map: which host may expose which protocol/port, with everything else open counted as a violation.
- Evaluate the scan data with OPA's REST Data API (`POST /v1/data/<package>`), with `opa eval` in a pipeline step, or with OPA embedded as a Go library.
- Feed the decision into CI/CD pipelines, container hooks, or cloud automation, failing the step or quarantining the host when `allow` is false.
This approach replaces manual review cycles with a continuous check that runs in minutes, so infrastructure changes are verified against your security model every time they are deployed. The check is only as good as the scanner's vantage point: scan from the network positions whose exposure the policy actually cares about, and treat the approved service map as code so that widening it goes through review.
When scanning and policy are tied together, detection velocity matches enforcement velocity. That is the difference between finding a problem and fixing it before it matters.
See how to run this workflow live in minutes at hoop.dev.