diff --git a/.github/workflows/static-checks.yaml b/.github/workflows/static-checks.yaml
index 8b00d0b74b..9488b13e13 100644
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -123,6 +123,10 @@ jobs:
       - name: Install system dependencies
         run: |
           sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc
+      - name: Install open-policy-agent
+        run: |
+          cd "${GOPATH}/src/github.com/${{ github.repository }}"
+          ./tests/install_opa.sh
       - name: Run check
         run: |
           export PATH="${PATH}:${GOPATH}/bin"
diff --git a/tests/install_opa.sh b/tests/install_opa.sh
new file mode 100755
index 0000000000..9684789e1d
--- /dev/null
+++ b/tests/install_opa.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) Edgeless Systems GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -eou pipefail
+
+[[ -n "${DEBUG:-}" ]] && set -o xtrace
+
+test_dir=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
+source "${test_dir}/common.bash"
+
+install_opa()
+{
+    local url
+    local version
+    url=$(get_test_version "externals.opa.url")
+    version=$(get_test_version "externals.opa.version")
+
+    if opa version 2>/dev/null | grep -q "${version}"; then
+        info "OPA version ${version} is already installed"
+        return 0
+    fi
+    info "Installing OPA version ${version} from ${url}"
+
+    curl -fsSL "${url}/releases/download/${version}/opa_linux_amd64_static" \
+        -o "/usr/local/bin/opa" \
+        || die "Failed to download OPA binary"
+
+    chmod +x "/usr/local/bin/opa" \
+        || die "Failed to make OPA binary executable"
+
+    command -v opa &>/dev/null \
+        || die "OPA binary not found in PATH after installation"
+
+    info "Successfully installed OPA version ${version}"
+}
+
+install_opa
diff --git a/versions.yaml b/versions.yaml
index 304de7c66a..0fe37e2112 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -347,6 +347,11 @@ externals:
     url: "https://github.com/containerd/nydus-snapshotter"
     version: "v0.13.14"
 
+  opa:
+    description: "Open Policy Agent"
+    url: "https://github.com/open-policy-agent/opa"
+    version: "v1.5.1"
+
   ovmf:
     description: "Firmware, implementation of UEFI for virtual machines."
     url: "https://github.com/tianocore/edk2"