ci: init Rego linting #313

Merged
merged 1 commit into from
Jan 14, 2025
8 changes: 8 additions & 0 deletions .github/workflows/test-rego.yaml
Expand Up @@ -24,6 +24,14 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4

- name: Setup Regal
uses: StyraInc/setup-regal@33a142b1189004e0f14bf42b15972c67eecce776 # v1
with:
version: 0.29

- name: Lint Rego
run: make lint-rego

- uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
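Review bot: `version: 0.29` on the Setup Regal step is an unquoted YAML scalar, so it is parsed as a float before GitHub Actions stringifies it; that happens to round-trip for 0.29, but a future bump such as `0.30` would silently become "0.3" and install the wrong release. Quote it as `version: "0.29"` so the pin is a literal string. The setup-regal action is pinned to a full commit SHA with a `# v1` marker, which is the right supply-chain practice; the surrounding `actions/checkout@v4` and `actions/setup-go@v5` context lines use mutable tags, so pinning is now inconsistent within the job (pre-existing, but worth aligning while touching the file). The job definition continues outside the hunk.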
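--- a/.regal/config.yaml
+++ b/.regal/config.yaml
@@ -0,0 +1,16 @@
+rules:
+  default:
+    level: ignore
+  custom:
+    naming-convention:
+      level: error
+      conventions:
+        - pattern: '^builtin|lib|defsec|appshield'
+          targets:
+            - package
+  naming:
+    deny-rule:
+      level: error
+      ignore:
+        files:
+          - "*_test.rego"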
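Review bot: The `naming-convention` pattern `'^builtin|lib|defsec|appshield'` anchors only the first alternative — regex precedence reads it as `(^builtin)|(lib)|(defsec)|(appshield)` — and Regal evaluates these patterns with Rego's `regex.match`, which searches rather than full-matches, so any package whose path merely contains `lib`, `defsec` or `appshield` anywhere satisfies the rule, while the intent is presumably a fixed set of top-level package prefixes. Group the alternatives and anchor the group: `- pattern: '^(builtin|lib|defsec|appshield)(\.|$)'`. The `default: level: ignore` setting switches off every built-in Regal rule, which is a reasonable bootstrap for an existing corpus but leaves only the two custom rules active; a one-line comment above it stating that intent (`# built-in rules are opted into incrementally; only the custom rules below are enforced`) would save the next reader from wondering why no standard lints fire.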
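--- a/.regal/rules/custom/regal/rules/naming/deny-rule/deny_rule.rego
+++ b/.regal/rules/custom/regal/rules/naming/deny-rule/deny_rule.rego
@@ -0,0 +1,19 @@
+# METADATA
+# description: Ensures that no rules in the check are named with the prefix 'deny_'
+# related_resources:
+# - description: documentation
+#   ref: https://github.com/aquasecurity/trivy-checks/pull/283
+# schemas:
+# - input: schema.regal.ast
+package custom.regal.rules.naming["deny-rule"]
+
+import rego.v1
+
+import data.regal.ast
+import data.regal.result
+
+report contains violation if {
+	some rule in input.rules
+	startswith(ast.ref_to_string(rule.head.ref), "deny_")
+	violation := result.fail(rego.metadata.chain(), result.location(rule))
+}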
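Review bot: The METADATA `description` says what the rule rejects but not why; the only rationale is the PR link under `related_resources`, so a contributor whose CI run fails on this lint has to leave the repository to learn what `deny_`-prefixed rules break. Extend the description with the one-sentence reason from #283 (I cannot confirm the exact cause from this diff, so it should be stated by someone who can) and mention that `*_test.rego` files are exempted in `.regal/config.yaml` rather than here. The check compares `startswith` against the full head ref string, so a nested head such as `foo.deny_bar` is not flagged; if that scope is intended, a why-comment above the `startswith` line such as `# only top-level rule names are checked; nested refs like foo.deny_bar are out of scope` makes it explicit instead of looking like an oversight.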
@@ -0,0 +1,35 @@
package custom.regal.rules.naming["deny-rule_test"]

import rego.v1

import data.custom.regal.rules.naming["deny-rule"] as rule

test_rule_named_startswith_not_allowed if {
module := regal.parse_module("example.rego", `
package policy

deny_foo := true`)

r := rule.report with input as module

r == {{
"category": "naming",
"description": "Ensures that no rules in the check are named with the prefix 'deny_'",
"related_resources": [{
"description": "documentation",
"ref": "https://github.com/aquasecurity/trivy-checks/pull/283",
}],
"level": "error",
"location": {
"file": "example.rego",
"row": 4,
"col": 2,
"end": {
"row": 4,
"col": 18,
},
"text": "\tdeny_foo := true",
},
"title": "deny-rule",
}}
}
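Review bot: The test file covers only the positive case (a `deny_foo` rule is reported) and has no case asserting that a legitimately named rule yields an empty report, so a regression that makes the check over-match — flagging the plain `deny` rule name the checks presumably rely on, or any name that merely contains `deny` — would pass the suite unnoticed. Add a negative test next to `test_rule_named_startswith_not_allowed` that parses a module with a `deny` rule and a `foo_deny_bar` rule and asserts `rule.report with input as module` equals `set()`. The file header for this section is missing from the rendered page, so the path is inferred from the package name `custom.regal.rules.naming["deny-rule_test"]`.
```rego
test_rule_named_deny_allowed if {
	module := regal.parse_module("example.rego", `
package policy

deny contains "x" if true

foo_deny_bar := true`)

	r := rule.report with input as module

	r == set()
}
```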
10 changes: 9 additions & 1 deletion Makefile
Expand Up @@ -15,12 +15,20 @@ rego: fmt-rego test-rego

.PHONY: fmt-rego
fmt-rego:
opa fmt -w lib/ checks/ examples/
opa fmt -w lib/ checks/ examples/ .regal/rules

.PHONY: test-rego
test-rego:
go run ./cmd/opa test --explain=fails lib/ checks/ examples/ --ignore '*.yaml'

.PHONY: lint-rego
lint-rego:
@regal test .regal/rules
@regal lint lib checks \
--config-file .regal/config.yaml \
--enable deny-rule,naming-convention \
--timeout 5m

.PHONY: bundle
bundle: create-bundle verify-bundle

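Review bot: The new `lint-rego` target is not wired into the aggregate `rego:` target shown in the hunk header (`rego: fmt-rego test-rego`), so a developer running `make rego` locally gets formatting and tests but never the lint that CI enforces, and only discovers the violation after pushing; change that line to `rego: fmt-rego lint-rego test-rego`. The lint also runs over `lib checks` only, whereas `fmt-rego` and `test-rego` both include `examples/` — if examples are deliberately outside the naming rules, a comment on the target saying so (`# examples/ are not linted: they are not shipped checks`) prevents someone "fixing" the inconsistency later. `--enable deny-rule,naming-convention` duplicates the `level: error` settings already in `.regal/config.yaml`; harmless, but it creates two places that can drift. The `rego:` line itself is outside the hunk.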