Checkmarx · ArturRibeiro-CX · Nov 8, 2024 · Nov 8, 2024 · Nov 8, 2024 · Nov 8, 2024
@@ -0,0 +1,21 @@
+name: validate-rego
+
+on:
+  pull_request:
+    paths:
+      - "assets/**/*.rego"
+
+jobs:
+  lint-rego:
+    name: Run Regal Linter on Rego Files
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Regal
+        uses: StyraInc/[email protected]
+        with:
+          version: v0.11.0
+      - name: Run Regal Linter
+        run: regal lint --format=github assets --config-file=assets/.regal/config.yml
@@ -1,4 +1,4 @@
-FROM checkmarx/go:1.23.1-r0@sha256:61d8f083c9781614cad318dc8a0b35fb2b9c7f88226829f4a5bdc00117c47cc2 AS build_env
+FROM checkmarx/go:1.23.3-r1@sha256:aab4acc0cb9d689cbc17c5dbdaa58a993779d82e6f9061962b6722270d518f6f AS build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -29,7 +29,7 @@ RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM checkmarx/git@sha256:a4253a0291cec1dab3c4e85ccfd0c49d8c6d4a52e34c9159a59cb6a5fc7b4432
+FROM checkmarx/git@sha256:125b4c8f86e647f00e2a26e2a38da10528e325aea3af9306ac3d125d441e92c7
 
 ENV TERM xterm-256color
 

@@ -0,0 +1,66 @@
+rules:
+  bugs:
+    not-equals-in-loop:
+      # https://docs.styra.com/regal/rules/bugs/not-equals-in-loop
+      level: ignore
+    rule-shadows-builtin:
+      # https://docs.styra.com/regal/rules/bugs/rule-shadows-builtin
+      level: warn
+  idiomatic:
+    no-defined-entrypoint:
+      # https://docs.styra.com/regal/rules/idiomatic/no-defined-entrypoint
+      # No single entrypoint for this project
+      level: ignore
+    # temporary
+    non-raw-regex-pattern:
+      # https://docs.styra.com/regal/rules/idiomatic/non-raw-regex-pattern 
+      level: warn
+    use-in-operator:
+      # https://docs.styra.com/regal/rules/idiomatic/use-in-operator
+      level: warn
+    use-some-for-output-vars:
+      # https://docs.styra.com/regal/rules/idiomatic/use-some-for-output-vars
+      # These would be good to address, but would require a concentrated effort
+      level: ignore
+    custom-has-key-construct:
+      # https://docs.styra.com/regal/rules/idiomatic/custom-has-key-construct
+      level: warn
+    equals-pattern-matching:
+      # https://docs.styra.com/regal/rules/idiomatic/equals-pattern-matching
+      level: warn
+  style:
+    avoid-get-and-list-prefix:
+      # https://docs.styra.com/regal/rules/style/avoid-get-and-list-prefix
+      level: ignore
+    external-reference:
+      # https://docs.styra.com/regal/rules/style/external-reference
+      level: ignore
+    file-length:
+      # https://docs.styra.com/regal/rules/style/file-length
+      level: ignore
+    line-length:
+      # https://docs.styra.com/regal/rules/style/line-length
+      level: ignore
+    no-whitespace-comment:
+      # https://docs.styra.com/regal/rules/style/no-whitespace-comment
+      level: warn
+    opa-fmt:
+      # https://docs.styra.com/regal/rules/style/opa-fmt
+      level: warn
+    prefer-some-in-iteration:
+      # https://docs.styra.com/regal/rules/style/prefer-some-in-iteration
+      # 10000+ violations fixed but way more to go
+      level: ignore
+    prefer-snake-case:
+      # https://docs.styra.com/regal/rules/style/prefer-snake-case
+      level: ignore
+    rule-length:
+      # https://docs.styra.com/regal/rules/style/rule-length
+      level: ignore
+    todo-comment:
+      # https://docs.styra.com/regal/rules/style/todo-comment
+      # only one TODO comment in the codebase to fix this issue
+      level: ignore
+    use-assignment-operator:
+      # https://docs.styra.com/regal/rules/style/use-assignment-operator
+      level: ignore
@@ -1,11 +1,13 @@
 package generic.ansible
 
+import future.keywords.in
+
 # Global variable with all tasks in input
 tasks := TasksPerDocument
 
 # Builds an object that stores all tasks for each document id
 TasksPerDocument[id] = result {
-	document := input.document[i]
+	some document in input.document
 	id := document.id
 	result := getTasks(document)
 }
@@ -33,14 +35,12 @@ getTasksFromBlocks(playbook) = result {
 		not task.block
 		validPath(path)
 	]
-} else = [playbook] {
-	true
-}
+} else = [playbook]
 
 # Validates the path of a nested element inside a block task to assure it's a task
 validPath(path) {
 	count(path) > 1
-	validGroup(path[minus(count(path), 2)])
+	validGroup(path[count(path) - 2])
 }
 
 # Identifies a block task
@@ -96,9 +96,7 @@ allowsPort(allowed, port) {
 	high >= portNumber
 } else {
 	allowed.ports[_] == port
-} else = false {
-	true
-}
+} else = false
 
 # Checks if a given port is included in a network rule
 isPortInRule(rule, portNumber) {
@@ -112,7 +110,7 @@ isPortInRule(rule, portNumber) {
 }
 
 isPortInRule(rule, portNumber) {
-	rule.ports[_] == portNumber
+	portNumber in rule.ports
 }
 
 isPortInRule(rule, portNumber) {
@@ -149,11 +147,11 @@ isEntireNetwork(cidr) {
 }
 
 installer_modules := [
-	"community.general.apk", "ansible.builtin.apt", "ansible.builtin.apt", "community.general.bundler", "ansible.builtin.dnf", "community.general.easy_install", 
-	"community.general.gem", "community.general.homebrew", "community.general.jenkins_plugin", "community.general.npm", "community.general.openbsd_pkg", 
-	"ansible.builtin.package", "ansible.builtin.package", "community.general.pear", "community.general.pacman", "ansible.builtin.pip", "community.general.pkg5", 
-	"community.general.pkgutil", "community.general.pkgutil", "community.general.portage", "community.general.slackpkg", "community.general.sorcery", 
-	"community.general.swdepot", "win_chocolatey", "community.general.yarn", "ansible.builtin.yum", "community.general.zypper", "apk", "apt", "bower", "bundler", 
-	"dnf", "easy_install", "gem", "homebrew", "jenkins_plugin", "npm", "openbsd_package", "openbsd_pkg", "package", "pacman", "pear", "pip", "pkg5", "pkgutil", 
+	"community.general.apk", "ansible.builtin.apt", "ansible.builtin.apt", "community.general.bundler", "ansible.builtin.dnf", "community.general.easy_install",
+	"community.general.gem", "community.general.homebrew", "community.general.jenkins_plugin", "community.general.npm", "community.general.openbsd_pkg",
+	"ansible.builtin.package", "ansible.builtin.package", "community.general.pear", "community.general.pacman", "ansible.builtin.pip", "community.general.pkg5",
+	"community.general.pkgutil", "community.general.pkgutil", "community.general.portage", "community.general.slackpkg", "community.general.sorcery",
+	"community.general.swdepot", "win_chocolatey", "community.general.yarn", "ansible.builtin.yum", "community.general.zypper", "apk", "apt", "bower", "bundler",
+	"dnf", "easy_install", "gem", "homebrew", "jenkins_plugin", "npm", "openbsd_package", "openbsd_pkg", "package", "pacman", "pear", "pip", "pkg5", "pkgutil",
 	"portage", "slackpkg", "sorcery", "swdepot", "win_chocolatey", "yarn", "yum", "zypper",
-]
+]
@@ -2,20 +2,20 @@ package generic.azureresourcemanager
 
 # gets the network security group properties for two types of resource ('Microsoft.Network/networkSecurityGroups' and 'Microsoft.Network/networkSecurityGroups/securityRules')
 get_sg_info(value) = typeInfo {
-    value.type == "Microsoft.Network/networkSecurityGroups/securityRules"
+	value.type == "Microsoft.Network/networkSecurityGroups/securityRules"
 	typeInfo := {
-		"type": value.type, 
-		"properties": value.properties, 
+		"type": value.type,
+		"properties": value.properties,
 		"path": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties",
-		"sl": ["properties"]
-   }   
+		"sl": ["properties"],
+	}
 } else = typeInfo {
 	value.type == "securityRules"
 	typeInfo := {
-		"type": value.type, 
-		"properties": value.properties, 
+		"type": value.type,
+		"properties": value.properties,
 		"path": "resources.type={{securityRules}}.properties",
-		"sl": ["properties"]
+		"sl": ["properties"],
 	}
 }
 
@@ -58,14 +58,12 @@ get_children(doc, parent, path) = childArr {
 	childArr := array.concat(resourceArr, outerArr)
 }
 
-get_outer_children(doc, nameParent) = outerArr {
-	outerArr := [x |
-		[path, value] := walk(doc)
-		startswith(value.name, nameParent)
-		value.name != nameParent
-		x := {"value": value, "path": path}
-	]
-}
+get_outer_children(doc, nameParent) := [x |
+	[path, value] := walk(doc)
+	startswith(value.name, nameParent)
+	value.name != nameParent
+	x := {"value": value, "path": path}
+]
 
 getDefaultValueFromParametersIfPresent(doc, valueToCheck) = [value, propertyType] {
 	parameterName := isParameterReference(valueToCheck)
@@ -84,11 +82,10 @@ isParameterReference(valueToCheck) = parameterName {
 	parameterName := trim_right(trim_left(trim_left(valueToCheck, "[parameters"), "('"), "')]")
 }
 
-
-isDisabledOrUndefined(doc, resource, parametersPath){
+isDisabledOrUndefined(doc, resource, parametersPath) {
 	object.get(resource, split(parametersPath, "."), "not defined") == "not defined"
 } else {
-	value := object.get(resource, split(parametersPath, "."),"")
+	value := object.get(resource, split(parametersPath, "."), "")
 	[check, _] := getDefaultValueFromParametersIfPresent(doc, value)
 	check == false
 }
@@ -1,2 +1 @@
 package generic.cicd
-
@@ -63,9 +63,10 @@ udpPortsMap = {
 }
 
 # Get content of the resource(s) based on the type
-getResourcesByType(resources, type) = list {
-	list = [resource | resources[i].Type == type; resource := resources[i]]
-}
+getResourcesByType(resources, type) = [resource |
+	resources[i].Type == type
+	resource := resources[i]
+]
 
 getBucketName(resource) = name {
 	name := resource.Properties.Bucket