update regal config file and fix linting

Checkmarx · Nov 8, 2024 · 09ac2a0 · 09ac2a0
1 parent ea4c140
commit 09ac2a0
Show file tree

Hide file tree

Showing 9 changed files with 19 additions and 15 deletions.
diff --git a/.github/workflows/validate-rego.yaml b/.github/workflows/validate-rego.yaml
@@ -9,8 +9,6 @@ jobs:
   lint-rego:
     name: Run Regal Linter on Rego Files
     runs-on: ubuntu-latest
-    env:
-      REGO_FILES_PATH: assets
     steps:
       - uses: actions/checkout@v4
         with:
@@ -20,4 +18,4 @@ jobs:
         with:
           version: v0.11.0
       - name: Run Regal Linter
-        run: regal lint --format=github ${{ env.REGO_FILES_PATH }}
+        run: regal lint --format=github assets
diff --git a/assets/.regal/rego_config.yaml → .regal.yaml b/assets/.regal/rego_config.yaml → .regal.yaml
@@ -35,12 +35,6 @@ rules:
     # All of these are optional, but worth considering
     avoid-get-and-list-prefix:
       level: ignore
-    prefer-snake-case:
-      level: ignore
-    line-length:
-      level: warn
-    rule-length:
-      level: warn
     external-reference:
       level: ignore
     file-length:
@@ -52,7 +46,7 @@ rules:
     opa-fmt:
       level: ignore
     prefer-some-in-iteration:
-      level: ignore
+      level: warn
     prefer-snake-case:
       level: ignore
     rule-length:

diff --git a/assets/queries/ansible/aws/efs_without_kms/query.rego b/assets/queries/ansible/aws/efs_without_kms/query.rego
@@ -6,6 +6,8 @@ import data.generic.common as common_lib
 modules := {"community.aws.efs", "efs"}
 
 CxPolicy[result] {
+	some id, t
+	some m in modules
 	task := ansLib.tasks[id][t]
 	efs := task[modules[m]]
 	ansLib.checkState(efs)

diff --git a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/query.rego b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/query.rego
@@ -4,6 +4,7 @@ import data.generic.ansible as ansLib
 import data.generic.common as common_lib
 
 CxPolicy[result] {
+	some id, t, m
 	task := ansLib.tasks[id][t]
 	modules := {"community.aws.cloudfront_distribution", "cloudfront_distribution"}
 	cloudfront := task[modules[m]]
@@ -24,6 +25,7 @@ CxPolicy[result] {
 }
 
 CxPolicy[result] {
+	some id, t, m, a
 	task := ansLib.tasks[id][t]
 	modules := {"community.aws.cloudfront_distribution", "cloudfront_distribution"}
 	cloudfront := task[modules[m]]

diff --git a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/query.rego b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/query.rego
@@ -30,7 +30,9 @@ is_privileged_port(port) {
 	both_ports := split(port, ":")
 	host_port := both_ports[0]
 	to_number(host_port) < 1024
-} else { #COVERS "CONTAINER" port from short syntax "HOST:CONTAINER"
+} #COVERS "CONTAINER" port from short syntax "HOST:CONTAINER"
+
+else {
 	both_ports := split(port, ":")
 	container_port := both_ports[1]
 	to_number(container_port) < 1024

diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego
@@ -1,6 +1,7 @@
 package Cx
 
 CxPolicy[result] {
+	some i, name
 	resource := input.document[i].command[name][_]
 	resource.Cmd == "maintainer"
 

diff --git a/assets/queries/k8s/role_binding_to_default_service_account/query.rego b/assets/queries/k8s/role_binding_to_default_service_account/query.rego
@@ -1,9 +1,12 @@
 package Cx
 
+import future.keywords.in
+
 CxPolicy[result] {
-	document := input.document[i]
+	some i, c
+	some document in input.document
 	document.kind == "RoleBinding"
-	subjects := document.subjects
+	some subjects in document.subjects
 	subjects[c].kind == "ServiceAccount"
 	subjects[c].name == "default"
 

diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego
@@ -3,11 +3,12 @@ package Cx
 import data.generic.terraform as tf_lib
 
 CxPolicy[result] {
+	some i, resourceType, name, key
 	resource := input.document[i].resource[resourceType]
 
 	labels := resource[name].metadata.labels
 
-	regex.match("^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", labels[key]) == false
+	regex.match(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`, labels[key]) == false
 
 	result := {
 		"documentId": input.document[i].id,
@@ -18,4 +19,4 @@ CxPolicy[result] {
 		"keyExpectedValue": sprintf("%s[%s].metada.labels[%s] has valid label", [resourceType, name, key]),
 		"keyActualValue": sprintf("%s[%s].metada.labels[%s] has invalid label", [resourceType, name, key]),
 	}
-}
+}
diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego
@@ -4,6 +4,7 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 
 CxPolicy[result] {
+	some i, name
 	resource := input.document[i].resource.tencentcloud_mysql_instance[name]
 	resource.internet_service == 1