diff --git a/.github/workflows/validate-rego.yaml b/.github/workflows/validate-rego.yaml
index 667be29e310..96e459ad176 100644
--- a/.github/workflows/validate-rego.yaml
+++ b/.github/workflows/validate-rego.yaml
@@ -9,8 +9,6 @@ jobs:
 lint-rego:
 name: Run Regal Linter on Rego Files
 runs-on: ubuntu-latest
- env:
- REGO_FILES_PATH: assets
 steps:
 - uses: actions/checkout@v4
 with:
@@ -20,4 +18,4 @@ jobs:
 with:
 version: v0.11.0
 - name: Run Regal Linter
- run: regal lint --format=github ${{ env.REGO_FILES_PATH }}
+ run: regal lint --format=github assets
diff --git a/assets/.regal/rego_config.yaml b/.regal.yaml
similarity index 94%
rename from assets/.regal/rego_config.yaml
rename to .regal.yaml
index 4ce5368c8aa..8adacdfe54a 100644
--- a/assets/.regal/rego_config.yaml
+++ b/.regal.yaml
@@ -35,12 +35,6 @@ rules:
 # All of these are optional, but worth considering
 avoid-get-and-list-prefix:
 level: ignore
- prefer-snake-case:
- level: ignore
- line-length:
- level: warn
- rule-length:
- level: warn
 external-reference:
 level: ignore
 file-length:
@@ -52,7 +46,7 @@ rules:
 opa-fmt:
 level: ignore
 prefer-some-in-iteration:
- level: ignore
+ level: warn
 prefer-snake-case:
 level: ignore
 rule-length:
diff --git a/assets/queries/ansible/aws/efs_without_kms/query.rego b/assets/queries/ansible/aws/efs_without_kms/query.rego
index 551ae895054..81c9c268106 100644
--- a/assets/queries/ansible/aws/efs_without_kms/query.rego
+++ b/assets/queries/ansible/aws/efs_without_kms/query.rego
@@ -6,6 +6,8 @@ import data.generic.common as common_lib
 modules := {"community.aws.efs", "efs"}
 CxPolicy[result] {
+ some id, t
+ some m in modules
 task := ansLib.tasks[id][t]
 efs := task[modules[m]]
 ansLib.checkState(efs)
diff --git a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/query.rego b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/query.rego
index aba6b1eadb0..c04987d3daa 100644
--- a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/query.rego
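Review bot: The renamed config now lives at a root `.regal.yaml`, yet the workflow hunk above keeps `version: v0.11.0`; as far as I recall, Regal releases of that vintage only discover `.regal/config.yaml` by walking up from the linted path, and a top-level `.regal.yaml` was accepted only later, so the pinned linter may be running with default rule levels after this change (the old `.regal/rego_config.yaml` name suggests the previous config was not being read either). Please confirm in the CI log that a rule set to `level: ignore` here, such as `opa-fmt`, produces no annotations, or bump the pin to a Regal version documented to read `.regal.yaml`. Raising `prefer-some-in-iteration` from `ignore` to `warn` is consistent with the `some` declarations added in the query hunks below, but at `warn` it will not fail the job, so the workflow still passes when the config is silently ignored.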
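Review bot: `some m in modules` sits on its own line below `some id, t`, while the cloudfront query touched in this same commit declares all three as `some id, t, m`; because `modules` is a set, `modules[m]` with a plain `some m` already enumerates its members, so evaluation is the same either way. Presumably both forms satisfy the new `warn` level; picking one form across the ansible queries touched here would keep them readable side by side. `CxPolicy` continues past the hunk.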
+++ b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/query.rego
@@ -4,6 +4,7 @@ import data.generic.ansible as ansLib
 import data.generic.common as common_lib
 CxPolicy[result] {
+ some id, t, m
 task := ansLib.tasks[id][t]
 modules := {"community.aws.cloudfront_distribution", "cloudfront_distribution"}
 cloudfront := task[modules[m]]
@@ -24,6 +25,7 @@ CxPolicy[result] {
 }
 CxPolicy[result] {
+ some id, t, m, a
 task := ansLib.tasks[id][t]
 modules := {"community.aws.cloudfront_distribution", "cloudfront_distribution"}
 cloudfront := task[modules[m]]
diff --git a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/query.rego b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/query.rego
index 33626557256..524686f0930 100644
--- a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/query.rego
+++ b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/query.rego
@@ -30,7 +30,9 @@ is_privileged_port(port) {
 both_ports := split(port, ":")
 host_port := both_ports[0]
 to_number(host_port) < 1024
-} else { #COVERS "CONTAINER" port from short syntax "HOST:CONTAINER"
+} #COVERS "CONTAINER" port from short syntax "HOST:CONTAINER"
+
+else {
 both_ports := split(port, ":")
 container_port := both_ports[1]
 to_number(container_port) < 1024
diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego
index b99baf2ac70..a279d05733e 100644
--- a/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego
+++ b/assets/queries/dockerfile/maintainer_instruction_being_used/query.rego
@@ -1,6 +1,7 @@
 package Cx
 CxPolicy[result] {
+ some i, name
 resource := input.document[i].command[name][_]
 resource.Cmd == "maintainer"
diff --git a/assets/queries/k8s/role_binding_to_default_service_account/query.rego b/assets/queries/k8s/role_binding_to_default_service_account/query.rego
index 5f302156ce0..8252d91c5d5 100644
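Review bot: `#COVERS "CONTAINER" port from short syntax "HOST:CONTAINER"` is now attached to the `}` that closes the host-port branch, two lines away from the `else {` whose body it actually describes, so a reader scanning the HOST branch sees a comment about the CONTAINER case. If the formatter wants `else` on its own line, move the comment with it, e.g. `else { # covers "CONTAINER" port from short syntax "HOST:CONTAINER"`, or place it on the first line inside the `else` body. `is_privileged_port` starts before this hunk.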
--- a/assets/queries/k8s/role_binding_to_default_service_account/query.rego
+++ b/assets/queries/k8s/role_binding_to_default_service_account/query.rego
@@ -1,9 +1,12 @@
 package Cx
+import future.keywords.in
+
 CxPolicy[result] {
- document := input.document[i]
+ some i, c
+ some document in input.document
 document.kind == "RoleBinding"
- subjects := document.subjects
+ some subjects in document.subjects
 subjects[c].kind == "ServiceAccount"
 subjects[c].name == "default"
diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego
index 74ba07b792e..a5bcbf66d7c 100644
--- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego
+++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego
@@ -3,11 +3,12 @@ package Cx
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
+ some i, resourceType, name, key
 resource := input.document[i].resource[resourceType]
 labels := resource[name].metadata.labels
- regex.match("^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", labels[key]) == false
+ regex.match(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`, labels[key]) == false
 result := {
 "documentId": input.document[i].id,
@@ -18,4 +19,4 @@ CxPolicy[result] {
 "keyExpectedValue": sprintf("%s[%s].metada.labels[%s] has valid label", [resourceType, name, key]),
 "keyActualValue": sprintf("%s[%s].metada.labels[%s] has invalid label", [resourceType, name, key]),
 }
-}
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego
index fd3df0e9727..1b0ca97b5ab 100644
--- a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego
+++ b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/query.rego
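Review bot: `some subjects in document.subjects` binds `subjects` to one subject object rather than the array, so the unchanged `subjects[c].kind == "ServiceAccount"` on the next line now looks up a key `c` inside a single subject and then asks for `.kind` of that string value; nothing satisfies it, and the policy silently stops reporting RoleBindings that grant the default service account. Keep the array binding and let `c` index it: `some i, c`, `document := input.document[i]`, `subjects := document.subjects`. Replacing `document := input.document[i]` with `some document in input.document` also leaves the declared `i` unbound; if the result block, which lies outside the hunk, still reads `input.document[i].id`, that would enumerate every document rather than the matching one, which is another reason to keep `document := input.document[i]`. A positive test sample with a RoleBinding whose subject is `kind: ServiceAccount` / `name: default` would have caught this regression.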
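Review bot: The second hunk's only change is `\ No newline at end of file` on the new side: the closing `}` of `CxPolicy` lost its trailing newline, which `opa fmt` and most editors will presumably put back, so the next diff of this file touches the same line again. Restore the final newline. In the first hunk, switching the regex to a raw string literal is behavior-neutral because the pattern contains no backslash escapes. The rule body between the two hunks is not visible here.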
@@ -4,6 +4,7 @@ import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 CxPolicy[result] {
+ some i, name
 resource := input.document[i].resource.tencentcloud_mysql_instance[name]
 resource.internet_service == 1