v0.9.0
This release brings three new rules to Regal, a new Rego-based build system, and improvements to the Go API. Plus a number of improvements, features and bugfixes.
The v0.9.0 release also coincides with some exciting news from our community — users of the Rego Playground now experience Regal integrated in the tool, and have linter violations reported directly in the UI!
New rule: dubious-print-sprintf
Category: testing
This new rule will flag the use of `print` together with `sprintf` in its argument list. The `print` function takes any number of arguments as it is, and using `sprintf` negates the benefits of the `print` function's special handling of undefined values.
For more information, see the docs on dubious-print-sprintf.
Thank you @Ronnie-personal for contributing this rule! 👏
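To show what the rule guards against, here is an added Rego example (not from the release notes or the Regal project) with a constructed input; the built-ins are OPA's, while the package and rule names are my own.

```rego
package demo.print_sprintf

import future.keywords.if

# Constructed example input, referred to in the comments below:
#   {"path": "/admin"}          (note: no "user" key at all)

# Flagged by dubious-print-sprintf. With the input above, input.user.name is
# undefined, so the whole sprintf call is undefined and the message that was
# supposed to tell us which path was requested is never formatted. The debug
# output disappears exactly in the case where it would have been most useful.
flagged if {
	print(sprintf("user %v requested %v", [input.user.name, input.path]))
}

# Preferred form. print accepts any number of arguments and substitutes
# <undefined> for those that are undefined, so the line is always emitted:
#   user <undefined> requested /admin
preferred if {
	print("user", input.user.name, "requested", input.path)
}
```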
New rule: forbidden-function-call
Category: custom
In the custom category, the new `forbidden-function-call` rule will allow you to configure a list of built-in functions that should be flagged by Regal if encountered. This could for example be `http.send` calls, or JWT decoding using HMAC rather than asymmetric crypto.
For more information, see the docs on forbidden-function-call.
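As an added example (not from the release notes or the Regal project), a configuration forbidding the calls mentioned above is shown in the leading comment, followed by Rego the rule would flag beside a form it would not. The `forbidden` key and the `rules.custom` path are taken from the rule's documentation as I recall it, so check the linked docs; the package name, `data` paths and issuer URL are constructed placeholders.

```rego
# Assumed .regal/config.yaml for this example:
#
#   rules:
#     custom:
#       forbidden-function-call:
#         # "level" may be left out since this release; it is then inherited
#         # from the rule's default configuration.
#         level: error
#         forbidden:
#           - http.send
#           - io.jwt.verify_hs256
#           - io.jwt.verify_hs384
#           - io.jwt.verify_hs512

package demo.forbidden_calls

import future.keywords.if

# Flagged: an outbound request made during policy evaluation, and HMAC
# verification, which needs the shared secret present wherever the policy runs.
allow_flagged if {
	resp := http.send({"method": "GET", "url": "https://authz.example.internal/check"})
	resp.status_code == 200
	io.jwt.verify_hs256(input.token, data.secrets.jwt_hmac_key)
}

# Not flagged: the decision is made from input and data only, and verification
# uses the issuer's public key (a constructed placeholder under data.keys).
allow_preferred if {
	[valid, _, claims] := io.jwt.decode_verify(input.token, {
		"cert": data.keys.issuer_public_key_pem,
		"alg": "RS256",
		"iss": "https://issuer.example.com"
	})
	valid
	claims.sub == input.user
}
```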
New rule: chained-rule-body
Category: style
The new chained-rule-body rule will have Regal flag rules where the body is "chained", as this style isn't recommended any more.
For more information, see the docs on chained-rule-body.
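What a chained body looks like, and the form the rule prefers, as an added Rego example (not from the release notes or the Regal project); package and rule names are constructed.

```rego
package demo.chained

import future.keywords.if

# Flagged by chained-rule-body: two bodies chained onto a single rule head.
# This is equivalent to defining the rule twice (a logical OR), but the head
# is easy to miss when reading the second body on its own.
allow_chained {
	input.user.role == "admin"
} {
	input.user.role == "auditor"
	input.method == "GET"
}

# Preferred: one rule per alternative, with the head repeated, so each
# condition under which the decision holds can be read and linted on its own.
allow if input.user.role == "admin"

allow if {
	input.user.role == "auditor"
	input.method == "GET"
}
```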
Regal in the Rego Playground!
Regal is now integrated in the Rego Playground, and provides users with information on linter violations as they work on their policies!
Thanks @charlieegan3 for your work on this!
Go API (experimental)
While integrations using the Go API are still not recommended, several steps were taken in this release to move it closer to a stable state. This work was done in order to get Regal integrated into the Rego Playground.
Documentation
A new page on Regal's architecture has been added to the docs, which should be helpful for people looking to contribute to Regal, or those curious to learn more about how Regal works.
Using Rego to build Rego that lints Rego!
Regal now uses Rego — via @charlesdaniels' eminent `rq` tool — as a "build tool" of sorts. See this LinkedIn post for more details, and a link to our new build definition file. The development docs have been updated with instructions for using this tool.
While we're on that topic — the new `do.rq pr` task will run all the formatting, testing and linter steps required to prepare a PR. Make sure to use it when contributing!
Thanks to @srenatus for leading the way on this one!
Other improvements and fixes
- Custom configuration for a rule is no longer required to provide a `level` attribute. If not provided, the level will be inherited from the default configuration for that rule.
- The `walk` built-in function is now by default excepted by the `function-arg-return` rule. See the rule documentation for details.
- The `regal lint` command now accepts a `--metrics` flag, which will provide helpful information on where Regal spends most of the time evaluating a project.
Credits
Thank you all who contributed to this release! Special thanks go out to first-time contributors:
You rock! 👏
Changelog
- b1ae6f8: test: allow running "regal" on its own bundle (#286) (@srenatus)
- 2e16be6: Change tap -> repository (@anderseknert)
- 4e48367: Fix: Scaffolding now properly populates templatesge nam… (#277) (@ThomasKingoTM)
- 5d13fbb: Bump actions/checkout from 3 to 4 (#288) (@dependabot[bot])
- 30a2210: Allow not providing level in user configuration (#289) (@anderseknert)
- 2d0bb3d: Add `regal test bundle` recommendation (@anderseknert)
- 5cc95a6: Check for presence of binary before running e2e tests (#296) (@anderseknert)
- 44da56e: Except walk from function-arg-return (#299) (@anderseknert)
- 4f2d49e: Ensure unused-return-value isn't triggered on function arg return (@anderseknert)
- d65beef: Bump tibdex/github-app-token from 1 to 2 (#308) (@dependabot[bot])
- c6ea324: Add documentation on architecture (#309) (@anderseknert)
- 3045787: Sort table by category and rule name (#310) (@anderseknert)
- d8aff71: Rule: chained-rule-body (#295) (@anderseknert)
- a8403a8: Expose rules and parser opts for use as library (#307) (@charlieegan3)
- 9cf0889: Add note about prod use of Go API (#311) (@charlieegan3)
- c9ed881: Dubious use of print and sprintf (#291) (@Ronnie-personal)
- 0178af9: Add --compare-to-readme flag to `regal table` (#312) (@anderseknert)
- 1da57a8: Add documentation for `dubious-print-sprintf` (#314) (@anderseknert)
- bce1cfe: Update documentation resources index (#313) (@anderseknert)
- 8196cc5: Bump goreleaser/goreleaser-action from 4 to 5 (#315) (@dependabot[bot])
- d3d9986: Store list of refs for use by rules (#316) (@anderseknert)
- 88ca661: build: use rq (#319) (@srenatus)
- be6e99d: Rule: `forbidden-function-call` (custom) (#318) (@anderseknert)
- d3355e1: Add rq `pr` task to help prepare for PRs (#320) (@anderseknert)
- 2aa25e7: Use Open-Policy-Agent as linguist language (#321) (@anderseknert)
- bb83ebe: build/do.rq: build binary for tasks list if needed (#324) (@srenatus)
- 3011243: do.rq: don't depend on 'ls' (#325) (@srenatus)
- 995ca6a: Metrics (#333) (@anderseknert)
- 83f22ee: Unmarshalling: Remove extra attributes "level" and "ignore" (#335) (@anderseknert)