v0.31.0

This release of Regal updates to OPA v1.1.0, continuing to solidify support for v1 Rego with some nice new rules, performance improvements and bug fixes too.

New Rule: use-object-keys

There are some cases where using object.keys is preferred over using comprehensions. For example:

Avoid

package policy

keys := {k | some k, _ in input.object}

Prefer

package policy

keys := object.keys(input.object)

This is preferred as it more clearly communicates the intent of the code, that is, to get the keys of the object rather than loop over it and collect the keys as you go. More details can be found on the use-object-keys rule page.

New Rule: non-loop-expression

Expressions in loops are evaluated in each iteration of the loop and so it's advisable to avoid using expressions which do not depend on the loop variable within the looping part of a rule in order to improve performance.

Avoid

package policy
allow if {
    some email in input.emails
    admin in input.roles # <- this is not required in the loop
    endswith(email, "@example.com")
}

Prefer

package policy
allow if {
    admin in input.roles # <- moved out of the loop
    some email in input.emails
    endswith(email, "@example.com")
}

This rule can't catch all cases, so still be on the look out. More details can be found on the non-loop-expression rule page.

Fixing non-raw-regex-pattern

The non-raw-regex-pattern rule can now be automatically fixed with regal fix or with a CodeAction for language server clients. #1382

Configuration File Loading

Regal will now use a ~/.config/regal if no parent configuration is found. This is useful when working on Rego in temporary directories. #1378

Regal's language server will now use configuration files in the workspace tree if they exist rather than only looking at parent directories. This more closely matches the behavior of the lint command. #1372

Notable Improvements

• Avoid 'error' paths in our linting Rego to reduce allocations. #1351, #1360, #1374
• Implement the opa-fmt rule using in Rego, removing the need for a Go rule
  linting path entirely. #1393
• More consistently use shared functions and remove dead code to make Regal easier to maintain. #1349,
  #1392, #1383, #1379, #1358, #1356, #1355
• @anaypurohit0907 made their first PR in #1369 adding a new summary to the end of the compact report showing the number of files and violations. Also, #1387 adds a similar improvement to the end of the default 'Pretty' reporter output breaking down errors and warnings.
• Documentation for the deprecated-builtin rule now explains the upgrade process. #1366, thanks @tsandall for the suggestion!

Notable Fixes & Updates

• The use-if rule will now use only the rule name as the violation location, rather than the whole rule. #1362
• Parse errors are now shown in file diagnostics to language server clients
  after a regression. #1408
• @jglasovic made their first PR in #1345
  fixing a bug where the Debug CodeLens was left enabled.
• Better handling of .regal.yaml file use. #1357, thanks @grosser for the input here.
• Some great new open source adopters! #1384, thanks @chendrix for the Regal amigurumi!

Changelog

• 1eff70a: fix: lsp - filter out regal.debug codelens (#1345) (@jglasovic)
• 93faa40: [create-pull-request] automated change (@charlieegan3)
• 193224a: [create-pull-request] automated change (@charlieegan3)
• 434dabf: build(deps): bump golangci/golangci-lint-action (#1350) (@dependabot[bot])
• d7f522e: Add workspace folder type, and "support" that capability (#1347) (@anderseknert)
• a5d1742: Language server refactoring (#1349) (@anderseknert)
• 7b693ee: perf: move config check out of loop (#1351) (@anderseknert)
• d9749f4: lsp: Ensure parse errors are saved as diagnostics correctly (#1352) (@charlieegan3)
• bea7398: Fix missing annotations in LSP parsing (#1354) (@anderseknert)
• 0a17534: chore: Use regal's parse options following (#1355) (@charlieegan3)
• 760b484: fix: Remove mandatory fixes (#1356) (@charlieegan3)
• 2b25493: config: Search for .regal.yaml and use for roots (#1357) (@charlieegan3)
• 6880526: Remove custom Ref stringer (#1359) (@anderseknert)
• 0d506bb: refactor: better use of test helpers (#1358) (@anderseknert)
• b29ad44: perf: always include ignore_files in data (#1360) (@anderseknert)
• 856bf50: The compact output format should include a summary #1364 (#1369) (@anaypurohit0907)
• 9020000: Some style fixes (#1370) (@anderseknert)
• f78f94b: fix: better location reporting in use-if rule (#1362) (@anderseknert)
• 1175266: docs: deprecated built-in replacements (#1366) (@anderseknert)
• 33408e5: Add optional govet checks (#1368) (@anderseknert)
• 1db229a: Small fixes (#1367) (@anderseknert)
• 6430f86: build(deps): bump the dependencies group with 3 updates (#1371) (@dependabot[bot])
• 14cbc3b: Bump OPA to v1.1.0 (#1373) (@anderseknert)
• e1247ea: Don't return error from regal.last (#1374) (@anderseknert)
• 0e794a2: lsp: Use nested workspace configuration if found (#1372) (@charlieegan3)
• d41c3da: [create-pull-request] automated change (#1376) (@github-actions[bot])
• 1f9e2e4: Use .Keys() and .KeysSorted() from OPA (#1379) (@anderseknert)
• a295fef: config: Use global user config if required (#1378) (@charlieegan3)
• 1a3fcfb: linter: Show error if rule or category is invalid (#1381) (@charlieegan3)
• 0e38b37: Add a few more adopters (#1384) (@anderseknert)
• cb81676: build(deps): bump the dependencies group with 2 updates (#1385) (@dependabot[bot])
• 4777c2b: build(deps): bump github/codeql-action in the dependencies group (#1386) (@dependabot[bot])
• be9bc33: fix: non-raw regex pattern (#1382) (@charlieegan3)
• 13a4980: lsp: Add statsviz for profiling visuals (#1388) (@charlieegan3)
• ba53d75: Consistently use new Set type (#1383) (@anderseknert)
• 4347b8a: lsp/test: Error in test should be log instead (#1389) (@charlieegan3)
• 8c15f1c: [create-pull-request] automated change (@charlieegan3)
• a283bee: Remove unused fixer code (#1392) (@anderseknert)
• 194116f: Rego-based opa-fmt (#1393) (@anderseknert)
• 69e3756: Be specific about number of errors vs warnings in regal lint summary #821 (#1387) (@anaypurohit0907)
• 48c9e5e: Some minor cleanups in reporter code (#1397) (@anderseknert)
• a4e3592: Fix false positive in unused-output-variable (#1398) (@anderseknert)
• c75d66f: Rule: use-object-keys (#1399) (@anderseknert)
• 52c7c9b: refactor: simplify data bundle creation (#1400) (@anderseknert)
• 3e6ef5b: [create-pull-request] automated change (#1402) (@github-actions[bot])
• 674e441: lsp: update log messages for root dir note (#1395) (@charlieegan3)
• 76e0760: build(deps): bump the dependencies group with 2 updates (#1404) (@dependabot[bot])
• c6d1a9d: Roast v0.8.1 (#1406) (@anderseknert)
• 539ba39: bundle: Add non-loop-expression rule (#1401) (@charlieegan3)
• 06af4df: lsp: Correctly parse eval and debug params (#1407) (@charlieegan3)
• b29e759: lsp: show parse errors in diagnostics (#1408) (@charlieegan3)

v0.30.2

This release includes a fix for an issue where a missing Regal dir would cause a fatal error when running regal fix (#1341), thanks @grosser for the report again.

Also included is an a fix for an issue where Regal would template files without a Regal extension after renaming them from a Rego file.

Changelog

• df90dec: lsp: ignore after rename if not Rego (#1340) (@charlieegan3)
• 2c6ee8e: fix: add error based on expected regal dir (#1343) (@charlieegan3)

v0.30.1

Regal v0.30.1 is a patch release following the significant v0.30.0 release with first class OPA v1.0.0 support. This patch release addresses some issues discovered in the language server relating to the OPA update as well as a minor new feature.

New options for Regal config location

In addition to the .regal/config.yaml path we've used thus far, it's now possible to use a .regal.yaml instead. This is intended to be used by those preferring a single file rather than a dedicated directory. The config directory will still be required for users with custom rules. It is not possible to use $root/.regal/config.yaml and $root/.regal.yaml in the same directory at the same time. Regal will still use the config file nearest the root in the directory hierarchy, even if they are of different types. Thanks to @grosser for the suggestion!

Changelog

• lsp/completions: Reorder for cheap rego.v1 check by @charlieegan3 in #1335
• docs: opa-fmt v1/v0 notes by @charlieegan3 in #1336
• tidy: Use cmp.Or in a few places by @charlieegan3 in #1337
• Upgrade Roast to v0.6.0 by @anderseknert in #1338
• lsp: Rename correctly when conflicting by @charlieegan3 in #1334
• config: Allow loading of .regal.yaml file too by @charlieegan3 in #1339

Full Changelog: v0.30.0...v0.30.1

v0.30.0

Regal v0.30.0 is the first release to fully support OPA 1.0 while at the same time being fully compatible with older versions of OPA and Rego. This process helped improve both Regal and OPA, as a few things to fix in both projects got identified along the way!

Full support for OPA 1.0, while maintaining compatibility with earlier versions

Regal now seamlessly supports working with both pre-1.0 and 1.0+ policies, or even a mix of both! See Regal's new documentation on OPA 1.0 to learn more about how to get the most out of Regal when working with Rego of any version.

As part of this upgrade, all the Regal docs have now been updated to use OPA/Rego 1.0 syntax, in examples and anywhere else Rego is used.

Finally, and perhaps needless to say — Regal itself and all of its linter policies are now upgraded to OPA 1.0!

Much Faster Linting

A mission that started out with the goal of improving the performance of Regal's linter, ended up with multiple PR's
to improve evaluation performance in OPA. This of course benefits not just Regal, but all users of OPA! However, since
the regal lint command was used for benchmarking, most optimizations have been along the hot path of that command.

Linting with Regal is now almost 2x as fast as before, while consuming 2/3 of the memory previously needed. And we have
more improvements lined up in OPA for the next release, so stay tuned!

Notable Improvements

• The evaluation code lens now supports using an input.yaml file as input, in addition to input.json. Thanks @mrgadgil for suggesting this feature!
• The redundant-existence-check rule now also reports redudant checks of function arguments
• New InputFromTextWithOptions functions for users of the Go API
• Faster evaluation by avoiding custom function calls in hot path
• Reduced time to evaluation by performance improvements in Roast input conversion
• The language server now logs the version of Regal and the path to the binary at startup, helping users know which Regal binary is being used

Notable Fixes

• Fixed issue where --force wasn't honored by regal fix. Thanks @grosser for reporting that!
• Fixed false positive in pointless-reassignment rule
• Fixed false positive in top-level-iteration rule
• Fixed false positive in external-reference rule. Thanks @tsandall for reporting the issue!
• The evaluate code lens now works even when input.json/input.yaml isn't found
• Improved docs for directory-package-mismatch
• Fixed nil dereference in JUnit reporter. Thanks @OhMyGuus for reporting the issue!

Changelog

• 5b7d423: build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.0 (#1263) (@dependabot[bot])
• 99752a0: build(deps): bump github/codeql-action from 3.27.3 to 3.27.4 (#1264) (@dependabot[bot])
• f078127: build(deps): bump codecov/codecov-action from 5.0.0 to 5.0.2 (#1268) (@dependabot[bot])
• c8a0329: lsp: Use notify for sending messages (#1267) (@charlieegan3)
• abd9504: build(deps): bump cross-spawn from 7.0.3 to 7.0.5 in /build (#1266) (@dependabot[bot])
• acd22f7: Add support for using input.yaml in Evaluate code lens (#1269) (@anderseknert)
• 183584a: build(deps): bump codecov/codecov-action from 5.0.2 to 5.0.4 (#1270) (@dependabot[bot])
• 6716d37: Less frequent, and grouped dependabot updates (#1271) (@anderseknert)
• aa65332: build(deps): bump smol-toml from 1.3.0 to 1.3.1 in /build (#1272) (@dependabot[bot])
• 34ba147: build(deps): bump github/codeql-action from 3.27.4 to 3.27.5 (#1274) (@dependabot[bot])
• f61f52b: build(deps): bump codecov/codecov-action from 5.0.4 to 5.0.7 (#1273) (@dependabot[bot])
• 46d913b: rules: Add InputFromTextWithOptions for go users (#1278) (@charlieegan3)
• 2d6b61c: Fix issue where --force wasn't honored in git check (#1282) (@anderseknert)
• da251c9: Enable a few more golangci-lint rules (#1280) (@anderseknert)
• 87c2ff3: Have redundant-existence-check include function args (#1279) (@anderseknert)
• 0a88ab3: Fix false positive in top-level-assignment (#1287) (@anderseknert)
• c0ac18f: Fix false positive in pointless-reassignment (#1286) (@anderseknert)
• 8759f08: Fix false positive in external-reference and vars in composite values (#1284) (@anderseknert)
• 0db5b5f: Avoid allocations by not calling custom functions on hot path (#1289) (@anderseknert)
• 69b43a8: build(deps): bump github/codeql-action from 3.27.5 to 3.27.6 (#1292) (@dependabot[bot])
• 981ac1d: build(deps): bump actions/cache from 4.1.2 to 4.2.0 (#1291) (@dependabot[bot])
• bc46bd6: build(deps): bump codecov/codecov-action from 5.0.7 to 5.1.1 (#1290) (@dependabot[bot])
• 668950a: dev: Fix golangci-lint reporting issues in ignored files in VS Code (#1296) (@anderseknert)
• 36a72d4: Roast v0.5.0, faster input conversion (#1293) (@anderseknert)
• 8a096a1: build(deps): bump golang.org/x/crypto from 0.28.0 to 0.31.0 (#1297) (@dependabot[bot])
• 9102b94: Evaluate should work even when input missing (#1295) (@anderseknert)
• 00e5341: dev: Fix integration test that used old URL for capabilities (#1304) (@anderseknert)
• 8d0d888: docs: add note about roots in directory-package-mismatch rule (#1303) (@charlieegan3)
• 44182c7: build(deps): bump github/codeql-action from 3.27.6 to 3.27.9 (#1301) (@dependabot[bot])
• d3d096d: build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 (#1302) (@dependabot[bot])
• 7f8e54d: [create-pull-request] automated change (@charlieegan3)
• 748c2e8: Fix nil pointer dereference in JUnit reporter (#1307) (@anderseknert)
• 0673c09: hints: remove tail anchor for multiple-default-rules hint (#1314) (@srenatus)
• bac6333: build(deps): bump github/codeql-action from 3.27.9 to 3.28.0 (#1311) (@dependabot[bot])
• cc08ab1: build(deps): bump actions/upload-artifact from 4.4.3 to 4.5.0 (#1309) (@dependabot[bot])
• 46c5205: build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2 (#1310) (@dependabot[bot])
• fb3ac2e: build(deps): bump peter-evans/create-pull-request from 7.0.5 to 7.0.6 (#1312) (@dependabot[bot])
• 550d05c: build(deps): bump github.com/go-git/go-git/v5 in the dependencies group (#1313) (@dependabot[bot])
• e31c132: dependabot: Update GHA dependencies in groups (#1315) (@charlieegan3)
• 4459436: build(deps): bump github.com/go-git/go-git/v5 in the dependencies group (#1316) (@dependabot[bot])
• 34f9827: Use concurrent map implementation (#1318) (@anderseknert)
• 2d7753f: tests: Skip server multi file test (#1320) (@charlieegan3)
• 6fecf4c: Add new blog! (#1308) (@anderseknert)
• b909a5c: [create-pull-request] automated change (@charlieegan3)
• d445931: cmd/languageserver: Log path & version at startup (#1326) (@charlieegan3)
• 4434de2: [create-pull-request] automated change (#1330) (@github-actions[bot])
• cf1632a: build(deps): bump the dependencies group with 2 updates (#1331) (@dependabot[bot])
• d569e50: Prepare for OPA 1.0 (#1317) (@anderseknert)
• 75b57bb: build(deps): bump actions/upload-artifact in the dependencies group (#1332) (@dependabot[bot])
• 351b5bb: Update badge to 1.0.0 (#1333) (@anderseknert)

v0.29.2

This patch release fixes an issue where the new defer-assignment rule would sometimes report a false positive when the variable was used inside of a with clause on the next line.

Thanks @nevumx for reporting the issue!

Changelog

• 7e74d12: [create-pull-request] automated change (#1261) (@github-actions[bot])
• 20a5cfa: Fix false positive in defer-assignment and with (#1262) (@anderseknert)

v0.29.1

This patch release fixes an issue where custom (i.e. user-created) aggregate rules¹. wouldn't work as expected when the condition for a violation was the absence of aggregated data. This could for example be a rule that says "at least one rule must be named allow, and it must have a default assignment to false".

Upgrading from v0.29.0 is not required unless you're writing custom Regal rules.

Many thanks to @shibataka000 for reporting the issue, and in such an exemplary way ⭐

Changelog

• 0c6e8ed: build(deps): bump github/codeql-action from 3.27.2 to 3.27.3 (#1258) (@dependabot[bot])
• 743a65b: Fix custom rules that report on the absence of aggregates (#1260) (@anderseknert)

1. scroll below the table of rules for an explanation of what aggregate rules are ↩

v0.29.0

This is a big release, spanning more than a month of development! Regal v0.29.0 brings new linter rules, performance improvements and new features to both the linter and the language server.

New rules

defer-assignment

Category: performance

The new defer-assignment rule helps detect when assignment can be moved to later in the rule body, possibly avoiding it at all if the conditions below don’t evaluate.

allow if {
    # this assignment can be deferred to after the roles check
    resp := http.send({"method": "get", "url": "http:localhost"})
    
    "rego hacker" in input.user.roles
    
    resp.status_code == 200
}

This can improve performance by having less to evaluate, and it makes policies easier to read. Double win!

For more information, see the docs on defer-assignment.

walk-no-path

Category: performance

When using the walk built-in function on large data structures, traversing only the values without building a path to each node can save a considerable amout of time. The new walk-no-path rule will detect when the assigned path is unused and can be replaced by a wildcard variable, which tells OPA to skip the construction of the path. This dramatically improves the performance of the function.

found if {
    # path assigned but never referenced in the rule
    walk(haystack, [path, value])

    value == "needle"
}

# should be replaced by

found if {
    walk(haystack, [_, value])

    value == "needle"
}

For more information, see the docs on walk-no-path.

rule-assigns-default

Category: bugs

Assigning a rule the same value as the default value set for the rule is always a bug, and while hopefully not too common, now reported by Regal.

default threshold := 1

threshold := 0 if {
    # some conditions
}

# this is already the default condition!
# and having this removed will have no impact on how
# the rule evaluates.. don't do this!
threshold := 1 if {
    # some conditions
}

For more information, see the docs on rule-assigns-default.

Language Server

Evaluation Code Lens for Neovim

We were exicted to learn the Code Lens for Evaluation (“click to evaluate”) feature we built now works not only in VS Code but also in Neovim. This thanks to work by regular contributor @rinx. Thank you! The language server docs have now been updated to reflect this.

Improved Enterprise OPA integration

Setting the capabilities engine to eopa will now have the language sever recognize Enterprise OPA-specific built-in functions, and provide both auto-completions for those as well as informative tooltips on hover. Clicking links in the tooltip now correctly brings you to the Styra docs for the Enterprise OPA built-in functions.

Notable Improvements

• The leaked-internal-reference rule is now ignored in tests by default. See the docs for this rule if you wish to enable this.
• The prefer-snake-case rule now also reports violations in package names.
• The same prepared query is now used both for linting and to collect data for aggregate rules, saving about 150 milliseconds for any given regal lint run.
• Regal’s own capabilities and provided configuration is now available when running the evaluation code lens, simplifying development of custom rules.
• The pretty reporting format will now print the severity level of a violation when no color support is detected in the terminal (reported by @geirs73)
• The --instrument flag from opa eval is now supported also by regal lint, providing detailed information about where most time is spent while linting.

Notable Fixes

• Using input.json for the evaluation code lens now works reliably on Windows. As does ourcing a capabilities.json file from the filesystem. Thanks to @geirs73 for reporting these issues!
• Global ignore directives from .regal/config.yaml would sometimes be parsed differently depending on read by regal lint or the language server. This has now been fixed.
• Fix false positive in inconsistent-args rule when an arity mismatch should rather be handled by the compiler. Thanks @tsandall for reporting that!
• Fix a false positive in use-contains rule when not importing rego.v1. This turned out to be an issue originating in OPA, so we fixed it there, and later included in Regal by upgrading the dependency to the latest OPA version v0.70.0. Thanks @drewcorlin1 for reporting the issue!

Changelog

• 0af7c91: Scorecard updates (#1182) (@charlieegan3)
• 24f0fd7: Use defer to unlock mutex (#1186) (@anderseknert)
• da12bd0: build(deps): bump actions/upload-artifact from 4.4.0 to 4.4.1 (#1185) (@dependabot[bot])
• a238a85: build(deps): bump github/codeql-action from 3.26.11 to 3.26.12 (#1184) (@dependabot[bot])
• 03564f8: build(deps): bump actions/checkout from 4.2.0 to 4.2.1 (#1183) (@dependabot[bot])
• afce347: lsp: Update rego-by-examples index (#1181) (@github-actions[bot])
• e3fa956: linter: use a buffered error channel (#1187) (@charlieegan3)
• 1dbfc7e: lsp: enable levelled logging (#1188) (@charlieegan3)
• c5cee41: build(deps): bump actions/upload-artifact from 4.4.1 to 4.4.2 (#1190) (@dependabot[bot])
• 6663839: build(deps): bump actions/cache from 4.1.0 to 4.1.1 (#1189) (@dependabot[bot])
• 3b7530a: Add UNIwise company to adopters.md (#1191) (@Graloth)
• 95f4abf: lsp: Update rego-by-examples index (#1193) (@github-actions[bot])
• 0cf7506: build(deps): bump actions/upload-artifact from 4.4.2 to 4.4.3 (#1194) (@dependabot[bot])
• 78e2bba: workflow: use different branch (and also PR) for caps updates (@srenatus)
• 649d5b9: [create-pull-request] automated change (@srenatus)
• b58f999: lsp: Update rego-by-examples index (@charlieegan3)
• 672bb15: docs: write about evaluation code lens support in neovim (#1198) (@rinx)
• e46ef92: build(deps): bump github/codeql-action from 3.26.12 to 3.26.13 (#1199) (@dependabot[bot])
• df4d44e: docs: Fix typos in config examples (#1201) (@anderseknert)
• 8504347: io: Address path input.json separator issue (#1203) (@charlieegan3)
• d04be3d: Make prefer-snake-case check package name (#1206) (@anderseknert)
• 5bc9d1d: Handle file:// URLs in exclusion policy (#1207) (@anderseknert)
• d39da24: Improve error messages for incorrect capabilities version (#1208) (@anderseknert)
• 173a992: config: Generate C:-style capabilities paths (#1209) (@charlieegan3)
• 63b90e1: Use filepath.WalkDir instead of filepath.Walk (#1210) (@anderseknert)
• 234e36b: lint/rpt: Handle no-color ttys (#1213) (@charlieegan3)
• 877372b: Rule: defer-assignment (#1215) (@anderseknert)
• 0355ad7: build(deps): bump github.com/fatih/color from 1.17.0 to 1.18.0 (#1216) (@dependabot[bot])
• 6b7e00b: lsp/eval: Load capabilities and config into eval (#1217) (@charlieegan3)
• 0ce82ae: Rule: walk-no-path (#1219) (@anderseknert)
• b45c14b: lsp/eval: Remove missed print statement (#1220) (@charlieegan3)
• b9a2531: build(deps): bump actions/cache from 4.1.1 to 4.1.2 (#1222) (@dependabot[bot])
• 7ff216b: build(deps): bump github/codeql-action from 3.26.13 to 3.27.0 (#1221) (@dependabot[bot])
• 9fcc5ee: build(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#1223) (@dependabot[bot])
• 2337dc8: build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 (#1224) (@dependabot[bot])
• 6e9264d: [create-pull-request] automated change (#1225) (@github-actions[bot])
• 96e4804: rule: Disable leaked_internal_reference for test files (#1228) (@charlieegan3)
• 3c48af2: build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#1229) (@dependabot[bot])
• aeec96b: lsp: Fix inconsistent processing of ignores (#1227) (@charlieegan3)
• e07a5d7: lsp: format root directory files (#1232) (@charlieegan3)
• 3b9d897: Remove leaked-internal-reference comments (#1231) (@charlieegan3)
• b13c9c5: [create-pull-request] automated change (@srenatus)
• 1499393...

v0.28.0

New Rule: missing-metadata #1131

The new missing-metadata rule helps ensure policies are documented by requiring METADATA comments on public packages and rules. Metadata comments are used to explain functionality and annotate Rego constructs with other data.

Note: missing-metadata is a custom rule and so is not enabled by default for all users.

fixer: Automated fixing of directory-package-mismatch

This release brings improvements to regal fix, the command to automatically fix supported violations (#1120, #1127).

Fixes for the directory-package-mismatch violations involve moving files based on their packages. For example a file with package foo.bar in policies/policy.rego would need to be moved to foo/policy.rego. In previous versions of Regal, when multiple files in a large code base with the same filename needed to be moved to the same package directory, Regal would output a confusing error message.

Regal v0.28.0 outputs a clear error message by default and adds a new --on-conflict=rename modifying flag to allow conflicting files to automatically be renamed when this scenario is encountered.

Linter Improvements

• Support for linting Rego syntax passed to Regal via Standard Input (stdin).
• An important yet under-the-hood improvement to use a new data format for AST node locations. This makes violation locations more specific and brings a 5% linting speed improvement too.

Language Server Performance Improvements

• An update to the implementation of the server to reduce the number of expensive ‘full workspace’ linting jobs. By caching the aggregate rule data and updating it incrementally, full workspace jobs can now be completed in less than a third of the time previously taken.
• Making CodeLenses configurable makes supporting other clients easier. Thanks @rinx for the work in #1176 and for all the work you do to make Regal and Neovim play nice.
• Update to the server templating to better handle projects without a Regal config file. Files in the workspace root will no longer be templated either, but will still violate directory-package-mismatch.
• Makes an improvement to ensure the loading of the Regal rules happens once, saving around 30ms on every keypress-trigger, file diagnostic update event.

Dependency Updates

• anderseknert/roast v0.2.0 -> v0.4.2 #1140, #1170
• open-policy-agent/opa v0.68.0 -> v0.69.0 #1152

Github Actions Updates

• golangci/golangci-lint-action 6.1.0 -> 6.1.1 #1163
• peter-evans/create-pull-request 7.0.3 -> 7.0.5 #1114
• github/codeql-action 3.26.7 -> 3.26.11 #1117, #1137, #1157, #1174
• actions/checkout 4.1.7 -> 4.2.0 #1142
• codecov/codecov-action 4.5.0 -> 4.6.0 #1162, #1164
• actions/cache 4.0.2 -> 4.1.0 #1179

Changelog

• 63ec93d: docs: correct line endings for GIF files (#1114) (@charlieegan3)
• 980f726: build(deps): bump peter-evans/create-pull-request from 7.0.3 to 7.0.5 (#1116) (@dependabot[bot])
• 54c8c9d: build(deps): bump github/codeql-action from 3.26.7 to 3.26.8 (#1117) (@dependabot[bot])
• 95a1bf3: tests: Minor test wait improvement (#1121) (@charlieegan3)
• 838c6fa: Allow regal lint - to lint from stdin (#1122) (@anderseknert)
• a23bb63: fixer: Address rename conflicts with explanation (#1120) (@charlieegan3)
• 23cb827: fixer: add --on-conflict flag to support renaming (#1127) (@charlieegan3)
• d41bea9: debug: registering custom built-ins (#1128) (@johanfylling)
• 4aa2fef: tests: Address incorrect built-in function check (#1129) (@charlieegan3)
• f6f2f6d: Rule: missing-metadata (#1131) (@anderseknert)
• ab3b3b8: tests: Remove global builtins state (#1134) (@charlieegan3)
• b424eb6: Use betteralign for struct alignment (#1132) (@anderseknert)
• 464a7bc: Completions: don't suggest loop vars as locals on same line (#1135) (@anderseknert)
• 6ecb36c: bundle: Load bundle once (#1136) (@charlieegan3)
• 7cd8744: build(deps): bump github/codeql-action from 3.26.8 to 3.26.9 (#1137) (@dependabot[bot])
• a201715: linter: support single file aggregate data collection and parameterised aggregate data in Lint() (#1139) (@charlieegan3)
• 2730887: Bump roast to v0.3.0 and live free from annotations on module (#1140) (@anderseknert)
• 64cba9e: build(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#1142) (@dependabot[bot])
• efd4420: Fix detached-metadata issues (#1143) (@anderseknert)
• 75db465: Link to source code in rule docs (#1144) (@anderseknert)
• e205cd9: Go code cleanup (#1148) (@anderseknert)
• 3cba1c6: fix: fix var name for commit hash (#1150) (@rinx)
• 4a97b56: Adapt to new location format (#1153) (@anderseknert)
• 036a6b6: Bump OPA to v0.69.0 (#1152) (@anderseknert)
• 06db4bb: internal/lsp/hover: "fix" codeql finding (#1156) (@srenatus)
• bfc0f9e: internal/capabilities: update eopa caps (@srenatus)
• 1161ede: CONTRIBUTING: update script name (@srenatus)
• 81edb95: workflow: add update-caps (#1158) (@srenatus)
• f7acfda: build(deps): bump github/codeql-action from 3.26.9 to 3.26.10 (#1157) (@dependabot[bot])
• a55d2f4: Fix some minor issues reported by IntelliJ (#1159) (@anderseknert)
• 2f94fc7: Fix nits (#1161) (@srenatus)
• f208f46: build(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 (#1166) (@dependabot[bot])
• 94fea76: build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0 (#1162) (@dependabot[bot])
• 7b5cd08: Exclude print from "function return value in args" check (#1165) (@anderseknert)
• 8ca0197: Custom rule authoring improvements (#1168) (@anderseknert)
• 85b7be7: Bump roast to v0.4.2 to solve data race (#1170) (@anderseknert)
• 67162e6: lsp: Update LSP linting to run incrementally after file change (#1146) (@charlieegan3)
• f70b892: build(deps): bump github/codeql-action from 3.26.10 to 3.26.11 (#1174) (@dependabot[bot])
• fc88817: Correct example index rego path (#1177) (@charlieegan3)
• b751858: lsp/templating: gracefully handle unknown root (#1171) (@charlieegan3)
• 69fb6ca: Use test logger for client handler (#1178) (@charlieegan3)
• ed287dc: build(deps): bump actions/cache from 4.0.2 to 4.1.0 (#1179) (@dependabot[bot])
• 9503967: feat(lsp): add initialization options about codelenses (#1176) (@rinx)

v0.27.0

Debug Adapter Protocol Support

Back in #926 (v0.26.0), support was added for the Debug Adapter Protocol (DAP), based on the new OPA SDK added in #6876 (documentation). This release improves on this making it ready for consumption in clients. Namely, the addition of a new Debug Code Lens in #1103 and a bug fix for ast.ref_to_string which brings the Regal implementation inline with OPA’s (#1106).

Please see our documentation here to get started.

Neovim DAP Support

Thanks to community member @rinx, DAP support is also available in the Neovim editor. This is based on nvim-dap, and @rinx’s own project nvim-dap-rego. This is an awesome contribution which represents an important improvement for Neovim users of Regal. Thank you Rintaro Okamura for all your work here, it is appreciated.

New Rule: comprehension-term-assignment

This rule flags cases where an intermediate assignment is used within a comprehension body when the value can be directly used as the comprehension term. It enforces the removal of redundant assignments, encouraging more concise and readable code.

# avoid
names := [name |
    some user in input.users
    name := user.name
]

# prefer
names := [user.name | some user in input.users]

Compiler Stage Source Explorer

A new Source Action has been added to allow users of compatible clients to explore the compiler stages of the Rego code they’re working on.

By integrating opa-explorer with Regal, it’s now possible to launch a web server to view the explorer output. Users will see a "Source Action" in the context menu of Rego files, which opens the explorer for that file. This feature is currently limited to VS Code due to available commands. Currently, only a single file is loaded into the explorer for compilation.

Source Action shown in VS Code

Browser showing the given file's compiler explorer

Test Flake Fixes

This release contains a number of fixes for flakey tests that have been disrupting the contributor experience. If you experience flakes and re-run checks on a PR, please leave a comment to let us know so we can look into it. #1112, #1102, #1101

Changelog

• b567b5d: Rule: comprehension-term-assignment (#1098) (@anderseknert)
• da50d28: Add source action to explore compiler stages (#1096) (@anderseknert)
• a672964: lsp: Make length check of inlay hints fatal (#1101) (@charlieegan3)
• b4e5a8e: lsp: Update contents before diagnosticRequestFile (#1100) (@charlieegan3)
• d754094: Address races in test cases (#1102) (@charlieegan3)
• 822e42c: Add Debug Code Lens (#1103) (@anderseknert)
• df31dda: More stringent ast.ref_to_string (#1106) (@anderseknert)
• ce26bbc: fix: sprintf-arguments-mismatchfalse positive when var used as format (#1107) (@anderseknert)
• 67dc988: build(deps): bump peter-evans/create-pull-request from 7.0.1 to 7.0.2 (#1108) (@dependabot[bot])
• 7bf7685: docs/editor: write about nvim-dap (#1109) (@rinx)
• 03f14ff: build(deps): bump github/codeql-action from 3.26.6 to 3.26.7 (#1110) (@dependabot[bot])
• ba11c48: build(deps): bump peter-evans/create-pull-request from 7.0.2 to 7.0.3 (#1111) (@dependabot[bot])
• 06734bb: lsp: Address test concurrency issues (#1112) (@charlieegan3)
• f1606de: docs: Add docs for DAP support (#1113) (@charlieegan3)

v0.26.2

This releases contains a bug fixes for an issue introduced in v0.26.0 as well as a number of other minor improvements.

Notable Bug fixes:

• #1087 fixes an issue in the marshalling of ASTs using RoAST
• #1056 Makes a change to no longer suggest built in functions for default rules
• #1065 fixes an issue where git was required even when fixing in dry run mode
• #1069 fixes an edge case in use-some-for-output-vars
• #1078, #1080, #1083, #1085 fix issues relating to file rename updates from the client
• #1093 addresses an issue where the fix command produced the incorrect result due to relative paths
• #1081 ensures that .manifest files are correctly detected as 'roots' when fixing

New features:

• #1059 updates the language server to suggest boolean values at relevant times
• #1088 adds a new feature for rule authors to use the files from their project as input for evaluation

Changelog

• b1afdf6: build(deps): bump peter-evans/create-pull-request from 7.0.0 to 7.0.1 (#1057) (@dependabot[bot])
• 9c6a0c9: completion: Don't show builtins on default rules (#1056) (@charlieegan3)
• dd9ee43: Increase test coverage (#1058) (@anderseknert)
• 410d775: lsp/completions: add boolean provider (#1059) (@charlieegan3)
• 337862e: tests: Fatal error when no inlay hints are found (#1060) (@charlieegan3)
• 1ef7511: cmd/fix: Only require git when dry-run unset (#1065) (@charlieegan3)
• 8778ec2: fix: Have use-some-for-output-vars find comprehension body vars (#1069) (@anderseknert)
• d579c9c: build: introduce regal_standalone build flag, use for lint's "fix" hint (#1070) (@srenatus)
• 2690748: 100% test coverage (#1074) (@anderseknert)
• 2e07303: Remove ast.all_refs (#1076) (@anderseknert)
• 332f6dd: Ensure custom rules docs are up to date (#1079) (@anderseknert)
• 28bac91: lsp: Address empty module issues on rename (#1078) (@charlieegan3)
• 6badb5d: lsp: Always send empty diagnostics when deleted (#1080) (@charlieegan3)
• 146895c: lsp: Correct Path to URI encoding (#1083) (@charlieegan3)
• 71e17a3: e2e: Sort output from fix hint (#1084) (@charlieegan3)
• a562087: Fix issue where .manifest files didn't register as roots (#1081) (@anderseknert)
• 786b89e: Bump roast to v0.2.0 to ensure annotations encodes correctly (#1087) (@anderseknert)
• 3bbfd1e: Add regal eval:use-as-input directive (#1088) (@anderseknert)
• 0c1ef19: lsp: Rename on template (#1085) (@charlieegan3)
• 52f3377: lsp: Fix Eval issue caused by missing comments (#1091) (@charlieegan3)
• 6f9b32f: cmd/fix: Address relative path root matching (#1093) (@charlieegan3)