feat(rego): migrate result function from Go

aquasecurity · Jan 22, 2024 · 026cee8 · 026cee8
1 parent b40fafa
commit 026cee8
Show file tree

Hide file tree

Showing 204 changed files with 240 additions and 7 deletions.
diff --git a/.github/workflows/test-rego.yaml b/.github/workflows/test-rego.yaml
@@ -20,8 +20,10 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+
       - name: Setup OPA
         uses: ./.github/actions/setup-opa
+
       - name: OPA Format
         run: |
           files=$(opa fmt --list . | grep -v vendor || true)
@@ -30,8 +32,6 @@ jobs:
             echo "$files"
             exit 1
           fi
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          cache: true
-          cache-dependency-path: go.sum
+
+      - name: OPA Test
+        run: make rego-test
diff --git a/Makefile b/Makefile
@@ -4,12 +4,17 @@ DYNAMIC_REGO_FOLDER=./checks/kubernetes/policies/dynamic
 test:
 	go test -v ./...
 
+
 .PHONY: rego
-rego: fmt-rego
+rego: fmt-rego test-rego
+
+.PHONY: test-rego
+test-rego: 
+	opa test -v checks/ lib/
 
 .PHONY: fmt-rego
 fmt-rego:
-	opa fmt -w checks/
+	opa fmt -w checks/ lib/
 
 .PHONY: bundle
 bundle: create-bundle verify-bundle

diff --git a/checks/cloud/aws/iam/filter_iam_pass_role.rego b/checks/cloud/aws/iam/filter_iam_pass_role.rego
@@ -22,6 +22,8 @@
 #           provider: aws
 package builtin.aws.iam.aws0342
 
+import data.lib.result
+
 allows_permission(statements, permission, effect) {
 	statement := statements[_]
 	statement.Effect == effect

diff --git a/checks/cloud/aws/rds/disable_public_access.rego b/checks/cloud/aws/rds/disable_public_access.rego
@@ -26,6 +26,8 @@
 
 package builtin.aws.rds.aws0180
 
+import data.lib.result
+
 deny[res] {
 	instance := input.aws.rds.instances[_]
 	instance.publicaccess.value

diff --git a/checks/cloud/aws/rds/enable_cluster_deletion_protection.rego b/checks/cloud/aws/rds/enable_cluster_deletion_protection.rego
@@ -21,6 +21,8 @@
 #           provider: aws
 package builtin.aws.rds.aws0343
 
+import data.lib.result
+
 deny[res] {
 	cluster := input.aws.rds.clusters[_]
 	not cluster.deletionprotection.value

diff --git a/checks/cloud/aws/rds/enable_deletion_protection.rego b/checks/cloud/aws/rds/enable_deletion_protection.rego
@@ -21,6 +21,8 @@
 #           provider: aws
 package builtin.aws.rds.aws0177
 
+import data.lib.result
+
 deny[res] {
 	instance := input.aws.rds.instances[_]
 	not instance.deletionprotection.value

diff --git a/checks/cloud/aws/rds/enable_iam_auth.rego b/checks/cloud/aws/rds/enable_iam_auth.rego
@@ -21,6 +21,8 @@
 #           provider: aws
 package builtin.aws.rds.aws0176
 
+import data.lib.result
+
 deny[res] {
 	instance := input.aws.rds.instances[_]
 	instance.engine.value == ["postgres", "mysql"][_]

diff --git a/checks/cloud/aws/s3/dns_compliant_name.rego b/checks/cloud/aws/s3/dns_compliant_name.rego
@@ -22,6 +22,8 @@
 #           provider: aws
 package builtin.aws.s3.aws0320
 
+import data.lib.result
+
 deny[res] {
 	bucket := input.aws.s3.buckets[_]
 	indexof(bucket.name.value, ".") != -1

diff --git a/checks/cloud/aws/s3/enable_logging.rego b/checks/cloud/aws/s3/enable_logging.rego
@@ -27,6 +27,8 @@
 #       good_examples: "checks/cloud/aws/s3/enable_bucket_logging.cf.go"
 package builtin.aws.s3.aws0089
 
+import data.lib.result
+
 deny[res] {
 	bucket := input.aws.s3.buckets[_]
 	not bucket.acl.value == "log-delivery-write"

diff --git a/checks/docker/add_instead_of_copy.rego b/checks/docker/add_instead_of_copy.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS005
 
 import data.lib.docker
+import data.lib.result
 
 get_add[output] {
 	add := docker.add[_]

diff --git a/checks/docker/apt_get_missing_no_install_recommends.rego b/checks/docker/apt_get_missing_no_install_recommends.rego
@@ -19,6 +19,7 @@
 package builtin.dockerfile.DS029
 
 import data.lib.docker
+import data.lib.result
 
 deny[res] {
 	output := get_apt_get[_]

diff --git a/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego b/checks/docker/apt_get_missing_yes_flag_to_avoid_manual_input.rego
@@ -19,6 +19,7 @@
 package builtin.dockerfile.DS021
 
 import data.lib.docker
+import data.lib.result
 
 deny[res] {
 	output := get_apt_get[_]

diff --git a/checks/docker/copy_from_references_current_from_alias.rego b/checks/docker/copy_from_references_current_from_alias.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS006
 
 import data.lib.docker
+import data.lib.result
 
 get_alias_from_copy[output] {
 	copies := docker.stage_copies[stage]

diff --git a/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego b/checks/docker/copy_with_more_than_two_arguments_not_ending_with_slash.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS011
 
 import data.lib.docker
+import data.lib.result
 
 get_copy_arg[output] {
 	copy := docker.copy[_]

diff --git a/checks/docker/latest_tag.rego b/checks/docker/latest_tag.rego
@@ -16,6 +16,7 @@
 package builtin.dockerfile.DS001
 
 import data.lib.docker
+import data.lib.result
 
 # returns element after AS
 get_alias(values) = alias {

diff --git a/checks/docker/maintainer_is_deprecated.rego b/checks/docker/maintainer_is_deprecated.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS022
 
 import data.lib.docker
+import data.lib.result
 
 get_maintainer[mntnr] {
 	mntnr := input.Stages[_].Commands[_]

diff --git a/checks/docker/missing_apk_no_cache.rego b/checks/docker/missing_apk_no_cache.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS025
 
 import data.lib.docker
+import data.lib.result
 
 get_apk[output] {
 	run := docker.run[_]

diff --git a/checks/docker/missing_dnf_clean_all.rego b/checks/docker/missing_dnf_clean_all.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS019
 
 import data.lib.docker
+import data.lib.result
 
 install_regex := `(dnf install)|(dnf in)|(dnf reinstall)|(dnf rei)|(dnf install-n)|(dnf install-na)|(dnf install-nevra)`
 

diff --git a/checks/docker/missing_microdnf_clean_all.rego b/checks/docker/missing_microdnf_clean_all.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS027
 
 import data.lib.docker
+import data.lib.result
 
 install_regex := `(microdnf install)|(microdnf reinstall)`
 

diff --git a/checks/docker/missing_zypper_clean.rego b/checks/docker/missing_zypper_clean.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS020
 
 import data.lib.docker
+import data.lib.result
 
 install_regex := `(zypper in)|(zypper remove)|(zypper rm)|(zypper source-install)|(zypper si)|(zypper patch)|(zypper (-(-)?[a-zA-Z]+ *)*install)`
 

diff --git a/checks/docker/multiple_cmd_instructions_listed.rego b/checks/docker/multiple_cmd_instructions_listed.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS016
 
 import data.lib.docker
+import data.lib.result
 
 deny[res] {
 	cmds := docker.stage_cmd[name]

diff --git a/checks/docker/multiple_entrypoint_instructions_listed.rego b/checks/docker/multiple_entrypoint_instructions_listed.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS007
 
 import data.lib.docker
+import data.lib.result
 
 deny[res] {
 	entrypoints := docker.stage_entrypoints[stage]

diff --git a/checks/docker/multiple_healthcheck_instructions.rego b/checks/docker/multiple_healthcheck_instructions.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS023
 
 import data.lib.docker
+import data.lib.result
 
 deny[res] {
 	healthchecks := docker.stage_healthcheck[name]

diff --git a/checks/docker/no_healthcheck_instruction.rego b/checks/docker/no_healthcheck_instruction.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS026
 
 import data.lib.docker
+import data.lib.result
 
 deny[res] {
 	count(docker.healthcheck) == 0

diff --git a/checks/docker/port22.rego b/checks/docker/port22.rego
@@ -16,6 +16,7 @@
 package builtin.dockerfile.DS004
 
 import data.lib.docker
+import data.lib.result
 
 # deny_list contains the port numbers which needs to be denied.
 denied_ports := ["22", "22/tcp", "22/udp"]

diff --git a/checks/docker/root_user.rego b/checks/docker/root_user.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS002
 
 import data.lib.docker
+import data.lib.result
 
 # get_user returns all the usernames from
 # the USER command.

diff --git a/checks/docker/root_user_test.rego b/checks/docker/root_user_test.rego
@@ -1,6 +1,7 @@
 package builtin.dockerfile.DS002
 
 import data.lib.docker
+import data.lib.result
 
 test_not_root_allowed {
 	r := deny with input as {"Stages": [{

diff --git a/checks/docker/run_apt_get_dist_upgrade.rego b/checks/docker/run_apt_get_dist_upgrade.rego
@@ -16,6 +16,7 @@
 package builtin.dockerfile.DS024
 
 import data.lib.docker
+import data.lib.result
 
 get_apt_get_dist_upgrade[run] {
 	run := docker.run[_]

diff --git a/checks/docker/run_command_cd_instead_of_workdir.rego b/checks/docker/run_command_cd_instead_of_workdir.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS013
 
 import data.lib.docker
+import data.lib.result
 
 get_cd[output] {
 	run := docker.run[_]

diff --git a/checks/docker/run_using_sudo.rego b/checks/docker/run_using_sudo.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS010
 
 import data.lib.docker
+import data.lib.result
 
 has_sudo(commands) {
 	parts = split(commands, "&&")

diff --git a/checks/docker/run_using_wget_and_curl.rego b/checks/docker/run_using_wget_and_curl.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS014
 
 import data.lib.docker
+import data.lib.result
 
 deny[res] {
 	wget := get_tool_usage(docker.run[_], "wget")

diff --git a/checks/docker/same_alias_in_different_froms.rego b/checks/docker/same_alias_in_different_froms.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS012
 
 import data.lib.docker
+import data.lib.result
 
 get_duplicate_alias[output] {
 	output1 := get_aliased_name[_]

diff --git a/checks/docker/unix_ports_out_of_range.rego b/checks/docker/unix_ports_out_of_range.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS008
 
 import data.lib.docker
+import data.lib.result
 
 invalid_ports[output] {
 	expose := docker.expose[_]

diff --git a/checks/docker/update_instruction_alone.rego b/checks/docker/update_instruction_alone.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS017
 
 import data.lib.docker
+import data.lib.result
 
 deny[res] {
 	run := docker.run[_]

diff --git a/checks/docker/workdir_path_not_absolute.rego b/checks/docker/workdir_path_not_absolute.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS009
 
 import data.lib.docker
+import data.lib.result
 
 get_work_dir[output] {
 	workdir := docker.workdir[_]

diff --git a/checks/docker/yum_clean_all_missing.rego b/checks/docker/yum_clean_all_missing.rego
@@ -18,6 +18,7 @@
 package builtin.dockerfile.DS015
 
 import data.lib.docker
+import data.lib.result
 
 get_yum[output] {
 	run := docker.run[_]

diff --git a/checks/kubernetes/advanced/default_namespace_should_not_be_used.rego b/checks/kubernetes/advanced/default_namespace_should_not_be_used.rego
@@ -27,6 +27,7 @@
 package builtin.kubernetes.KSV110
 
 import data.lib.kubernetes
+import data.lib.result
 
 default defaultNamespaceInUse = false
 

diff --git a/checks/kubernetes/advanced/optional/capabilities_no_drop_at_least_one.rego b/checks/kubernetes/advanced/optional/capabilities_no_drop_at_least_one.rego
@@ -27,6 +27,7 @@
 package builtin.kubernetes.KSV004
 
 import data.lib.kubernetes
+import data.lib.result
 import data.lib.utils
 
 default failCapsDropAny = false

diff --git a/checks/kubernetes/advanced/optional/manages_etc_hosts.rego b/checks/kubernetes/advanced/optional/manages_etc_hosts.rego
@@ -25,6 +25,7 @@
 package builtin.kubernetes.KSV007
 
 import data.lib.kubernetes
+import data.lib.result
 import data.lib.utils
 
 # failHostAliases is true if spec.hostAliases is set (on all controllers)

diff --git a/checks/kubernetes/advanced/optional/use_limit_range.rego b/checks/kubernetes/advanced/optional/use_limit_range.rego
@@ -18,6 +18,7 @@
 package builtin.kubernetes.KSV039
 
 import data.lib.kubernetes
+import data.lib.result
 import data.lib.utils
 
 limitRangeConfigure {

diff --git a/checks/kubernetes/advanced/optional/use_resource_quota.rego b/checks/kubernetes/advanced/optional/use_resource_quota.rego
@@ -18,6 +18,7 @@
 package builtin.kubernetes.KSV040
 
 import data.lib.kubernetes
+import data.lib.result
 import data.lib.utils
 
 resourceQuotaConfigure {

diff --git a/checks/kubernetes/advanced/optional/uses_untrusted_azure_registry.rego b/checks/kubernetes/advanced/optional/uses_untrusted_azure_registry.rego
@@ -25,6 +25,7 @@
 package builtin.kubernetes.KSV032
 
 import data.lib.kubernetes
+import data.lib.result
 import data.lib.utils
 
 default failTrustedAzureRegistry = false

diff --git a/checks/kubernetes/advanced/optional/uses_untrusted_ecr_registry.rego b/checks/kubernetes/advanced/optional/uses_untrusted_ecr_registry.rego
@@ -25,6 +25,7 @@
 package builtin.kubernetes.KSV035
 
 import data.lib.kubernetes
+import data.lib.result
 import data.lib.utils
 
 default failTrustedECRRegistry = false

diff --git a/checks/kubernetes/advanced/optional/uses_untrusted_gcr_registry.rego b/checks/kubernetes/advanced/optional/uses_untrusted_gcr_registry.rego
@@ -25,6 +25,7 @@
 package builtin.kubernetes.KSV033
 
 import data.lib.kubernetes
+import data.lib.result
 import data.lib.utils
 
 default failTrustedGCRRegistry = false

diff --git a/checks/kubernetes/advanced/optional/uses_untrusted_public_registries.rego b/checks/kubernetes/advanced/optional/uses_untrusted_public_registries.rego
@@ -25,6 +25,7 @@
 package builtin.kubernetes.KSV034
 
 import data.lib.kubernetes
+import data.lib.result
 import data.lib.utils
 
 default failPublicRegistry = false