Merge pull request #7 from phylum-dev/matt/regal

configure policy linting

.github/workflows/lint.yml

@@ -0,0 +1,29 @@
+name: Lint policies
+
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup OPA
+        uses: open-policy-agent/[email protected]
+        with:
+          version: 0.61
+
+      - name: Setup Regal
+        uses: StyraInc/[email protected]
+        with:
+          version: 0.21
+
+      - name: OPA Check
+        if: ${{ !cancelled() }}
+        run: opa check --strict --max-errors 0 .
+
+      - name: Regal Lint
+        if: ${{ !cancelled() }}
+        run: regal lint --format github .

.regal/config.yaml

@@ -0,0 +1,16 @@
+capabilities:
+  from:
+    engine: opa
+    version: v0.61.0
+  minus:
+    builtins:
+      - name: http.send
+rules:
+  idiomatic:
+    no-defined-entrypoint:
+      level: ignore
+  imports:
+    unresolved-import:
+      level: error
+      except-imports:
+        - data.phylum.*

confirmed_malicious.rego

@@ -1,33 +1,27 @@
-package policy
-
-import data.phylum.domain
-import data.phylum.level
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
-
-
-# METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-
-# Returns a violation if the author is known malicious
-issue contains "Author has published malicious packages" if {
-   data.issue.tag == "CA0001"
-}
-
-# Returns a violation if the package contains verified malware
-issue contains "This package contains malware" if {
-   data.issue.tag == "CM0038"
-}
-
-# Returns a violation if the package contains a known-bad compiled binary
-issue contains "Contains known-bad compiled binary" if {
-   data.issue.tag == "CM0037"
-}
-
-# Returns a violation if the package depends on a known malicious package
-issue contains "This package depends on malware" if {
-   data.issue.tag == "CM0039"
-}
+package policy
+
+import rego.v1
+
+# Returns a violation if the author is known malicious
+# METADATA
+# scope: rule
+# schemas:
+#   - data.issue: schema.issue
+issue contains "Author has published malicious packages" if {
+	data.issue.tag == "CA0001"
+}
+
+# Returns a violation if the package contains verified malware
+issue contains "This package contains malware" if {
+	data.issue.tag == "CM0038"
+}
+
+# Returns a violation if the package contains a known-bad compiled binary
+issue contains "Contains known-bad compiled binary" if {
+	data.issue.tag == "CM0037"
+}
+
+# Returns a violation if the package depends on a known malicious package
+issue contains "This package depends on malware" if {
+	data.issue.tag == "CM0039"
+}

data_exfiltration.rego

@@ -1,22 +1,16 @@
-package policy
-
-import data.phylum.domain
-import data.phylum.level
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
-
-
-# METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-
-# Returns a violation if the package contains common data exfiltration techniques
-issue contains "Package contains environment variable enumeration" if {
-   data.issue.tag == "HM0025"
-}
-
-issue contains "Package contains webhook exfiltration" if {
-   data.issue.tag == "HM0036"
-}
+package policy
+
+import rego.v1
+
+# Returns a violation if the package contains common data exfiltration techniques
+# METADATA
+# scope: rule
+# schemas:
+#   - data.issue: schema.issue
+issue contains "Package contains environment variable enumeration" if {
+	data.issue.tag == "HM0025"
+}
+
+issue contains "Package contains webhook exfiltration" if {
+	data.issue.tag == "HM0036"
+}

default.rego

@@ -1,8 +1,7 @@
 package policy
 
 import data.phylum.level
-import future.keywords.contains
-import future.keywords.if
+import rego.v1
 
 issue contains "risk level cannot exceed medium" if {
 	data.issue.severity > level.MEDIUM

dependency_confusion.rego

@@ -1,18 +1,12 @@
-package policy
-
-import data.phylum.domain
-import data.phylum.level
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
-
-
-# METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-
-# Returns a violation if the package appears to be a dependency confusion
-issue contains "Package appears to be a dependency confusion" if {
-   data.issue.tag == "HM0018"
-}
+package policy
+
+import rego.v1
+
+# Returns a violation if the package appears to be a dependency confusion
+# METADATA
+# scope: rule
+# schemas:
+#   - data.issue: schema.issue
+issue contains "Package appears to be a dependency confusion" if {
+	data.issue.tag == "HM0018"
+}

install_code.rego

@@ -1,18 +1,12 @@
-package policy
-
-import data.phylum.domain
-import data.phylum.level
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
-
-
-# METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-
-# Returns a violation if there is code execution on package install
-issue contains "Package contains code execution on install" if {
-   data.issue.tag in {"IM0042", "IM0043", "IM0044"}
-}
+package policy
+
+import rego.v1
+
+# Returns a violation if there is code execution on package install
+# METADATA
+# scope: rule
+# schemas:
+#   - data.issue: schema.issue
+issue contains "Package contains code execution on install" if {
+	data.issue.tag in {"IM0042", "IM0043", "IM0044"}
+}

install_code_suspicious.rego

@@ -1,23 +1,16 @@
-package policy
-
-import data.phylum.domain
-import data.phylum.level
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
-
-
-# METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-
-# Returns a violation if there is suspicious code execution on package install
-
-issue contains "Package contains suspicious code execution on install" if {
-   data.issue.tag == "CM0007"
-}
-
-issue contains "Package contains suspicious code execution on install" if {
-	endswith(data.issue.tag, "M0031")
-}
+package policy
+
+import rego.v1
+
+# Returns a violation if there is suspicious code execution on package install
+# METADATA
+# scope: rule
+# schemas:
+#   - data.issue: schema.issue
+issue contains "Package contains suspicious code execution on install" if {
+	data.issue.tag == "CM0007"
+}
+
+issue contains "Package contains suspicious code execution on install" if {
+	endswith(data.issue.tag, "M0031")
+}

license_agpl.rego

@@ -1,25 +1,20 @@
-package policy
-
-import data.phylum.domain
-import data.phylum.level
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
-
-is_agpl {
-regex.match("(?i)\\bAffero\\b", data.dependency.license)
-}
-
-is_agpl {
-regex.match("(?i)\\bAGPL\\b", data.dependency.license)
-}
-
-# METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-
-# Returns a violation if the package license metadata indicates "Affero" or "AGPL"
-dependency contains "AGPL licensed software is not allowed" if {
-        is_agpl
-}
+package policy
+
+import rego.v1
+
+is_agpl if {
+	regex.match(`(?i)\bAffero\b`, data.dependency.license)
+}
+
+is_agpl if {
+	regex.match(`(?i)\bAGPL\b`, data.dependency.license)
+}
+
+# Returns a violation if the package license metadata indicates "Affero" or "AGPL"
+# METADATA
+# scope: rule
+# schemas:
+#   - data.issue: schema.issue
+dependency contains "AGPL licensed software is not allowed" if {
+	is_agpl
+}

license_mismatch.rego

@@ -1,18 +1,12 @@
-package policy
-
-import data.phylum.domain
-import data.phylum.level
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
-
-
-# METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-
-# Returns a violation if there is a license mismatch between metadata and files
-issue contains "License mismatch" if {
-   data.issue.tag == "IL0022"
-}
+package policy
+
+import rego.v1
+
+# Returns a violation if there is a license mismatch between metadata and files
+# METADATA
+# scope: rule
+# schemas:
+#   - data.issue: schema.issue
+issue contains "License mismatch" if {
+	data.issue.tag == "IL0022"
+}

minimal_code.rego

@@ -1,18 +1,12 @@
-package policy
-
-import data.phylum.domain
-import data.phylum.level
-import future.keywords.contains
-import future.keywords.if
-import future.keywords.in
-
-
-# METADATA
-# scope: rule
-# schemas:
-#   - data.issue: schema.issue
-
-# Returns a violation if the package contains minimal code and is unlikley worth the security risk
-issue contains "Package contains minimal code" if {
-   data.issue.tag == "IE0027"
-}
+package policy
+
+import rego.v1
+
+# Returns a violation if the package contains minimal code and is unlikley worth the security risk
+# METADATA
+# scope: rule
+# schemas:
+#   - data.issue: schema.issue
+issue contains "Package contains minimal code" if {
+	data.issue.tag == "IE0027"
+}