Add Regal Rego linting to project

Hello elastic friends! 👋😃 Good to see so many familiar faces
in the list of contributors here. [Regal](https:/StyraInc/regal)
is a linter for Rego, and it's reaching a level of maturity where
I feel confident putting it to use in some serious policy libraries.

Besides linting, the CI integration helps annotate PRs with violations
at the location they happened, helping developers quickly figure out what
they need to change.

As part of integrating the linter in this repo, I went ahead and fixed a
number of issues reported. Naturally, I've made sure that all the Rego
tests pass, but if there's any change you feel was too invasive, or perhaps
changed code that some other project depend on, do let me know and I'll be
happy to revert that.

Issues fixed for the following rules:

* [not-equals-in-loop](https://docs.styra.com/regal/rules/bugs/not-equals-in-loop)
* [unconditional-assignment](https://docs.styra.com/regal/rules/style/unconditional-assignment)
* [use-in-operator](https://docs.styra.com/regal/rules/idiomatic/use-in-operator)
* [redundant-alias](https://docs.styra.com/regal/rules/imports/redundant-alias)
* [no-whitespace-comment](https://docs.styra.com/regal/rules/style/no-whitespace-comment)
* [constant-condition](https://docs.styra.com/regal/rules/bugs/constant-condition)
* [non-raw-regex-pattern](https://docs.styra.com/regal/rules/idiomatic/non-raw-regex-pattern)
* [redundant-alias](https://docs.styra.com/regal/rules/imports/redundant-alias)

Many issues, primarily related to style, have been disabled in the Regal config
for now, and I'm sure you'll want to work on having some of them enabled later.

Have a great weekend!

Signed-off-by: Anders Eknert <[email protected]>

.github/workflows/test-policies.yml

@@ -33,6 +33,14 @@ jobs:
  - name: OPA check -strict
  run: opa check --strict --bundle ./bundle
 
+ - name: Set up Regal
+ uses: StyraInc/[email protected]
+ with:
+ version: v0.10.1
+
+ - name: Lint Rego
+ run: regal lint --format github bundle
+
  update-rules-status:
  name: Update rules status
  runs-on: ubuntu-latest
@@ -75,4 +83,4 @@ jobs:
  run: poetry run python ./dev/generate_rule_metadata.py
 
  - name: Rule metadata mismatch - to fix run our pre-commit hooks
- run: git diff --exit-code
+ run: git diff --exit-code

.regal/config.yaml

@@ -0,0 +1,35 @@
+rules:
+ idiomatic:
+ use-some-for-output-vars:
+ level: ignore
+ imports:
+ prefer-package-imports:
+ level: ignore
+ style:
+ avoid-get-and-list-prefix:
+ level: ignore
+ default-over-else:
+ level: ignore
+ external-reference:
+ level: ignore
+ line-length:
+ level: ignore
+ prefer-some-in-iteration:
+ level: ignore
+ prefer-snake-case:
+ level: ignore
+ rule-length:
+ level: error
+ max-rule-length: 50
+ todo-comment:
+ level: ignore
+ use-assignment-operator:
+ level: ignore
+ testing:
+ file-missing-test-suffix:
+ level: ignore
+ print-or-trace-call:
+ # unsure if these are intentional
+ level: ignore
+ test-outside-test-package:
+ level: ignore

bundle/compliance/cis_aws/rules/cis_1_16/rule.rego

@@ -6,7 +6,7 @@ import future.keywords.if
 import future.keywords.in
 
 # Ensure IAM policies that allow full "*:*" administrative privileges are not attached
-finding = result if {
+finding := result if {
  # filter
  data_adapter.is_iam_policy
 
@@ -20,6 +20,6 @@ finding = result if {
 policy_is_permissive if {
  some statement in data_adapter.policy_document.Statement
  statement.Effect == "Allow"
- common.array_contains(common.ensure_array(statement.Action), "*")
- common.array_contains(common.ensure_array(statement.Resource), "*")
+ "*" in common.ensure_array(statement.Action)
+ "*" in common.ensure_array(statement.Resource)
 } else = false

bundle/compliance/cis_aws/rules/cis_1_16/test.rego

@@ -49,6 +49,7 @@ test_violation {
  ])
 }
 
+# regal ignore:rule-length
 test_pass {
  # No statements, no problems
  eval_pass with input as generate_input([])

bundle/compliance/cis_aws/rules/cis_3_1/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_3_1/test.rego

@@ -22,7 +22,7 @@ test_violation {
  "EventSelectors": [{"IncludeManagementEvents": true}],
  }}])
 
- # The event selector does include management events 
+ # The event selector does include management events
  eval_fail with input as rule_input([{"TrailInfo": {
  "Trail": {"IsMultiRegionTrail": true},
  "Status": {"IsLogging": true},

bundle/compliance/cis_aws/rules/cis_3_5/test.rego

@@ -8,7 +8,7 @@ import data.lib.test
 finding = audit.finding
 
 test_violation {
- # single region, single recorder config 
+ # single region, single recorder config
  eval_fail with input as rule_input(false, false)
  eval_fail with input as rule_input(true, false)
  eval_fail with input as rule_input(false, true)

bundle/compliance/cis_aws/rules/cis_4_1/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_1/test.rego

@@ -4,6 +4,7 @@ import data.cis_aws.test_data
 import data.compliance.cis_aws.data_adapter
 import data.lib.test
 
+# regal ignore:rule-length
 test_violation {
  # No items
  eval_fail with input as rule_input([])
@@ -52,7 +53,7 @@ test_violation {
  "MetricTopicBinding": {"filter_1": ["arn:aws:...sns"]},
  }])
 
- # The event selector does include management events 
+ # The event selector does include management events
  eval_fail with input as rule_input([{
  "TrailInfo": {
  "Trail": {"IsMultiRegionTrail": true},

bundle/compliance/cis_aws/rules/cis_4_10/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_11/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_12/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_13/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_14/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_15/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_16/rule.rego

@@ -6,7 +6,7 @@ import data.compliance.policy.aws_securityhub.data_adapter
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_securityhub_subType
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_2/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_3/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_4/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_5/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_6/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_7/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_8/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_aws/rules/cis_4_9/rule.rego

@@ -7,7 +7,7 @@ import data.compliance.policy.aws_cloudtrail.trail
 default rule_evaluation = false
 
 finding = result {
- # filter 
+ # filter
  data_adapter.is_multi_trails_type
 
  # set result

bundle/compliance/cis_azure/rules/cis_5_5/rule.rego

@@ -3,15 +3,11 @@ package compliance.cis_azure.rules.cis_5_5
 import data.compliance.lib.common
 import data.compliance.policy.azure.data_adapter
 
-finding = result {
- # No filter, all resources will be checked
-
- # set result
- result := common.generate_result_without_expected(
- common.calculate_result(ensure_sku_valid),
- {"Resource": data_adapter.resource},
- )
-}
+# No filter, all resources will be checked
+finding := common.generate_result_without_expected(
+ common.calculate_result(ensure_sku_valid),
+ {"Resource": data_adapter.resource},
+)
 
 ensure_sku_tier {
  data_adapter.resource.sku.tier != "Basic"

bundle/compliance/cis_eks/rules/cis_3_2_9/rule.rego

@@ -3,7 +3,7 @@ package compliance.cis_eks.rules.cis_3_2_9
 import data.compliance.policy.process.ensure_arguments_and_config as audit
 
 # Ensure that the --event-qps argument is set to 0 or a level which
-# ensures appropriate event capture 
+# ensures appropriate event capture
 default rule_evaluation = false
 
 rule_evaluation {

bundle/compliance/cis_eks/rules/cis_4_2_1/rule.rego

@@ -2,6 +2,4 @@ package compliance.cis_eks.rules.cis_4_2_1
 
 import data.compliance.policy.kube_api.minimize_admission as audit
 
-finding = result {
- result := audit.finding("privileged")
-}
+finding := audit.finding("privileged")

bundle/compliance/cis_eks/rules/cis_4_2_2/rule.rego

@@ -2,6 +2,4 @@ package compliance.cis_eks.rules.cis_4_2_2
 
 import data.compliance.policy.kube_api.minimize_sharing as audit
 
-finding = result {
- result := audit.finding("hostPID")
-}
+finding := audit.finding("hostPID")

bundle/compliance/cis_eks/rules/cis_4_2_3/rule.rego

@@ -2,6 +2,4 @@ package compliance.cis_eks.rules.cis_4_2_3
 
 import data.compliance.policy.kube_api.minimize_sharing as audit
 
-finding = result {
- result := audit.finding("hostIPC")
-}
+finding := audit.finding("hostIPC")

bundle/compliance/cis_eks/rules/cis_4_2_4/rule.rego

@@ -2,6 +2,4 @@ package compliance.cis_eks.rules.cis_4_2_4
 
 import data.compliance.policy.kube_api.minimize_sharing as audit
 
-finding = result {
- result := audit.finding("hostNetwork")
-}
+finding := audit.finding("hostNetwork")

bundle/compliance/cis_eks/rules/cis_4_2_5/rule.rego

@@ -2,6 +2,4 @@ package compliance.cis_eks.rules.cis_4_2_5
 
 import data.compliance.policy.kube_api.minimize_admission as audit
 
-finding = result {
- result := audit.finding("allowPrivilegeEscalation")
-}
+finding := audit.finding("allowPrivilegeEscalation")

bundle/compliance/cis_eks/rules/cis_4_2_6/rule.rego

@@ -2,6 +2,4 @@ package compliance.cis_eks.rules.cis_4_2_6
 
 import data.compliance.policy.kube_api.minimize_admission_root as audit
 
-finding = result {
- result := audit.finding
-}
+finding := audit.finding

bundle/compliance/cis_eks/rules/cis_4_2_7/rule.rego

@@ -2,6 +2,4 @@ package compliance.cis_eks.rules.cis_4_2_7
 
 import data.compliance.policy.kube_api.minimize_certain_capability as audit
 
-finding = result {
- result := audit.finding
-}
+finding := audit.finding

bundle/compliance/cis_eks/rules/cis_4_2_8/rule.rego

@@ -2,6 +2,4 @@ package compliance.cis_eks.rules.cis_4_2_8
 
 import data.compliance.policy.kube_api.minimize_added_capabilities as audit
 
-finding = result {
- result := audit.finding
-}
+finding := audit.finding

bundle/compliance/cis_eks/rules/cis_4_2_9/rule.rego

@@ -2,6 +2,4 @@ package compliance.cis_eks.rules.cis_4_2_9
 
 import data.compliance.policy.kube_api.minimize_assigned_capabilities as audit
 
-finding = result {
- result := audit.finding
-}
+finding := audit.finding

bundle/compliance/cis_gcp/rules/cis_1_11/test.rego

@@ -16,7 +16,7 @@ admin_role := {
 }
 
 test_violation {
- # fail when same user (user:a) is both: 
+ # fail when same user (user:a) is both:
  # roles/cloudkms.admin and roles/cloudkms.cryptoKeyEncrypter
  eval_fail with input as test_data.generate_gcp_asset(type, subtype, {}, {"bindings": [
  admin_role,