Add evaluation failure message to rego rules

rule-types/common/license.yaml

@@ -59,16 +59,23 @@ def:
         import future.keywords.if
 
         default allow := false
+        fileStr := file.read(input.profile.license_filename)
 
         allow if {
             # Read the license file and check if it contains the license type
-            fileStr := file.read(input.profile.license_filename)
             contains(fileStr, input.profile.license_type)
         } else if {
             # Check if the file exists and the license type is left blank
             file.exists(input.profile.license_filename)
             input.profile.license_type == ""
         }
+        
+        message := sprintf("License file %v does not exist", [input.profile.license_filename]) if {
+            not file.exists(input.profile.license_filename)
+        } else := sprintf("License file %v does not match the expected license type %v", [input.profile.license_filename, input.profile.license_type]) if {
+            not contains(fileStr, input.profile.license_type)
+        }
+
   # Defines the configuration for alerting on the rule
   alert:
     type: security_advisory

rule-types/github/actions_check_default_permissions.yaml

@@ -69,6 +69,19 @@ def:
             count(job.permissions) >= 0
           }
         }
+        
+        # Get the list of workflows that do not have permissions and create the error message
+        missing_permissions_workflows = [workflow_name | 
+          filename := workflows[_]  # Iterate over each workflow filename
+          workflowstr := file.read(filename)
+          workflow := yaml.unmarshal(workflowstr) 
+
+          not permissions_ok(workflow)
+          workflow_name = workflow.name 
+        ]
+
+        # Construct the final message
+        message := sprintf("Workflows %s do not explicitly set their permissions", [concat(",", missing_permissions_workflows)])
   # We don't have a remediation method in place yet.
 
   # Defines the configuration for alerting on the rule

rule-types/github/artifact_attestation_slsa.yaml

@@ -91,6 +91,7 @@ def:
 
         default allow := false
         default skip := false
+        default message := "Cannot verify SLSA provenance"
         
         default workflow_ref := "refs/heads/main"
         workflow_ref := input.profile.workflow_ref

rule-types/github/branch_protection_enabled.yaml

@@ -60,6 +60,7 @@ def:
         import future.keywords.if
         
         default allow := false
+        default message := "No branch protection rule is set"
         
         allow if {
           input.ingested.url != ""

rule-types/github/branch_protection_require_pull_requests.yaml

@@ -70,6 +70,7 @@ def:
         import future.keywords.if
         
         default allow := false
+        default message := "Pull requests are not required"
         
         allow if {
           input.ingested.required_pull_request_reviews.url != ""

rule-types/github/codeql_enabled.yaml

@@ -59,6 +59,7 @@ def:
         package minder
 
         default allow := false
+        default message := "CodeQL is not enabled"
 
         allow {
             # List all workflows

rule-types/github/dependabot_configured.yaml

@@ -65,6 +65,7 @@ def:
         package minder
 
         default allow := false
+        default message := "Dependabot is not configured"
 
         # Set allow if we don't need to skip and the rule evaluation passes
         allow {

rule-types/github/scorecard_enabled.yaml

@@ -69,6 +69,7 @@ def:
         package minder
 
         default allow := false
+        default message := "Scorecard Action is not configured for any workflow"
 
         allow {
             # List all workflows

rule-types/github/secret_push_protection.yaml

@@ -61,6 +61,7 @@ def:
 
         default allow := false
         default skip := false
+        default message := "Secret push protection is disabled"
 
         allow if {
           input.ingested.security_and_analysis.secret_scanning_push_protection.status == "enabled"

rule-types/github/secret_scanning.yaml

@@ -60,6 +60,7 @@ def:
 
         default allow := false
         default skip := false
+        default message := "Secret scanning is disabled"
 
         allow if {
           input.ingested.security_and_analysis.secret_scanning.status == "enabled"

rule-types/github/security_insights.yaml

@@ -55,6 +55,8 @@ def:
         import rego.v1
 
         default allow := false
+        default message := "Security Insights file is missing"
+        
         allow if {
           file.exists(input.profile.filename)
         }

rule-types/github/security_insights_dep_policy.yaml

@@ -59,6 +59,7 @@ def:
         import rego.v1
 
         default allow := false
+        default message := "Dependency policy is missing from the Security Insights file"
         
         allow if {  
           file.exists(input.profile.filename)

rule-types/github/security_policy.yaml

@@ -40,6 +40,8 @@ def:
         import rego.v1
 
         default allow := false
+        default message := "Security policy file is missing"
+        
         allow if {
           file.exists(input.profile.filename)
         }

rule-types/github/trivy_action_enabled.yaml

@@ -54,6 +54,7 @@ def:
         package minder
 
         default allow := false
+        default message := "Trivy action is not enabled"
 
         allow {
             # List all workflows

rule-types/gitlab/gitlab_dependency_scanning_enabled.yaml

@@ -40,6 +40,7 @@ def:
         package minder
 
         default allow := false
+        default message := "GitLab Dependency Scanning is not enabled"
 
         allow {
           # Read the .gitlab-ci.yml file

rule-types/gitlab/gitlab_protect_branch.yaml

@@ -37,6 +37,7 @@ def:
         package minder
 
         default allow := false
+        default message := "Branch is not set as protected"
 
         allow {
           # Check that there is at least one protected branch

rule-types/gitlab/gitlab_require_merge_requests.yaml

@@ -39,6 +39,7 @@ def:
         package minder
 
         default allow := false
+        default message := "Merge requests are not required"
 
         allow {
           # Check that there is at least one protected branch