From 1ad66ee05a1beac088812e56a26824dd19f896b7 Mon Sep 17 00:00:00 2001
From: Eleftheria Stein-Kousathana
Date: Tue, 17 Dec 2024 16:37:35 +0100
Subject: [PATCH] Add ruletype for Renovate GitHub Action
Co-Authored-By: Philippe Moore
---
 .../github/renovate_github_action.test.yaml | 13 +++++
 .../.github/workflows/not-renovate.yaml | 17 +++++++
 .../.github/workflows/not-renovate.yaml | 12 +++++
 rule-types/github/renovate_github_action.yaml | 50 +++++++++++++++++++
 4 files changed, 92 insertions(+)
 create mode 100644 rule-types/github/renovate_github_action.test.yaml
 create mode 100644 rule-types/github/renovate_github_action.testdata/github_action_with_renovate/.github/workflows/not-renovate.yaml
 create mode 100644 rule-types/github/renovate_github_action.testdata/github_action_without_renovate/.github/workflows/not-renovate.yaml
 create mode 100644 rule-types/github/renovate_github_action.yaml
diff --git a/rule-types/github/renovate_github_action.test.yaml b/rule-types/github/renovate_github_action.test.yaml
new file mode 100644
index 0000000..a3767f3
--- /dev/null
+++ b/rule-types/github/renovate_github_action.test.yaml
@@ -0,0 +1,13 @@
+tests:
+ - name: "Should have Renovate enabled"
+ def: {}
+ params: {}
+ expect: "pass"
+ git:
+ repo_base: github_action_with_renovate
+ - name: "Should not have Renovate enabled"
+ def: {}
+ params: {}
+ expect: "fail"
+ git:
+ repo_base: github_action_without_renovate
\ No newline at end of file
diff --git a/rule-types/github/renovate_github_action.testdata/github_action_with_renovate/.github/workflows/not-renovate.yaml b/rule-types/github/renovate_github_action.testdata/github_action_with_renovate/.github/workflows/not-renovate.yaml
new file mode 100644
index 0000000..32b9aca
--- /dev/null
+++ b/rule-types/github/renovate_github_action.testdata/github_action_with_renovate/.github/workflows/not-renovate.yaml
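Review bot: The test file ends without a trailing newline (`\ No newline at end of file`), and the same is true of both fixture workflows in the following hunks; adding the final newline keeps all three files clean under yamllint's new-line-at-end-of-file rule and avoids noisy diffs on the next edit. The two test cases are otherwise clear, though the names could say what the fixtures differ in, e.g. `name: "Should pass when a workflow uses renovatebot/github-action"` and `name: "Should fail when no workflow uses renovatebot/github-action"`, so a reader does not have to open the testdata tree to understand the expectation.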
@@ -0,0 +1,17 @@
+name: Renovate
+on:
+ workflow_dispatch:
+ schedule:
+ # Run every 15 minutes
+ - cron: '0/15 * * * *'
+jobs:
+ renovate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4.2.2
+ - name: Self-hosted Renovate
+ uses: renovatebot/github-action@v41.0.6
+ with:
+ token: ${{ secrets.RENOVATE_TOKEN }}
+ configurationFile: renovate/renovate-config.json
\ No newline at end of file
diff --git a/rule-types/github/renovate_github_action.testdata/github_action_without_renovate/.github/workflows/not-renovate.yaml b/rule-types/github/renovate_github_action.testdata/github_action_without_renovate/.github/workflows/not-renovate.yaml
new file mode 100644
index 0000000..4950d2b
--- /dev/null
+++ b/rule-types/github/renovate_github_action.testdata/github_action_without_renovate/.github/workflows/not-renovate.yaml
@@ -0,0 +1,12 @@
+name: Just Checkout
+on:
+ workflow_dispatch:
+ schedule:
+ # Run every 15 minutes
+ - cron: '0/15 * * * *'
+jobs:
+ renovate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4.2.2
\ No newline at end of file
diff --git a/rule-types/github/renovate_github_action.yaml b/rule-types/github/renovate_github_action.yaml
new file mode 100644
index 0000000..1619972
--- /dev/null
+++ b/rule-types/github/renovate_github_action.yaml
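Review bot: The positive fixture lives at `.github/workflows/not-renovate.yaml`, the same path as the negative fixture in the next hunk, which reads like a copy-paste slip even if it is deliberate. If the point is that the rule keys on the `uses:` entry rather than on the workflow filename, say so with a comment at the top of this workflow, `# Filename is intentionally not 'renovate': the rule matches on the uses: entry, not the path`, or rename the negative fixture to something like `checkout-only.yaml` so the two trees differ in an obvious way. The fact that `uses: renovatebot/github-action@v41.0.6` is expected to satisfy the rule's exact `"renovatebot/github-action" in actions` comparison suggests that `github_workflow.ls_actions` strips the `@ref`; that assumption is worth confirming and recording in the fixture, since a future change to the helper would silently turn this test into a false negative.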
@@ -0,0 +1,50 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: renovate_github_action
+display_name: Enable Renovate for automated dependency updates
+short_failure_message: Renovate is not configured via a GitHub action
+severity:
+ value: medium
+context: {}
+description: |
+ Verifies that Renovate is configured via a GitHub action for the repository.
+guidance: |
+ Ensure that Renovate is configured and enabled for the repository.
+
+ Renovate enables automated dependency updates for repositories.
+ It is recommended that repositories have some form of automated
+ dependency updates enabled to ensure that vulnerabilities are not
+ introduced into the codebase.
+
+ For more information, see the [GitHub Action Renovate](https://github.com/renovatebot/github-action) documentation.
+def:
+ in_entity: repository
+ rule_schema:
+ type: object
+ properties: {}
+ ingest:
+ type: git
+ git: {}
+ eval:
+ type: rego
+ rego:
+ type: deny-by-default
+ def: |
+ package minder
+
+ import rego.v1
+
+ actions := github_workflow.ls_actions("./.github/workflows")
+
+ default message := "Renovate GitHub action is not configured"
+ default allow := false
+ allow if {
+ # check that there is a renovate action
+ "renovatebot/github-action" in actions
+ }
+ # Defines the configuration for alerting on the rule
+ alert:
+ type: security_advisory
+ security_advisory: {}
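Review bot: The `allow` rule at `"renovatebot/github-action" in actions` only establishes that some workflow under `./.github/workflows` references the action; it does not check that the workflow has a `schedule` trigger, that a token is supplied, or which ref the action is pinned to, so the `description` line "Verifies that Renovate is configured via a GitHub action" overstates what is evaluated. A presence check is a reasonable first rule, but the wording should match it: `Verifies that at least one workflow under .github/workflows uses the renovatebot/github-action action.` Assuming `github_workflow.ls_actions` returns action names with the `@ref` stripped (the fixture uses `renovatebot/github-action@v41.0.6` and is expected to pass), a comment next to the comparison saying so, `# ls_actions yields "owner/repo" without the @ref, so an exact match is sufficient`, would save the next reader from re-deriving it. Since the rule accepts any ref, the `guidance` block could also note that the Renovate action runs with a repository-write token and should be pinned to a full commit SHA rather than a mutable tag, which is the usual hardening advice for third-party actions.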