Add a ruletype that checks for the presence of a file header #239
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| tests: | ||
| - name: "Specific file has a header" | ||
| def: | ||
| filter: LICENSE | ||
| header: | | ||
| # SPDX-FileCopyrightText: Copyright 2023 The Minder Authors | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
| params: {} | ||
| expect: "pass" | ||
| git: | ||
| repo_base: test_1 | ||
| - name: "Specific file doesn't have a header" | ||
| def: | ||
| filter: LICENSE | ||
| header: | | ||
| # SPDX-FileCopyrightText: Copyright 2023 The Minder Authors | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
| params: {} | ||
| expect: "fail" | ||
| git: | ||
| repo_base: test_2 | ||
| - name: "All go files have a header" | ||
| def: | ||
| filter: LICENSE | ||
| header: | | ||
| # SPDX-FileCopyrightText: Copyright 2023 The Minder Authors | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
| params: {} | ||
| expect: "pass" | ||
| filter: "^.*\\.go$" | ||
| git: | ||
| repo_base: test_1 | ||
| - name: "Not all go files have a header" | ||
| def: | ||
| filter: LICENSE | ||
| header: | | ||
| # SPDX-FileCopyrightText: Copyright 2023 The Minder Authors | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
| params: {} | ||
| expect: "fail" | ||
| filter: "^.*\\.go$" | ||
| git: | ||
| repo_base: test_2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| # SPDX-FileCopyrightText: Copyright 2023 The Minder Authors | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| Test file for license header |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| // SPDX-FileCopyrightText: Copyright 2023 The Minder Authors | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
| package test_1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| // SPDX-FileCopyrightText: Copyright 2023 The Minder Authors | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
| package test_1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| # Another header | ||
|
|
||
| Test file for license header |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| // SPDX-FileCopyrightText: Copyright 2023 The Minder Authors | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
| package test_1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| package test_1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| --- | ||
| version: v1 | ||
| release_phase: alpha | ||
| type: rule-type | ||
| name: file_header | ||
| display_name: Checks for the presence of a header in a file | ||
| short_failure_message: File does not contain the expected header | ||
| severity: | ||
| value: low | ||
| context: {} | ||
| description: | | ||
| Checks for the presence of a header in a file. | ||
| guidance: | | ||
| Check if the file contains the expected header. | ||
|
|
||
| This rule is useful for enforcing the presence of a header in a file, such as license headers, code of conduct, | ||
| or other important information that should be present in the beginning of the file. | ||
| def: | ||
| in_entity: repository | ||
| rule_schema: | ||
| type: object | ||
| properties: | ||
| filter: | ||
| type: string | ||
| description: | | ||
| The filter is a regular expression that is used to filter the files that should be checked for the header. | ||
|
|
||
| For example, if you want to check all files with the extension `.yml`, you can use the following regex `^.*\.yml$`. | ||
|
|
||
| If you want to check a specific file, you can use the file name as the filter. For example, `main.go`. | ||
| header: | ||
| type: string | ||
| description: | | ||
| The header to check for in the file. | ||
|
|
||
| This is the expected content that should be present in the beginning of the file. | ||
| required: | ||
| - filter | ||
| - header | ||
| ingest: | ||
| type: git | ||
| git: | ||
| eval: | ||
| type: rego | ||
| rego: | ||
| type: constraints | ||
| def: | | ||
| package minder | ||
|
|
||
| import future.keywords.in | ||
| import future.keywords.if | ||
|
|
||
| violations[{"msg": msg}] if { | ||
| # Walk all files in the repo | ||
| files_in_repo := file.walk(".") | ||
|
|
||
| some current_file in files_in_repo | ||
|
|
||
| # Filter files based on the regex in filter | ||
| regex.match(input.profile.filter, current_file) | ||
|
|
||
| # Read the file | ||
| file_content := file.read(current_file) | ||
|
|
||
| # Check if the file contains the expected header | ||
| not startswith(file_content, input.profile.header) | ||
|
|
||
| msg := sprintf("File does not contain the expected header: %s", [current_file]) | ||
| } | ||
| # Defines the configuration for alerting on the rule | ||
| alert: | ||
| type: security_advisory | ||
| security_advisory: {} | ||
|
Comment on lines
+70
to
+73
There was a problem hiding this comment. I don't think you want a security advisory for this. It does seem worthwhile to think about what a remediation rule for this would look like, in the context of broader remediations, but this example seems a bit too limited on its own to recommend a remediation. |
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you want to support date-matching here, or keep this exact match?