-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add rule to require pre-commit to be configured in the repository (#242)
Co-authored-by: Giuseppe Scuglia <[email protected]>
- Loading branch information
Showing
4 changed files
with
89 additions
and
0 deletions.
There are no files selected for viewing
19 changes: 19 additions & 0 deletions
19
rule-types/common/require_pre_commit_to_be_configured.test.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| tests: | ||
| - name: "Should have at least one pre-commit hook configured" | ||
| def: {} | ||
| params: {} | ||
| expect: "pass" | ||
| git: | ||
| repo_base: correct | ||
| - name: "Should fail pre-commit is not configured with at least one hook" | ||
| def: {} | ||
| params: {} | ||
| expect: "fail" | ||
| git: | ||
| repo_base: misconfigured | ||
| - name: "Should fail is pre-commit is not configured at all" | ||
| def: {} | ||
| params: {} | ||
| expect: "fail" | ||
| git: | ||
| repo_base: empty |
13 changes: 13 additions & 0 deletions
13
...types/common/require_pre_commit_to_be_configured.testdata/correct/.pre-commit-config.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| repos: | ||
| - repo: https://github.com/pre-commit/pre-commit-hooks | ||
| rev: v3.2.0 | ||
| hooks: | ||
| - id: trailing-whitespace | ||
| - id: end-of-file-fixer | ||
| - id: check-yaml | ||
| - id: check-added-large-files | ||
|
|
||
| - repo: https://github.com/tenable/terrascan | ||
| rev: 'v1.28.0' | ||
| hooks: | ||
| - id: terraform-pre-commit |
4 changes: 4 additions & 0 deletions
4
...common/require_pre_commit_to_be_configured.testdata/misconfigured/.pre-commit-config.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| repos: | ||
| - repo: https://github.com/pre-commit/pre-commit-hooks | ||
| rev: v3.2.0 | ||
| hooks: [] |
53 changes: 53 additions & 0 deletions
53
rule-types/common/require_pre_commit_to_be_configured.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| --- | ||
| version: v1 | ||
| release_phase: alpha | ||
| type: rule-type | ||
| name: require_pre_commit_to_be_configured | ||
| display_name: Require pre-commit to be installed | ||
| short_failure_message: pre-commit configuration file missing | ||
| severity: | ||
| value: medium | ||
| context: {} | ||
| description: | | ||
| Verifies that `pre-commit` is installed in the repository | ||
| guidance: | | ||
| Ensure that (pre-commit)[https://pre-commit.com/] is configured in a repository. | ||
| def: | ||
| in_entity: repository | ||
| rule_schema: | ||
| type: object | ||
| properties: {} | ||
| ingest: | ||
| type: git | ||
| git: {} | ||
| eval: | ||
| type: rego | ||
| rego: | ||
| type: deny-by-default | ||
| def: | | ||
| package minder | ||
| import future.keywords.if | ||
| import future.keywords.every | ||
| default message := "pre-commit configuration file missing" | ||
| default allow := false | ||
| # pre-commit hook | ||
| precommit := file.read(".pre-commit-config.yaml") | ||
| parsed_data := parse_yaml(precommit) | ||
| allow if { | ||
| some repo_id, hook_id | ||
| repo_data := parsed_data.repos[repo_id] | ||
| hooks = repo_data["hooks"] | ||
| hooks[hook_id] | ||
| } | ||
| message := "" if allow | ||
| alert: | ||
| type: security_advisory | ||
| security_advisory: {} |