mxlint · vktrbrlv · Sep 23, 2024
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,6 +8,17 @@ on:
     branches: [ main ]
 
 jobs:
+
+  Lint-Rego:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: StyraInc/setup-regal@v1
+      with:
+        version: latest
+
+    - name: Lint
+      run: regal lint --format=github ./rules
 
   Rules:
     runs-on: ubuntu-latest

diff --git a/.regal/config.yaml b/.regal/config.yaml
@@ -0,0 +1,9 @@
+rules:
+  style:
+    prefer-some-in-iteration:
+      level: ignore
+
+  idiomatic:
+    directory-package-mismatch:
+      level: ignore
+
diff --git a/rules/001_project_settings/001_0001_anonymous_disabled.rego b/rules/001_project_settings/001_0001_anonymous_disabled.rego
@@ -12,20 +12,24 @@
 #  remediation: Disable anonymous/guest access in Project Security
 #  input: Security$ProjectSecurity.yaml
 package app.mendix.project_settings.anonymous_disabled
+
 import rego.v1
+
 annotation := rego.metadata.chain()[1].annotations
 
 default allow := false
+
 allow if count(errors) == 0
 
 errors contains error if {
-    input.EnableGuestAccess == true
-    error := sprintf("[%v, %v, %v] %v",
-        [
-            annotation.custom.severity,
-            annotation.custom.category,
-            annotation.custom.rulenumber,
-            annotation.title,
-        ]
-    )
-}
+	input.EnableGuestAccess == true
+	error := sprintf(
+		"[%v, %v, %v] %v",
+		[
+			annotation.custom.severity,
+			annotation.custom.category,
+			annotation.custom.rulenumber,
+			annotation.title,
+		],
+	)
+}
diff --git a/rules/001_project_settings/001_0001_anonymous_disabled_test.rego b/rules/001_project_settings/001_0001_anonymous_disabled_test.rego
@@ -1,10 +1,13 @@
-package app.mendix.project_settings.anonymous_disabled
+package app.mendix.project_settings.anonymous_disabled_test
+
+import data.app.mendix.project_settings.anonymous_disabled
 import rego.v1
 
 # Test cases
 test_allow if {
-	allow with input as {"EnableGuestAccess": false}
+	anonymous_disabled.allow with input as {"EnableGuestAccess": false}
 }
+
 test_no_allow if {
-	not allow with input as {"EnableGuestAccess": true}
-}
+	not anonymous_disabled.allow with input as {"EnableGuestAccess": true}
+}
diff --git a/rules/001_project_settings/001_0002_demo_users_disabled.rego b/rules/001_project_settings/001_0002_demo_users_disabled.rego
@@ -1,7 +1,7 @@
 # METADATA
 # scope: package
 # title: Business apps should disable demo users
-# description: No demo users 
+# description: No demo users
 # authors:
 # - Xiwen Cheng <x@cinaq.com>
 # custom:
@@ -12,20 +12,24 @@
 #  remediation: Disable demo users in Project Security
 #  input: Security$ProjectSecurity.yaml
 package app.mendix.project_settings.demo_users_disabled
+
 import rego.v1
+
 annotation := rego.metadata.chain()[1].annotations
 
 default allow := false
+
 allow if count(errors) == 0
 
 errors contains error if {
-    input.EnableDemoUsers == true
-    error := sprintf("[%v, %v, %v] %v",
-        [
-            annotation.custom.severity,
-            annotation.custom.category,
-            annotation.custom.rulenumber,
-            annotation.title,
-        ]
-    )
-}
+	input.EnableDemoUsers == true
+	error := sprintf(
+		"[%v, %v, %v] %v",
+		[
+			annotation.custom.severity,
+			annotation.custom.category,
+			annotation.custom.rulenumber,
+			annotation.title,
+		],
+	)
+}
diff --git a/rules/001_project_settings/001_0002_demo_users_disabled_test.rego b/rules/001_project_settings/001_0002_demo_users_disabled_test.rego
@@ -1,10 +1,13 @@
-package app.mendix.project_settings.demo_users_disabled
+package app.mendix.project_settings.demo_users_disabled_test
+
+import data.app.mendix.project_settings.demo_users_disabled
 import rego.v1
 
 # Test cases
 test_allow if {
-	allow with input as {"EnableDemoUsers": false}
+	demo_users_disabled.allow with input as {"EnableDemoUsers": false}
 }
+
 test_no_allow if {
-	not allow with input as {"EnableDemoUsers": true}
-}
+	not demo_users_disabled.allow with input as {"EnableDemoUsers": true}
+}
diff --git a/rules/001_project_settings/001_0003_security_checks.rego b/rules/001_project_settings/001_0003_security_checks.rego
@@ -12,32 +12,37 @@
 #  remediation: Set Security check to production in Project Security
 #  input: Security$ProjectSecurity.yaml
 package app.mendix.project_settings.security_checks
+
 import rego.v1
+
 annotation := rego.metadata.chain()[1].annotations
 
 default allow := false
+
 allow if count(errors) == 0
 
 errors contains error if {
-    input.CheckSecurity == false
-    error := sprintf("[%v, %v, %v] %v",
-        [
-            annotation.custom.severity,
-            annotation.custom.category,
-            annotation.custom.rulenumber,
-            "Security check is not enabled in Project Security",
-        ]
-    )
+	input.CheckSecurity == false
+	error := sprintf(
+		"[%v, %v, %v] %v",
+		[
+			annotation.custom.severity,
+			annotation.custom.category,
+			annotation.custom.rulenumber,
+			"Security check is not enabled in Project Security",
+		],
+	)
 }
 
 errors contains error if {
-    input.SecurityLevel != "CheckEverything" 
-    error := sprintf("[%v, %v, %v] %v",
-        [
-            annotation.custom.severity,
-            annotation.custom.category,
-            annotation.custom.rulenumber,
-            "Security check is not set to Production in Project Security",
-        ]
-    )
-}
+	input.SecurityLevel != "CheckEverything"
+	error := sprintf(
+		"[%v, %v, %v] %v",
+		[
+			annotation.custom.severity,
+			annotation.custom.category,
+			annotation.custom.rulenumber,
+			"Security check is not set to Production in Project Security",
+		],
+	)
+}
diff --git a/rules/001_project_settings/001_0003_security_checks_test.rego b/rules/001_project_settings/001_0003_security_checks_test.rego
@@ -1,22 +1,26 @@
-package app.mendix.project_settings.security_checks
+package app.mendix.project_settings.security_checks_test
+
+import data.app.mendix.project_settings.security_checks
 import rego.v1
 
 # Test cases
 test_allow if {
-	allow with input as {
+	security_checks.allow with input as {
 		"CheckSecurity": true,
 		"SecurityLevel": "CheckEverything",
 	}
 }
+
 test_no_allow_1 if {
-	not allow with input as {
+	not security_checks.allow with input as {
 		"CheckSecurity": false,
 		"SecurityLevel": "CheckEverything",
 	}
 }
+
 test_no_allow_2 if {
-	not allow with input as {
+	not security_checks.allow with input as {
 		"CheckSecurity": true,
 		"SecurityLevel": "unknown",
 	}
-}
+}
diff --git a/rules/001_project_settings/001_0004_strong_password.rego b/rules/001_project_settings/001_0004_strong_password.rego
@@ -13,61 +13,68 @@
 #  remediation: Ensure minimum password length of at least 8 characters and must use all character classes.
 #  input: Security$ProjectSecurity.yaml
 package app.mendix.project_settings.strong_password
+
 import rego.v1
+
 annotation := rego.metadata.chain()[1].annotations
 
 default allow := false
+
 allow if count(errors) == 0
 
 min_password_length := 8
 
 errors contains error if {
-    my_password_length := input.PasswordPolicySettings.MinimumLength
-    my_password_length < min_password_length
-    error := sprintf("[%v, %v, %v] Password length of %v is not enough. It must be at least %v",
-        [
-            annotation.custom.severity,
-            annotation.custom.category,
-            annotation.custom.rulenumber,
-            my_password_length,
-            min_password_length,
-        ]
-    )
+	my_password_length := input.PasswordPolicySettings.MinimumLength
+	my_password_length < min_password_length
+	error := sprintf(
+		"[%v, %v, %v] Password length of %v is not enough. It must be at least %v",
+		[
+			annotation.custom.severity,
+			annotation.custom.category,
+			annotation.custom.rulenumber,
+			my_password_length,
+			min_password_length,
+		],
+	)
 }
 
 errors contains error if {
-    input.PasswordPolicySettings.RequireDigit == false
-    error := sprintf("[%v, %v, %v] %v",
-        [
-            annotation.custom.severity,
-            annotation.custom.category,
-            annotation.custom.rulenumber,
-            "Password must require digits",
-        ]
-    )
+	input.PasswordPolicySettings.RequireDigit == false
+	error := sprintf(
+		"[%v, %v, %v] %v",
+		[
+			annotation.custom.severity,
+			annotation.custom.category,
+			annotation.custom.rulenumber,
+			"Password must require digits",
+		],
+	)
 }
 
 errors contains error if {
-    input.PasswordPolicySettings.RequireMixedCase == false
-    input.PasswordPolicySettings.RequireSymbol == false
-    error := sprintf("[%v, %v, %v] %v",
-        [
-            annotation.custom.severity,
-            annotation.custom.category,
-            annotation.custom.rulenumber,
-            "Password must require mixed case characters",
-        ]
-    )
+	input.PasswordPolicySettings.RequireMixedCase == false
+	input.PasswordPolicySettings.RequireSymbol == false
+	error := sprintf(
+		"[%v, %v, %v] %v",
+		[
+			annotation.custom.severity,
+			annotation.custom.category,
+			annotation.custom.rulenumber,
+			"Password must require mixed case characters",
+		],
+	)
 }
 
 errors contains error if {
-    input.PasswordPolicySettings.RequireSymbol == false
-    error := sprintf("[%v, %v, %v] %v",
-        [
-            annotation.custom.severity,
-            annotation.custom.category,
-            annotation.custom.rulenumber,
-            "Password must require symbols",
-        ]
-    )
-}
+	input.PasswordPolicySettings.RequireSymbol == false
+	error := sprintf(
+		"[%v, %v, %v] %v",
+		[
+			annotation.custom.severity,
+			annotation.custom.category,
+			annotation.custom.rulenumber,
+			"Password must require symbols",
+		],
+	)
+}