Releases: StyraInc/regal
v0.11.0
Regal goes to v0.11.0! This release constitutes a milestone for the project, as we now ship with 50 built-in rules in total!
Regal now provides a GitHub Action for easily integrating Regal into your CI pipeline. Thanks @charlieegan3 for your work on this!
The v0.11.0 release contains six new rules, and a number of improvements and fixes.
New rule: import-after-rule
Category: imports
While certainly not common, Rego allows including imports after rule declarations, i.e.
allow if admin in input.user.roles
import data.roles.admin
The new import-after-rule rule does not allow that.
For more information, see the docs on import-after-rule.
New rule: import-shadows-builtin
Category: imports
The new import-shadows-builtin rule prevents importing a package that shadows a built-in function, or the "namespace" of a built-in function, like http in http.send:
# Forbidden, as it prevents calling `http.send` in this file
import data.features.http
For more information, see the docs on import-shadows-builtin.
New rule: prefer-set-or-object-rule
Category: idiomatic
Prefer set or object-generating rules over using top-level comprehensions.
# Avoid
deny := {reason |
# ...
}
# Prefer
deny contains reason {
# ...
}
For more information, see the docs on prefer-set-or-object-rule.
New rule: equals-pattern-matching
Category: idiomatic
Prefer using pattern matching in function arguments over equals comparison in head or body.
# Avoid
to_string(n) := "one" if n == 1
to_string(n) := "two" if n == 2
# Prefer
to_string(1) := "one"
to_string(2) := "two"
For more information, see the docs on equals-pattern-matching.
New rule: zero-arity-function
Category: bugs
Zero arity functions, or functions with no arguments, are problematic in Rego and should be replaced by rules.
# Avoid
first_user() := data.users[0]
# Prefer
first_user := data.users[0]
For more information, see the docs on zero-arity-function.
New rule: prefer-value-in-head
Category: custom
This is an opinionated rule and not a general recommendation. As such it is placed in the custom category and disabled by default.
Still, this is a coding style some teams or organizations may want to standardize on.
# Avoid
deny contains message if {
# ... conditions
message := "anonymous user not allowed"
}
# Prefer
deny contains "anonymous user not allowed" if {
# ... conditions
}
For more information, see the docs on prefer-value-in-head.
Other improvements
- Windows support is now on par with Mac and Linux, and the project is now built and tested on Windows as part of our CI pipeline.
- The unconditional-assignment rule now also considers partial, or multi-value, rules.
- The no-whitespace-comment rule now allows configuring exceptions.
- A --pprof flag has been added to the lint and test commands for profiling Regal. Thanks @srenatus!
Bugs fixed
- The use-assignment-operator rule would previously not report = in else. Now it does. Thanks @ThomasKingoTM for reporting that!
- Fix false positive in the constant-condition rule on functions without a body.
- Similarly, fix false positive in constant-condition rule flagging multi-value rules without a body.
- Fix false positive reported in top-level-iteration.
Community
- A testimonials section was added to the README. Thanks @dkorolev, @iamleot and @mcguiresm!
- A PR template was added to help new contributors submit a PR.
Changelog
- 370bd45: Add testimonials to the README (#378) (@anderseknert)
- 11d0ee8: Add PR template (#377) (@anderseknert)
- 4162b4d: Fixes to run on Windows (#382) (@anderseknert)
- 1b474fc: Update .gitattributes to use eol=lf (@anderseknert)
- 1b9de24: Fix issues blocking Windows usage (#383) (@anderseknert)
- e71e3bf: Windows runner test (#380) (@anderseknert)
- cc11a6c: Check for assignment operator in else assignment (#386) (@anderseknert)
- cb19b5b: Rule: import-after-rule (#387) (@anderseknert)
- 2b80d7a: Update Roadmap — GitHub Action done! (@anderseknert)
- f93bb50: cicd: Use go.mod as source for Go version (#388) (@anderseknert)
- 3cc88e7: unconditional-assignment: extend to include multi-value rules (#390) (@anderseknert)
- 9d8a642: Fix heading for dubious-print-sprintf (#392) (@anderseknert)
- 1521653: cmd: add --pprof for lint and test (#395) (@srenatus)
- 63371e2: deps: remove prometheus/client_golang replacement for wasip1 (#391) (@srenatus)
- 00b9c2e: no-whitespace-comment: add except-pattern config attribute (#389) (@anderseknert)
- 674674b: Fix constant-condition flagging multi-value rules without body (#400) (@anderseknert)
- 1f199d8: Fix false positive in top-level-iteration (#402) (@anderseknert)
- 716f77d: Fix false positive on function without body in constant-condition (#404) (@anderseknert)
- cf3e8a4: Rule: import-shadows-builtin (#407) (@anderseknert)
- 01305e0: Docs: consistent casing of "OPA Docs" (#410) (@anderseknert)
- 75dbeed: Rule: prefer-set-or-object-rule (#409) (@anderseknert)
- 668a952: Rule: equals-pattern-matching (#411) (@anderseknert)
- 67e8b33: Rule: prefer-value-in-head (#412) (@anderseknert)
- 2dded6a: Rule: zero-arity-function (#413) (@anderseknert)
v0.10.1
This is a minor release to support the new setup-regal GitHub Action. This release improves the --format github output so that it no longer only reports violations in the form of annotations in the PR, but also prints the --format pretty table to the actions console, allowing you to quickly identify issues in either of the views.
As an added bonus, this release also features new documentation for the aggregate rule type introduced in v0.10.0, so that custom rule authors now may try them out.
Changelog
- 97e473d: Cancel concurrent CI execution on pushes to same PR (#368) (@anderseknert)
- 0099c4b: Use Must test helper, courtesy of @srenatus (#364) (@anderseknert)
- 5df122e: Some small tweaks (#363) (@anderseknert)
- 7f2e55e: Aggregate rules documentation (#365) (@anderseknert)
- 2167ace: Add run_quiet to rq build script (#366) (@anderseknert)
- c572685: Dogfood setup-regal action (#372) (@charlieegan3)
- 5cba5d0: [docs] Add note to README about setup-regal (#373) (@charlieegan3)
- fa4712f: Add capabilities.json and use for opa check --strict (#374) (@anderseknert)
- 0fe50d1: Let --format github log pretty output to console (#371) (@anderseknert)
v0.10.0
This release brings a new type of linter rule to Regal — aggregate rules. v0.10.0 also brings a number of new rules, new features, performance improvements and bug fixes.
Aggregate rules
Aggregate rules evaluate input not just from a single Rego policy at a time, but collect, or aggregate, data from all files included for linting. A second evaluation step is then performed where the collected data is used to determine if a linter rule violation occurred. Aggregate rules help solve issues at the level of a project rather than individual files, and could for example be used to ensure that at least one package is annotated with an authors attribute, or that no import points to a package that doesn't exist in the repo. Since aggregate rules require input from several files, they are disabled by default when linting a single policy file.
Huge thanks to @sesponda (Atlassian) who helped both in the design and implementation of this feature!
While the feature is considered stable, there are still some things to work out for the next release in terms of configuration options and documentation for custom aggregate rules. Join us in the #regal channel if you'd like to be an early adopter!
New rule: prefer-package-imports
Category: imports
The first built-in rule to make use of the new aggregate system is prefer-package-imports. The Rego Style Guide has long advocated the use of package level imports over importing rules and functions directly, and now there is a Regal rule to enforce that!
For more information, see the docs on prefer-package-imports.
New rule: no-defined-entrypoint
Category: idiomatic
The next aggregate rule to ship with Regal is no-defined-entrypoint. Annotating at least one package or rule as an entrypoint is a good practice for documenting your project. And not only that — using an entrypoint annotation unlocks several programmatic capabilities for compilation to other formats, like Wasm, or IR.
For more information, see the docs on no-defined-entrypoint.
New rule: default-over-else
Category: style
The next rule is not an aggregate one, but no less useful! In the style category, the default-over-else rule will flag "fallback else" conditions in favor of default assignment.
Avoid
package policy

import future.keywords.if

permissions := ["read", "write"] if {
    input.user == "admin"
} else := ["read"]
Prefer
package policy

import future.keywords.if

default permissions := ["read"]

permissions := ["read", "write"] if {
    input.user == "admin"
}
A configuration option allows setting default functions (recently introduced in OPA) as a preference as well.
For more information, see the docs on default-over-else.
New rule: rule-length
Category: style
Thanks to some improvements to the OPA AST contributed upstream by @charlieegan3, one class of rules has been made much simpler to implement. One such rule is rule-length, which similarly to file-length flags when too much is going on in a single location, in this case a rule or a function body. The default limit is 30 lines, but this can be changed in the configuration to your liking.
For more information, see the docs on rule-length.
Feature: regal lint --enable-print
The regal lint command now accepts an --enable-print flag to simply allow print statements without printing other debugging information.
Feature: regal lint --profile
Similarly to the profiling capabilities in OPA, Regal now provides a --profile flag to help collect and report profiling data, helping policy authors and Regal developers to see where most of the time is spent in evaluation.
Experimental: Wasm/Wasi compilation
Friend of Regal @srenatus has contributed some experimental code to compile Regal to Wasm/Wasi. See the development docs if you're curious to try it out!
Performance improvements
- Regal now uses a custom algorithm to filter out ignored files, up to 30X faster than previously.
- OPA dependency bumped to point to main, which includes performance improvements to walk and arithmetic operations.
Other improvements
- The regal new rule command now adds both a documentation page and an entry in the README table. Thanks @Ronnie-personal for contributing!
- A non-breakable-word-threshold option has been added to the line-length rule, which allows tolerating single words that exceed the line length if they can't be broken up into several parts, like URLs. Thanks @iamleot for requesting this!
- The top-level-iteration rule incorrectly identified constants and other parameters as iteration. This was identified and fixed by @zregvart. Thanks!
Great to see so many old and new faces in the list of contributors. Thank you all!
Changelog
- 82ebbe6: File filtering improvements (#332) (@anderseknert)
- bbdceb7: Add --enable-print flag to regal lint (#337) (@anderseknert)
- 0098ff7: Implement Aggregates Collection and Usage (#323) (@sesponda)
- 938172a: Allow parameters and constants in top level rule (#347) (@zregvart)
- 9063cf0: build: add kludges to build for WASI (#346) (@srenatus)
- 590ce2e: Rule: prefer-package-imports (#349) (@anderseknert)
- 41e127d: Add non-breakable-word-threshold option to line-length rule (#350) (@anderseknert)
- 716a574: Bumping opa to v0.57.0 (#352) (@johanfylling)
- de17845: Rule: rule-length (#354) (@anderseknert)
- 57d77d1: Remove code that set the ref head env var (#353) (@anderseknert)
- c937e34: Remove rule.head.name usage (#357) (@anderseknert)
- 52c57d3: Rule: default-over-else (#360) (@anderseknert)
- f1ff4fb: Rule: no-defined-entrypoint (#355) (@anderseknert)
- 58bb7b8: Add config and README entry with regal new rule command (#304) (@Ronnie-personal)
- 28a51f7: Add --profile option to regal lint (#361) (@anderseknert)
- e4fb086: Bump OPA version to current main (#362) (@anderseknert)
v0.9.0
This release brings three new rules to Regal, a new Rego-based build system, and improvements to the Go API. Plus a number of improvements, features and bugfixes.
The v0.9.0 release also coincides with some exciting news from our community — users of the Rego Playground now experience Regal integrated in the tool, and have linter violations reported directly in the UI!
New rule: dubious-print-sprintf
Category: testing
This new rule will flag the use of print together with sprintf in its argument list. The print function takes any number of arguments as it is, and using sprintf negates the benefits of the print function's special handling of undefined values.
For more information, see the docs on dubious-print-sprintf.
Thank you @Ronnie-personal for contributing this rule! 👏
New rule: forbidden-function-call
Category: custom
In the custom category, the new forbidden-function-call rule will allow you to configure a list of built-in functions that should be flagged by Regal if encountered. This could for example be http.send calls, or JWT decoding using HMAC rather than asymmetric crypto.
For more information, see the docs on forbidden-function-call.
New rule: chained-rule-body
Category: style
The new chained-rule-body rule will have Regal flag rules where the body is "chained", as this style isn't recommended any more.
For more information, see the docs on chained-rule-body.
Regal in the Rego Playground!
Regal is now integrated in the Rego Playground, and provides users with information on linter violations as they work on their policies!
Thanks @charlieegan3 for your work on this!
Go API (experimental)
While integrations using the Go API are still not recommended, several steps were taken in this release in order to move it closer to a stable state. This work was done in order to get Regal integrated into the Rego Playground.
Documentation
A new page on Regal's architecture has been added to the docs, which should be helpful for people looking to contribute to Regal, or those curious to learn more about how Regal works.
Using Rego to build Rego that lints Rego!
Regal now uses Rego — via @charlesdaniels' eminent rq tool — as a "build tool" of sorts. See this LinkedIn post for more details, and a link to our new build definition file. The development docs have been updated with instructions for using this tool.
While we're on that topic — the new do.rq pr task will run all the formatting, testing and linter steps required to prepare a PR. Make sure to use it when contributing!
Thanks to @srenatus for leading the way on this one!
Other improvements and fixes
- Custom configuration for a rule is no longer required to provide a level attribute. If not provided, the level will be inherited from the default configuration for that rule.
- The walk built-in function is now by default excepted by the function-arg-return rule. See the rule documentation for details.
- The regal lint command now accepts a --metrics flag, which will provide helpful information on where Regal spends most of the time evaluating a project.
Credits
Thank you all who contributed to this release! Special thanks go out to first time contributors:
You rock! 👏
Changelog
- b1ae6f8: test: allow running "regal" on its own bundle (#286) (@srenatus)
- 2e16be6: Change tap -> repository (@anderseknert)
- 4e48367: Fix: Scaffolding now properly populates templatesge nam… (#277) (@ThomasKingoTM)
- 5d13fbb: Bump actions/checkout from 3 to 4 (#288) (@dependabot[bot])
- 30a2210: Allow not providing level in user configuration (#289) (@anderseknert)
- 2d0bb3d: Add regal test bundle recommendation (@anderseknert)
- 5cc95a6: Check for presence of binary before running e2e tests (#296) (@anderseknert)
- 44da56e: Except walk from function-arg-return (#299) (@anderseknert)
- 4f2d49e: Ensure unused-return-value isn't triggered on function arg return (@anderseknert)
- d65beef: Bump tibdex/github-app-token from 1 to 2 (#308) (@dependabot[bot])
- c6ea324: Add documentation on architecture (#309) (@anderseknert)
- 3045787: Sort table by category and rule name (#310) (@anderseknert)
- d8aff71: Rule: chained-rule-body (#295) (@anderseknert)
- a8403a8: Expose rules and parser opts for use as library (#307) (@charlieegan3)
- 9cf0889: Add note about prod use of Go API (#311) (@charlieegan3)
- c9ed881: Dubious use of print and sprintf (#291) (@Ronnie-personal)
- 0178af9: Add --compare-to-readme flag to regal table (#312) (@anderseknert)
- 1da57a8: Add documentation for dubious-print-sprintf (#314) (@anderseknert)
- bce1cfe: Update documentation resources index (#313) (@anderseknert)
- 8196cc5: Bump goreleaser/goreleaser-action from 4 to 5 (#315) (@dependabot[bot])
- d3d9986: Store list of refs for use by rules (#316) (@anderseknert)
- 88ca661: build: use rq (#319) (@srenatus)
- be6e99d: Rule: forbidden-function-call (custom) (#318) (@anderseknert)
- d3355e1: Add rq pr task to help prepare for PRs (#320) (@anderseknert)
- 2aa25e7: Use Open-Policy-Agent as linguist language (#321) (@anderseknert)
- bb83ebe: build/do.rq: build binary for tasks list if needed (#324) (@srenatus)
- 3011243: do.rq: don't depend on 'ls' (#325) (@srenatus)
- 995ca6a: Metrics (#333) (@anderseknert)
- 83f22ee: Unmarshalling: Remove extra attributes "level" and "ignore" (#335) (@anderseknert)
v0.8.0
This is the most feature-packed release to date, adding a new output format, four new rules, and many improvements across the board!
New GitHub output format
The regal lint command now accepts a new --format option named github. This is ideal for when Regal is run in CI/CD scenarios using GitHub Actions. This format will emit annotations for any violation, which will be visible in the pull request file view.
In addition to this, the GitHub output format will also create a linter report visible in the "Checks" tab:
This report summarizes the result of linting, with links provided to the documentation for any violation.
New rule: use-some-for-output-vars
Category: idiomatic
Using some to declare output variables used in iteration (and elsewhere) has long been considered a best practice. Regal can now identify places where variables are introduced without some and treat these as errors:
allow {
userinfo := data.users[id]
# ...
}
Unless the id variable in the above example is declared elsewhere in the policy, it should be declared using some:
allow {
some id
userinfo := data.users[id]
# ...
}
# alternatively, and arguably more idiomatic:
allow {
some id, userinfo in data.users
# ...
}
For more information, see the docs on use-some-for-output-vars.
New rule: prefer-some-in-iteration
Category: style
Similarly, the new prefer-some-in-iteration rule will have Regal warn when using the "old" style of iteration which could be replaced in favor of some ... in:
engineers[employee] {
employee := data.employees[_]
employee.role in engineering_roles
}
# Prefer some .. in
engineers[employee] {
some employee in data.employees
employee.role in engineering_roles
}
An exception to this rule may be deeply nested iteration, where the shorter syntax is often preferable. Regal thus allows configuring the rule to allow exceptions from any given nesting level.
For more information, see the docs on prefer-some-in-iteration.
New rule: metasyntactic-variable
Category: testing
Using rule and variable names like "foo", "bar" or "baz" might be convenient in examples, but rarely has a place in production policy. The new metasyntactic-variable rule will flag any occurrences of these names. The ignore directive may of course be used to e.g. allow these types of variables in tests or other legitimate locations.
For more information, see the docs on metasyntactic-variable.
New rule: file-length
Category: style
Having policy files span several hundred lines of code is often a signal to consider refactoring the code into smaller units, and to modularize properly using packages and imports. The new file-length rule by default flags any file with more than 500 lines. This number can be changed via the rule's configuration.
For more information, see the docs on file-length.
Other improvements
In addition to the above features, this release comes with many smaller improvements to code, documentation and the pre-commit-hooks — not to mention a bunch of bugs that got fixed. Thanks to everyone who contributed to this release!
Changelog
- d906c0e: use-assignment-operator docs: Use := in Prefer example (#253) (@anderseknert)
- d466086: Update readme links to docs.styra.com (#255) (@charlieegan3)
- 2bf1476: Rule: use-some-for-output-vars (#254) (@anderseknert)
- 867d585: Some doc fixes (#256) (@anderseknert)
- 79275b5: Added import future.keywords.if where it belongs in the example. (#259) (@dkorolev)
- 603cbd8: Update development docs (#262) (@mcguiresm)
- 12b72e3: Update builtin_metadata.rego (@anderseknert)
- 91fdf58: Add use-some-for-output-vars to table in README (#257) (@anderseknert)
- 5b9aaae: Allows multiple # comments (#268) (@Parsifal-M)
- 241698b: Enable pre-commit hook for all hook types (#270) (@jharrisonSV)
- 2b3d7ed: Filter out files before parsing (#272) (@anderseknert)
- 1fdedad: Add GitHub output format (#273) (@anderseknert)
- 4bcfac0: Rule: prefer-some-in-iteration (#263) (@anderseknert)
- de1fc97: Ensure rule "name" logic works without rule.head.name (#278) (@anderseknert)
- a554c3e: bundle: rearrange embed.FS setup (#279) (@srenatus)
- 1e6418d: Rule: metasyntactic-variable (#280) (@anderseknert)
- e86f87d: Refactor: improve config.for_rule ergonomics (#281) (@anderseknert)
- 3a5f666: Rule: file-length (#283) (@anderseknert)
- f78e4a2: Bump dependencies (#284) (@anderseknert)
- 6253cae: Add --debug flag to regal lint command (#287) (@anderseknert)
v0.7.0
This release adds a new custom category to the built-in rules, which allows users to easily define the most common organizational requirements, like naming conventions, by simply editing their Regal configuration. This release also brings a new frontend for the Regal docs, which are now published to docs.styra.com/regal.
New custom category, and naming-convention rule
The custom category of rules allows teams and organizations to define their own conventions for their Rego projects, without having to write custom linter policies. Naming conventions are likely the most common requirement, which is also what the new naming-convention rule helps solve by allowing users to specify their conventions in the Regal configuration using regex patterns.
An example configuration leveraging the naming-convention rule could look like below:
rules:
  custom:
    naming-convention:
      # one of "error", "warning", "ignore"
      level: error
      conventions:
        # allow only "private" rules and functions, i.e. those starting with
        # underscore, or rules named "deny" or "allow"
        - pattern: '^_[a-z]+$|^deny$|^allow$'
          # one of "package", "rule", "function", "variable"
          targets:
            - rule
            - function
        # any number of naming rules may be added
        # package names must start with "acmecorp" or "system"
        - pattern: '^acmecorp|^system'
          targets:
            - package
Note that all rules in the "custom" category are disabled by default (i.e. level "ignore") as some configuration needs to be provided by the user (i.e. you!) in order for them to be useful.
Docs published to docs.styra.com
While GitHub renders markdown well, the file browser doesn't lend itself too well to exploring all the rules available in Regal. From this release, docs are now published to docs.styra.com/regal, and this page will be used in links found in the reports emitted by regal lint. If you prefer navigating GitHub, the markdown files are still there too.
Changelog
- 9c1f17c: Run GitHub Actions workflow only once (#232) (@iamleot)
- 78a9f17: Fix broken non-anchor link (#233) (@charlieegan3)
- 2f8e715: Add custom category and rule for naming conventions (#235) (@anderseknert)
- c0fa3db: Use H1 for pre-commit hook title (#237) (@charlieegan3)
- b5730ae: [docs] Fix typo in slack links (#238) (@charlieegan3)
- cd385bd: Use absolute links for images (#240) (@charlieegan3)
- 222fbe5: Update roadmap status (#241) (@anderseknert)
- 565150f: Use abs link for config file link (#242) (@charlieegan3)
- 258b8b6: Move "Exceptions" to after "Rationale" (#245) (@anderseknert)
- 99205f8: Add .gitattributes for proper language detection (#246) (@anderseknert)
- 031d292: Remove build.sh script (#247) (@anderseknert)
- 6f91381: Use docs.styra.com for published docs (#249) (@anderseknert)
v0.6.0
This release brings a new command for quickly generating new (custom or built-in) rules, a new linter rule, and some improvements around tooling.
New command to help develop new rules
The regal new rule command may now be used to quickly get started developing your own rules, whether custom ones for your organization, or built-in rules for inclusion in Regal.
regal new rule --category naming --name foo-bar-baz
The above command will create two new files under .regal/rules/naming (creating any directories that don't already exist), where one is a policy for the new rule, and the other is a test for the same rule. See the updated documentation for custom rules development for more details.
New rule: non-raw-regex-pattern
Using raw string literals for regex patterns has long been a best practice, and is recommended both by the OPA docs as well as the Rego Style Guide. The new non-raw-regex-pattern rule (in the idiomatic category) will now help enforce this convention.
Pre-Commit Hooks
Regal now provides pre-commit hooks for easily running Regal as part of your development workflow. Very useful if you want to ensure regal lint is run before you commit any changes to policy files. See the docs on pre-commit hooks for more information. Thanks @adam-moss and @c-wygoda for your contributions to this feature.
Other notable changes
- The use-in-operator rule has been moved from the style category to idiomatic. Thanks @Parsifal-M!
- The documentation for all rules now includes a footer linking to the Regal channel in the Styra Community Slack.
- OPA version bumped from v0.54.0 to v0.55.0
Changelog
- 3b80295: Move use-in-operator to idiomatic category (@Parsifal-M)
- 60cffc3: Bump github.com/open-policy-agent/opa from 0.54.0 to 0.55.0 (#217) (@dependabot[bot])
- 52e8d5d: Some minor fixes (#218) (@anderseknert)
- f2ddc4e: feat: add pre-commit hook (#221) (@adam-moss)
- 9499689: Add self-downloading pre-commit hook (#226) (@c-wygoda)
- 520d67d: Move pre-commit docs to separate page (#227) (@anderseknert)
- 5020e41: Add community footer to docs pages (#228) (@anderseknert)
- c210d80: Rule: non-raw-regex-pattern (#225) (@anderseknert)
- 44cd7de: Scaffolding (#219) (@anderseknert)
v0.5.0
This release brings improvements and new features to improve the experience of authoring custom rules, as well as new, granular capabilities for ignoring files. Most of these improvements are directly based on feedback — and in some cases contributions — from Regal users, which is particularly exciting!
New functionality for ignoring files at a global level and rule level
In addition to setting the severity level of a rule in the Regal configuration file, it is now possible to have the linter ignore files based on their name (or a pattern). This configuration can be applied either globally for all rules, or per rule. An example of this could be wanting to allow the use of the print function in files with a _test.rego suffix, but not in any other files.
Example .regal/config.yaml
ignore:
  files:
    # ignore this file for all rules
    - sketch.rego
rules:
  testing:
    print-or-trace-call:
      level: error
      ignore:
        files:
          # ignore the print-or-trace-call rule in tests
          - "*_test.rego"
See the configuration section of the docs for more details. Thanks @kristiansvalland for this excellent contribution!
Custom rules authoring improvements
Based on feedback we got from users starting to write their own custom rules, we've made several updates to the docs on this topic, fixing the parts people found confusing, and added more examples showing e.g. the directory structure of a policy repo using custom Regal rules. Apart from documentation, we've also made it possible to have custom rules without a related_resources attribute in the metadata, as some might prefer to document their rules in code, or by other means.
Enhanced type checking of the input AST
This improves the authoring experience for both builtin and custom rules. The regal test command, which is commonly used when developing and testing new rules, now makes use of a schema for the input attribute, i.e. the AST. This allows the command to fail directly when unknown attributes on input are encountered in linter rules, due to typos or other mistakes.
To use this schema in custom rules, add a schemas attribute to the package annotation, using schema.regal.ast for the input:
# METADATA
# description: All packages must use "acme.corp" base name
# schemas:
#   - input: schema.regal.ast
package custom.regal.rules.naming["acme-corp-package"]

import future.keywords.contains
import future.keywords.if
import future.keywords.in

report contains violation if {
    # this will fail at compile time, as there is no 'functions' attribute
    # in the input AST
    some function in input.functions
    # ...
}
The schema is applied automatically for builtin rules.
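A complete custom rule that compiles against the schema described above, together with a test for it, as an added example that is not part of these release notes or of Regal's own code base: it enforces the "acme.corp" package-name convention from the metadata example. The `data.regal.result` helpers (`result.fail`, `result.location`) and the `regal.parse_module` built-in used in the test are assumed to match Regal's custom-rule API at this version; the file paths and package names are constructed for the example.

```rego
# --- file: .regal/rules/naming/acme-corp-package.rego (constructed path) ---
# METADATA
# description: All packages must use "acme.corp" base name
# schemas:
#   - input: schema.regal.ast
package custom.regal.rules.naming["acme-corp-package"]

import future.keywords.contains
import future.keywords.if

# Assumed: Regal's helpers for building a violation from rule metadata
import data.regal.result

# OPA parses `package acme.corp.authz` into a path whose first element is the
# implicit "data" root, so path[1] is the first user-visible component.
# Because input is declared as schema.regal.ast, a misspelled attribute such
# as input["package"].pth is rejected when `regal test` compiles the rule,
# instead of silently making the rule never match.
report contains violation if {
	not acme_corp_package

	violation := result.fail(rego.metadata.chain(), result.location(input["package"].path[1]))
}

# "package" is a keyword in Rego, so the attribute has to be accessed with
# bracket notation. A one-component package (path[2] undefined) also fails
# this rule, which is the desired outcome.
acme_corp_package if {
	input["package"].path[1].value == "acme"
	input["package"].path[2].value == "corp"
}

# --- file: .regal/rules/naming/acme-corp-package_test.rego (constructed path) ---
package custom.regal.rules.naming["acme-corp-package_test"]

import future.keywords.if

import data.custom.regal.rules.naming["acme-corp-package"] as rule

# Assumed: regal.parse_module is the built-in `regal test` provides for
# turning a policy string into the same AST the linter hands to rules.
test_report_on_package_outside_acme_corp if {
	module := regal.parse_module("policy.rego", `package foo.bar`)
	r := rule.report with input as module
	count(r) == 1
}

test_no_report_on_acme_corp_package if {
	module := regal.parse_module("policy.rego", `package acme.corp.authz`)
	r := rule.report with input as module
	count(r) == 0
}
```

Pointing regal test at the .regal/rules directory runs both tests; the two files are shown in one block only for readability and must live in separate files, since a Rego file has exactly one package declaration.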
Community
On the community side, we're excited to have @kristiansvalland join us as a maintainer!
Changelog
- 698c78e: Remove if rule comment, already in another file (#194) (@charlieegan3)
- 88757dc: ci/build: run on PRs (#198) (@srenatus)
- 59d0682: Add Regal bundle to test cmd runner (#197) (@kristiansvalland)
- 79b5434: Some README fixes (#195) (@anderseknert)
- 22943e7: Fix docs in custom-has-key-construct (#203) (@anderseknert)
- 42878a3: Fix unused-return-value config attribute (@anderseknert)
- 462ba0a: Enhanced type checking using Regal AST schema (#201) (@anderseknert)
- c35a1ab: Improve docs on custom rules authoring (#205) (@anderseknert)
- 7d46fc6: Update config.yaml example (#209) (@charlieegan3)
- 9bdbe30: Add functionality for ignoring files at a global level and rule level. (#200) (@kristiansvalland)
- 6fdb963: Custom rules may skip related_resources (#210) (@anderseknert)
v0.4.0
This release brings three new rules related to comments and metadata annotations:
- invalid-metadata-attribute (bugs category) flags custom attributes in metadata annotations not placed under the custom attribute.
- detached-metadata (style category) flags metadata annotations that are "detached" by whitespace from their package or rule.
- no-whitespace-comment (style category) simply flags comments where the first character following the # is not whitespace.
Additionally, new end-to-end tests exposed a few mistakes in a previous refactoring, which have been fixed. These mistakes meant that v0.3.0 failed to correctly run the line-length and function-arg-return rules... so if you started from that release you're really getting five new rules with v0.4.0... good thing we're keeping a fast paced release cadence! Thanks to @kristiansvalland for reporting on this regression.
Changelog
- 17bc200: Add no-whitespace-comment style rule (@anderseknert)
- 2f68245: Add invalid-metadata-attribute rule (@anderseknert)
- a093ff6: Bump github.com/open-policy-agent/opa from 0.53.1 to 0.54.0 (#189) (@dependabot[bot])
- 00c2455: New style rule: detached-metadata (#190) (@anderseknert)
- 147a373: Add codeql.yml (#184) (@anderseknert)
- cb516a4: Add e2e test of all rules (#192) (@anderseknert)
v0.3.0
This release improves the use-assignment-operator rule to include many more cases than previously reported.
Additionally, this release fixes a number of issues uncovered when running Regal against some large real-world policy libraries. A few of these were false positives, i.e. where Regal would report issues where there were none, and a few were cases that Regal previously missed.
On the community side, a link to the blog about the ideas behind Regal was added to the README.
Changelog
- 422bd80: Add link to blog (#173) (@anderseknert)
- cafd6b7: Refactor rule metadata logic (#174) (@anderseknert)
- 54b7669: Fix unconditional-assignment with else clause (#179) (@anderseknert)
- ebc5059: test-outside-test-package: functions prefixed test_ aren't tests (#177) (@anderseknert)
- 16f1894: Improve use-assignment-operator rule (#175) (@anderseknert)
- 64c99c6: external-reference: don't count wildcard as external ref (#181) (@anderseknert)
- 6dcc15e: Don't assume a single wildcard in custom-has-key-construct (#183) (@anderseknert)