From ba5cfdb9bbbdaaa1cb3b3c8f3e2faa07a42e50d1 Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Wed, 9 Apr 2025 10:55:02 +0600
Subject: [PATCH 1/2] chore: pass schemas to opa test
Signed-off-by: Nikita Pivkin
---
 .gitignore | 1 +
 Makefile | 13 +++++++++++--
 examples/serverless/python2.rego | 2 --
 examples/terraform-plan/asg_capacity.rego | 2 --
 4 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/.gitignore b/.gitignore
index 236ce5bf9..723dfb844 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 bundle.tar.gz
 opa
+schemas
 .idea
 .vscode
diff --git a/Makefile b/Makefile
index c3423b303..b928429e4 100644
--- a/Makefile
+++ b/Makefile
@@ -17,6 +17,15 @@ test:
 test-integration:
 go test -v -timeout 5m -tags=integration ./integration/...
+.PHONY: download-schemas
+download-schemas:
+ @schemas_path=schemas ; \
+ base_url=https://raw.githubusercontent.com/aquasecurity/trivy/main/pkg/iac/rego/schemas ; \
+ mkdir -p $$schemas_path ; \
+ for file in cloud.json dockerfile.json kubernetes.json ; do \
+ wget -q -O $$schemas_path/$$file $$base_url/$$file ; \
+ done
+
 .PHONY: rego
 rego: fmt-rego check-rego lint-rego test-rego docs
@@ -25,8 +34,8 @@ fmt-rego:
 go run ./cmd/opa fmt -w lib/ checks/ examples/ .regal/rules
 .PHONY: test-rego
-test-rego: go run ./cmd/opa test --explain=fails lib/ checks/ examples/ --ignore '*.yaml'
+test-rego: download-schemas go run ./cmd/opa test --explain=fails lib/ checks/ examples/ --ignore '*.yaml' -s schemas
 .PHONY: check-rego
 check-rego:
diff --git a/examples/serverless/python2.rego b/examples/serverless/python2.rego
index cb6a777e1..ab4f1ff72 100644
--- a/examples/serverless/python2.rego
+++ b/examples/serverless/python2.rego
@@ -8,8 +8,6 @@
 # Ensure that you use a supported runtime version, such as Python 3.x,
 # to maintain the security and reliability of your serverless application.
 # scope: package
-# schemas:
-# - input: schema["yaml"]
 # related_resources:
 # - https://www.python.org/doc/sunset-python-2/
 # custom:
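Review bot: The download-schemas recipe in the Makefile hunk @@ -17,6 +17,15 @@ fetches cloud.json, dockerfile.json and kubernetes.json from the `main` branch of the upstream Trivy repository with `wget -q` and no integrity check, so the opa run that consumes them validates the checks against whatever that branch holds at that moment, and because the directory is gitignored in the same commit the schema content is never reviewed in this repository. A failed download also does not fail the target: with `-O` wget leaves an empty file behind, `-q` hides the error, and the recipe's exit status is that of the last loop iteration only (unless the Makefile sets `.SHELLFLAGS` with `-e` somewhere outside this hunk), so a later `-s schemas` run would see truncated schemas. Pinning the ref and stopping on the first failure makes this reproducible: `base_url=https://raw.githubusercontent.com/aquasecurity/trivy/<PINNED_REF>/pkg/iac/rego/schemas ; \` and `wget -q -O "$$schemas_path/$$file" "$$base_url/$$file" || exit 1 ; \`. Recording a checksum per file next to the pin would additionally detect a modified upstream file.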
diff --git a/examples/terraform-plan/asg_capacity.rego b/examples/terraform-plan/asg_capacity.rego
index 64a7cb312..8117bdb69 100644
--- a/examples/terraform-plan/asg_capacity.rego
+++ b/examples/terraform-plan/asg_capacity.rego
@@ -6,8 +6,6 @@
 #
 # Ensure that the desired capacity for Auto Scaling Groups is set to a reasonable value, typically within limits defined by your organization.
 # scope: package
-# schemas:
-# - input: schema["json"]
 # related_resources:
 # - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group
 # custom:
From 2f374485fe17e8bf5533effded4e3756171e830f Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Mon, 26 May 2025 17:01:31 +0600
Subject: [PATCH 2/2] pass schemas to 'opa check'
Signed-off-by: Nikita Pivkin
---
 Makefile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index b928429e4..be9e14ab4 100644
--- a/Makefile
+++ b/Makefile
@@ -34,12 +34,12 @@ fmt-rego:
 go run ./cmd/opa fmt -w lib/ checks/ examples/ .regal/rules
 .PHONY: test-rego
-test-rego: download-schemas go run ./cmd/opa test --explain=fails lib/ checks/ examples/ --ignore '*.yaml' -s schemas
+test-rego: go run ./cmd/opa test --explain=fails lib/ checks/ examples/ --ignore '*.yaml'
 .PHONY: check-rego
-check-rego: @go run ./cmd/opa check lib checks --v0-v1 --strict
+check-rego: download-schemas @go run ./cmd/opa check lib checks --v0-v1 --strict -s schemas
 .PHONY: lint-rego
 lint-rego: check-rego
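Review bot: Making `check-rego` depend on `download-schemas` in the PATCH 2/2 Makefile hunk means `lint-rego` (declared as `lint-rego: check-rego` at the end of the hunk) and the `rego` aggregate target now need network access and refetch the schemas on every invocation, and `opa check --strict -s schemas` can start failing without any change in this repository because the fetched schemas track upstream `main`. If a single fetch is the intent, making `check-rego` depend on the three schema files themselves, with a rule that runs the download only when a file is absent, removes the repeated download and gives offline runs a clear error instead of a silent empty-file mismatch. A short comment above `check-rego`, such as `# schemas/ is fetched from upstream Trivy (not vendored); see download-schemas`, would tell a reader where an unexpected `opa check` schema error comes from.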