feat(policy): migrate policies to Rego v1 syntax (#127)

Author: Dieter Bocklandt

.github/actions/action.yaml

@@ -5,6 +5,6 @@ branding:
   color: "green"
 runs:
   using: 'docker'
-  image: 'docker://openpolicyagent/conftest:v0.24.0'
+  image: 'docker://openpolicyagent/conftest:v0.60.0'
   args:
   - verify

policy/docker/deny_curl_bashing.rego

@@ -1,17 +1,19 @@
 package docker
 
+import rego.v1
+
 import data.docker
 import data.lib as l
 
 check06 := "DOCKER_06"
 
-exception[rules] {
+exception contains rules if {
 	make_exception(check06)
 	rules = ["curl_bashing"]
 }
 
 # DENY(DOCKER_06): Avoid curl bashing, use a trusted source and verify hash
-deny_curl_bashing[msg] {
+deny_curl_bashing contains msg if {
 	docker.runs[run]
 	regex.match("(curl|wget).*[|>].*", lower(run))
 	msg = sprintf("%s: Avoid curl/wget bashing (%s). More info: %s", [check06, run, l.get_url(check06)])

policy/docker/deny_curl_bashing_test.rego

@@ -1,8 +1,10 @@
 package docker
 
+import rego.v1
+
 import data.testing as t
 
-test_avoid_curl_bashing {
+test_avoid_curl_bashing if {
 	curl_bash := [
 		{
 			"Cmd": "run",
@@ -23,16 +25,14 @@ test_avoid_curl_bashing {
 	t.error_count(deny_curl_bashing, 2) with input as curl_bash
 }
 
-test_allow_curl_without_pipe {
-	curl_bash := [
-		{
-			"Cmd": "run",
-			"Flags": [],
-			"JSON": false,
-			"SubCmd": "",
-			"Value": ["curl", "https://some-url.com"],
-		},
-	]
+test_allow_curl_without_pipe if {
+	curl_bash := [{
+		"Cmd": "run",
+		"Flags": [],
+		"JSON": false,
+		"SubCmd": "",
+		"Value": ["curl", "https://some-url.com"],
+	}]
 
 	t.no_errors(deny_curl_bashing) with input as curl_bash
 }

policy/docker/deny_not_specifying_user.rego

@@ -1,17 +1,19 @@
 package docker
 
+import rego.v1
+
 import data.docker
 import data.lib as l
 
 check01 := "DOCKER_01"
 
-exception[rules] {
+exception contains rules if {
 	make_exception(check01)
 	rules = ["no_user"]
 }
 
 # DENY(DOCKER_01): if USER is not specified in the Dockerfile it will use root implicitly
-deny_no_user[msg] {
+deny_no_user contains msg if {
 	not is_user
 	msg = sprintf("%s: Please specify a USER, root is not permitted. More info: %s", [check01, l.get_url(check01)])
 }

policy/docker/deny_not_specifying_user_test.rego

@@ -1,9 +1,11 @@
 package docker
 
+import rego.v1
+
 import data.testing as t
 
-test_deny_no_user {
-	input := [
+test_deny_no_user if {
+	inp := [
 		{
 			"Cmd": "from",
 			"Flags": [],
@@ -20,5 +22,5 @@ test_deny_no_user {
 		},
 	]
 
-	t.error_count(deny_no_user, 1) with input as input
+	t.error_count(deny_no_user, 1) with input as inp
 }

policy/docker/deny_port_out_of_range.rego

@@ -1,22 +1,25 @@
 package docker
 
+import rego.v1
+
 import data.docker
 import data.lib as l
 
 check07 := "DOCKER_07"
 
-exception[rules] {
+exception contains rules if {
 	make_exception(check07)
 	rules = ["port_out_of_range"]
 }
 
 # DENY(DOCKER_07): Port number out of range - https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
-port_in_range {
+port_in_range if {
 	docker.exposes[expose]
-	all([to_number(expose) > 0, to_number(expose) < 65535])
+	to_number(expose) > 0
+	to_number(expose) < 65535
 }
 
-deny_port_out_of_range[msg] {
+deny_port_out_of_range contains msg if {
 	docker.exposes[expose]
 	not port_in_range
 	msg = sprintf("%s: Port number out of range (0-65535). More info: %s", [check07, l.get_url(check07)])

policy/docker/deny_port_out_of_range_test.rego

@@ -1,9 +1,11 @@
 package docker
 
+import rego.v1
+
 import data.testing as t
 
-test_port_out_of_range {
-	input := [
+test_port_out_of_range if {
+	inp := [
 		{
 			"Cmd": "from",
 			"Flags": [],
@@ -20,5 +22,5 @@ test_port_out_of_range {
 		},
 	]
 
-	t.error_count(deny_port_out_of_range, 1) with input as input
+	t.error_count(deny_port_out_of_range, 1) with input as inp
 }

policy/docker/deny_sudo_usage.rego

@@ -1,17 +1,19 @@
 package docker
 
+import rego.v1
+
 import data.docker
 import data.lib as l
 
 check04 := "DOCKER_04"
 
-exception[rules] {
+exception contains rules if {
 	make_exception(check04)
 	rules = ["sudo_usage"]
 }
 
 # DENY(DOCKER_04): Do not allow usage of sudo
-deny_sudo_usage[msg] {
+deny_sudo_usage contains msg if {
 	docker.runs[run]
 	contains(lower(run), "sudo")
 	msg = sprintf("%s: Avoid using 'sudo' command (%s). More info: %s", [check04, run, l.get_url(check04)])

policy/docker/deny_sudo_usage_test.rego

@@ -1,9 +1,11 @@
 package docker
 
+import rego.v1
+
 import data.testing as t
 
-test_deny_sudo_usage {
-	input := [
+test_deny_sudo_usage if {
+	inp := [
 		{
 			"Cmd": "from",
 			"Flags": [],
@@ -20,5 +22,5 @@ test_deny_sudo_usage {
 		},
 	]
 
-	t.error_count(deny_sudo_usage, 1) with input as input
+	t.error_count(deny_sudo_usage, 1) with input as inp
 }

policy/docker/deny_using_add.rego

@@ -1,17 +1,19 @@
 package docker
 
+import rego.v1
+
 import data.docker
 import data.lib as l
 
 check05 := "DOCKER_05"
 
-exception[rules] {
+exception contains rules if {
 	make_exception(check05)
 	rules = ["using_add"]
 }
 
 # DENY(DOCKER_05): Use ADD instead of COPY - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy
-deny_using_add[msg] {
+deny_using_add contains msg if {
 	docker.adds[add]
 	msg = sprintf("%s: Use COPY instead of ADD. More info: %s", [check05, l.get_url(check05)])
 }