Skip to content

Feature: support ruletype definitions as rego + metadata#6558

Open
evankanderson wants to merge 6 commits into
mindersec:mainfrom
evankanderson:rego-style-rules
Open

Feature: support ruletype definitions as rego + metadata#6558
evankanderson wants to merge 6 commits into
mindersec:mainfrom
evankanderson:rego-style-rules

Conversation

@evankanderson

Copy link
Copy Markdown
Member

Summary

I've talked about this for several months, but some of the recent Rego v1 migrations made me pull the trigger.

This allows Rego ruletypes to be defined as standard .rego files (so that opa fmt, etc will work on them), and includes the Minder Ruletype metadata via the OPA metadata convention.

Testing

Added integration tests for the various Minder commands.

Still TODO: documentation for the different file formats supported by Minder (DataSources, Profiles, and two filetypes for RuleTypes).

@coveralls

coveralls commented Jul 1, 2026

Copy link
Copy Markdown

Coverage Status

Coverage is 60.772%evankanderson:rego-style-rules into mindersec:main. No base build found for mindersec:main.

if proj != "" {
if r.Context == nil {
r.Context = &minderv1.Context{}
for _, resource := range resources {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we return an error when an explicitly provided file contains no resources? ReadFromPath returns an empty slice on EOF, so an empty YAML or Rego file currently makes ruletype create/apply exit successfully without doing anything. That feels especially confusing for automation.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, good point!

Added a test for this case as well.

# eval:
# rego:
# type: 'deny-by-default'
package minder

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This second package minder makes the fixture invalid Rego; opa fmt --fail reports unexpected package here. Could we move the metadata before the original package declaration and keep only one package statement? The duplicate fixture under cmd/cli/app/fixture has the same problem.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, it turns out that the metadata comment after the package makes the annotation technically associated with the import line rather than the package line.

I ran opa check and opa fmt on all the sample rego files.

"repo": input.properties["github/repo_name"],
"pr": input.properties["github/pr_number"],
})
comment contains "badword"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fixture still fails opa check. With import rego.v1, the rule on line 30 needs the v1 contains ... if form, and line 36 should use contains(comment, "badword"). Could we make the fixture valid so the successful conversion test represents a rule the server can actually accept?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes on making the fixture valid. I don't really want the client to actually check the Rego with an embedded toolchain, because that may end up blocking valid future rules if the server is upgraded, but the user is using an old client. (As someone who has multiple gardens of tools on different machines, I often end up with out-of-date tools somewhere.)

@dakshhhhh16

Copy link
Copy Markdown
Contributor

It's good to go I think

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants