Created
May 23, 2024 15:34
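---
version: v1
type: rule-type
name: pylint_configured
severity:
  value: medium
context:
  provider: github
description: Verifies that Pylint is configured for the repository
guidance: |
  Ensure that Pylint is configured and enabled for the repository.
  Pylint enables static code analysis for Python repositories.
  It is recommended that repositories have some form of static code analysis enabled
  to ensure that code quality is maintained.
  For more information, see: https://pylint.org
def:
  # Defines the section of the pipeline the rule will appear in.
  # This will affect the template used to render multiple parts
  # of the rule.
  in_entity: repository
  # Defines the schema for writing a rule with this rule being checked.
  # python_matrix is the list of Python versions the workflow's
  # strategy.matrix is compared against by the Rego below.
  rule_schema:
    type: object
    properties:
      # NOTE(review): the description says this option is unused, but the Rego
      # below still compares it against the workflow's strategy matrix — confirm.
      # YAML reads the unquoted number 3.10 as 3.1 (trailing zero dropped);
      # string items would avoid that, at the cost of a schema change.
      python_matrix:
        type: array
        items:
          type: number
        description: |
          This option is no longer used. It's, however marked as required, so we can't remove
          it for backwards compatibility.
        default: [3.8, 3.9, 3.10, 3.11, 3.12]
    required:
      - python_matrix
  # Defines the configuration for ingesting data relevant for the rule
  ingest:
    type: git
    git:
      branch: main
  eval:
    type: rego
    rego:
      type: deny-by-default
      def: |
        package minder

        # deny-by-default: the repository passes only when at least one workflow
        # under .github/workflows has a "build" job that runs Pylint across the
        # configured Python matrix. Each required step is checked by its own
        # helper rule below.
        allow {
            # List and parse every workflow file
            workflows := file.ls("./.github/workflows")
            some w
            workflow := yaml.unmarshal(file.read(workflows[w]))

            # Ensure workflow is triggered on push.
            # NOTE(review): this matches only when `on` is a list of event names;
            # the mapping form (`on: {push: ...}`) yields its values here, not its
            # keys. Some YAML 1.1 parsers also read the bare key `on` as boolean
            # true — confirm against yaml.unmarshal before relying on this.
            workflow.on[_] == "push"

            # Ensure the workflow has the correct job configuration.
            # `runs-on` must be bracket-indexed: `job.runs-on` parses as `job.runs - on`.
            job := workflow.jobs.build
            job["runs-on"] == "ubuntu-latest"

            # Ensure the job has the correct strategy matrix for Python versions
            job.strategy.matrix["python-version"] == input.python_matrix

            # Ensure the job has the necessary steps, each with the expected
            # action or command. These are separate rules because each must
            # match its own step; asserting them all on a single step (as in
            # a single `some i` block) can never be satisfied.
            has_checkout_step(job)
            has_setup_python_step(job)
            has_install_dependencies_step(job)
            has_pylint_step(job)
        }

        # Some step checks out the repository. Only the action name is checked;
        # the ref after "@" (tag or commit SHA) is not verified here.
        has_checkout_step(job) {
            some i
            startswith(job.steps[i].uses, "actions/checkout@")
        }

        # Some step sets up Python via actions/setup-python using the matrix version.
        has_setup_python_step(job) {
            some i
            step := job.steps[i]
            step.name == "Set up Python ${ matrix.python-version }"
            startswith(step.uses, "actions/setup-python@")
            step["with"]["python-version"] == "${ matrix.python-version }"
        }

        # Some step installs pylint. trim_space drops the trailing newline that a
        # `run: |` block scalar keeps, so only the commands are compared.
        has_install_dependencies_step(job) {
            some i
            step := job.steps[i]
            step.name == "Install dependencies"
            trim_space(step.run) == "python -m pip install --upgrade pip\npip install pylint"
        }

        # Some step runs pylint over all tracked .py files.
        has_pylint_step(job) {
            some i
            step := job.steps[i]
            step.name == "Analysing the code with pylint"
            trim_space(step.run) == "pylint $(git ls-files '*.py')"
        }
  # Defines the configuration for alerting on the rule
  alert:
    type: security_advisory
    security_advisory: {}
  remediate:
    type: pull_request
    pull_request:
      title: "Add Pylint for code quality"
      body: |
        This is a Minder automated pull request.
        This pull request adds a GitHub actions workflow that runs Pylint on each pull request
      # NOTE(review): the workflow written below does not satisfy the Rego check
      # above as written: its job is named pylint-code-quality (the rule expects
      # jobs.build), it triggers on pull_request (the rule expects push), its step
      # name uses ${{ }} where the rule expects ${ }, and it references
      # matrix.python-version without declaring strategy.matrix. Confirm which
      # side is intended before relying on remediation to make the rule pass.
      # NOTE(review): setup-python is pinned to the mutable tag v3 while checkout
      # is pinned to a commit SHA; pinning both to SHAs gives the same
      # supply-chain guarantee. `pip install pylint` is likewise unpinned.
      contents:
        - path: .github/workflows/pylint.yml
          action: replace
          content: |
            name: Pylint
            on:
              pull_request:
            jobs:
              pylint-code-quality:
                runs-on: ubuntu-latest
                name: Pylint
                steps:
                  - name: Checkout
                    uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
                  - name: Set up Python ${{ matrix.python-version }}
                    uses: actions/setup-python@v3
                    with:
                      python-version: ${{ matrix.python-version }}
                  - name: Install dependencies
                    run: |
                      python -m pip install --upgrade pip
                      pip install pylint
                  - name: Analysing the code with pylint
                    run: |
                      pylint $(git ls-files '*.py')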