@lukehinds
Created May 23, 2024 15:34
---
version: v1
type: rule-type
name: pylint_configured
severity:
  value: medium
context:
  provider: github
description: Verifies that Pylint is configured for the repository
guidance: |
  Ensure that Pylint is configured and enabled for the repository.
  Pylint provides static code analysis for Python repositories.
  It is recommended that repositories have some form of static code analysis
  enabled so that code quality is maintained.
  For more information, see: https://pylint.org
def:
  # Defines the section of the pipeline the rule will appear in.
  # This will affect the template used to render multiple parts
  # of the rule.
  in_entity: repository
  # Defines the schema for the settings that can be passed to this rule.
  # In this case there are no settings that need to be configured.
  rule_schema:
    type: object
    properties:
      python_matrix:
        type: array
        items:
          type: number
        description: |
          This option is no longer used. It stays marked as required only so
          that existing configurations keep validating (backwards compatibility).
        # Note: as numbers, 3.10 is read by YAML as 3.1. Quote the versions
        # ("3.10") if this field is ever put back into use.
        default: [3.8, 3.9, 3.10, 3.11, 3.12]
    required:
      - python_matrix
  # Defines the configuration for ingesting data relevant for the rule
  ingest:
    type: git
    git:
      branch: main
  eval:
    type: rego
    rego:
      type: deny-by-default
      def: |
        package minder

        ci_events := {"push", "pull_request"}

        # Allow when at least one workflow under .github/workflows runs Pylint
        # in an ubuntu-latest job that is triggered by a push or pull request.
        allow {
          # List and parse every workflow file
          workflows := file.ls("./.github/workflows")
          some w
          workflowstr := file.read(workflows[w])
          workflow := yaml.unmarshal(workflowstr)
          # The remediation below triggers on pull_request, so accept either event
          some event
          ci_events[event]
          triggered_on(workflow, event)
          # Any job name is acceptable (the remediation uses "pylint-code-quality").
          # "runs-on" must be indexed with brackets: job.runs-on would parse as
          # a subtraction.
          some name
          job := workflow.jobs[name]
          job["runs-on"] == "ubuntu-latest"
          # Match actions by prefix so that any pinned ref (tag or commit SHA) passes
          uses_action(job, "actions/checkout")
          uses_action(job, "actions/setup-python")
          # Match commands by substring: a "run: |" block ends with a newline,
          # so an exact string comparison would never succeed
          runs_command(job, "pip install pylint")
          runs_command(job, "pylint $(git ls-files '*.py')")
        }

        # The "on" key may hold a string, a list of events, or a map keyed by event.
        # Caveat: YAML 1.1 parsers read an unquoted "on" key as the boolean true,
        # in which case the key arrives as "true"; look under both.
        triggers(workflow) = t {
          t := object.get(workflow, "on", object.get(workflow, "true", {}))
        }

        triggered_on(workflow, event) { triggers(workflow) == event }
        triggered_on(workflow, event) {
          t := triggers(workflow)
          is_array(t)
          t[_] == event
        }
        triggered_on(workflow, event) {
          t := triggers(workflow)
          is_object(t)
          object.get(t, event, false) != false
        }

        uses_action(job, action) {
          startswith(job.steps[_].uses, sprintf("%s@", [action]))
        }

        runs_command(job, fragment) {
          contains(job.steps[_].run, fragment)
        }
  # Defines the configuration for alerting on the rule
  alert:
    type: security_advisory
    security_advisory: {}
  remediate:
    type: pull_request
    pull_request:
      title: "Add Pylint for code quality"
      body: |
        This is a Minder automated pull request.
        This pull request adds a GitHub Actions workflow that runs Pylint on each pull request.
      contents:
        - path: .github/workflows/pylint.yml
          action: replace
          content: |
            name: Pylint
            on:
              pull_request:
            jobs:
              pylint-code-quality:
                runs-on: ubuntu-latest
                name: Pylint
                strategy:
                  matrix:
                    # Quoted so that 3.10 is not read as the number 3.1
                    python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"]
                steps:
                  - name: Checkout
                    uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
                  - name: Set up Python ${{ matrix.python-version }}
                    # Pinned only to a mutable tag; pin to a commit SHA like the checkout step
                    uses: actions/setup-python@v3
                    with:
                      python-version: ${{ matrix.python-version }}
                  - name: Install dependencies
                    run: |
                      python -m pip install --upgrade pip
                      pip install pylint
                  - name: Analysing the code with pylint
                    run: |
                      pylint $(git ls-files '*.py')
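Added example, not part of the gist and not Minder's own evaluator: a stand-alone Python checker that applies the same conditions the rule above expresses in Rego (CI trigger, ubuntu-latest job, setup-python step, pylint installed and run) to a workflow file, so the rule can be tried locally against the gist's own remediation template. It assumes PyYAML is installed; the sample workflow is constructed from the remediation `content` block; it accepts either `push` or `pull_request` since the remediation template triggers on `pull_request`; it handles the YAML 1.1 quirk that turns an unquoted `on` key into the boolean `True`; and it additionally reports `uses:` references not pinned to a full commit SHA, which the rule itself does not check.

```python
"""Local re-implementation of the pylint_configured checks (hypothetical helper,
not Minder's evaluator). Requires PyYAML: pip install pyyaml."""
import re
import yaml

# Constructed sample input: the workflow the rule's remediation would commit.
SAMPLE_WORKFLOW = """\
name: Pylint
on:
  pull_request:
jobs:
  pylint-code-quality:
    runs-on: ubuntu-latest
    name: Pylint
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v3
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install pylint
      - name: Analysing the code with pylint
        run: |
          pylint $(git ls-files '*.py')
"""

CI_EVENTS = {"push", "pull_request"}
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def triggers(workflow):
    """Return the set of events a workflow runs on.

    YAML 1.1 parsers such as PyYAML read an unquoted `on` key as the boolean
    True, so a checker that only looks up "on" silently sees no triggers.
    """
    raw = workflow.get("on", workflow.get(True))
    if raw is None:
        return set()
    if isinstance(raw, str):        # on: push
        return {raw}
    if isinstance(raw, list):       # on: [push, pull_request]
        return set(raw)
    return set(raw.keys())          # on: {pull_request: ...}


def pylint_jobs(workflow):
    """Names of ubuntu-latest jobs that set up Python, install pylint and run it."""
    found = []
    for name, job in (workflow.get("jobs") or {}).items():
        if job.get("runs-on") != "ubuntu-latest":
            continue
        steps = job.get("steps") or []
        uses = [s.get("uses", "") for s in steps]
        runs = [s.get("run", "") for s in steps]
        # Prefix match on the action so any ref (tag or SHA) is accepted;
        # multi-line "run: |" blocks are searched line by line.
        if (any(u.startswith("actions/setup-python@") for u in uses)
                and any("pip install pylint" in r for r in runs)
                and any(re.search(r"^\s*pylint\b", r, re.M) for r in runs)):
            found.append(name)
    return found


def unpinned_actions(workflow):
    """`uses:` references not pinned to a full 40-hex commit SHA (tags and branches move)."""
    out = []
    for job in (workflow.get("jobs") or {}).values():
        for step in job.get("steps") or []:
            ref = step.get("uses") or ""
            if "@" not in ref:      # local or docker:// actions are not versioned this way
                continue
            if not FULL_SHA.match(ref.rsplit("@", 1)[1]):
                out.append(ref)
    return out


def evaluate(workflow_text):
    """Apply the rule's conditions to one workflow file and return a report."""
    wf = yaml.safe_load(workflow_text) or {}
    events = triggers(wf)
    jobs = pylint_jobs(wf)
    return {
        "allow": bool(events & CI_EVENTS) and bool(jobs),
        "triggers": sorted(events),
        "pylint_jobs": jobs,
        "unpinned": unpinned_actions(wf),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(SAMPLE_WORKFLOW), indent=2))
```

Run against the sample, the report allows the workflow but lists `actions/setup-python@v3` as unpinned, which is the one supply-chain weakness in the remediation template: the checkout step is pinned to a commit SHA, the setup-python step only to a tag that the upstream project can move.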