prabhu/shiftleft-branch.rego

## shiftleft-branch.rego
package shiftleft

default allow = true

runtime := opa.runtime()
sl_app_name := runtime.env.SHIFTLEFT_APP
sl_access_token := runtime.env.SHIFTLEFT_ACCESS_TOKEN
payload := io.jwt.decode(sl_access_token)
sl_org_id := payload[1].orgID
headers := {"Content-Type": "application/json", "Authorization": sprintf("Bearer %s", [sl_access_token])}
url := sprintf("https://www.shiftleft.io/api/v4/orgs/%s/apps/%s/findings?per_page=249", [sl_org_id, sl_app_name])
http_response := http.send({"method": "get", "headers": headers, "url": url})

scan := http_response.body.response.scan
findings := http_response.body.response.findings

default branch = "master"
branch = "pr" {
    contains(runtime.env.GITHUB_REF, "pull")
}
branch = "release" {
    contains(runtime.env.GITHUB_REF, "release")
}

has_findings = true {
    count(findings) > 0
}

has_critical_findings = true {
    findings[_].severity == "critical"
}

has_non_info_findings = true {
    findings[_].severity == "critical"
}

has_non_info_findings = true {
    findings[_].severity == "moderate"
}

list_critical_findings[finding.id] = finding.title {
    finding := findings[_]
    finding.severity == "critical"
}

list_app_critical_findings[finding.id] = finding.title {
    finding := findings[_]
    finding.category == "XSS"
    finding.severity == "critical"
}

list_app_critical_findings[finding.id] = finding.title {
    finding := findings[_]
    finding.category == "Deserialization"
}

has_branch_findings {
    branch == "master"
    has_findings
}

has_branch_findings {
    branch == "pr"
    has_critical_findings
}

has_branch_findings {
    branch == "release"
    has_non_info_findings
}

allow = false {
    branch == "master"
    has_findings
}

allow = false {
    branch == "pr"
    has_critical_findings
}

allow = false {
    branch == "release"
    has_non_info_findings
}
	package shiftleft

	default allow = true

	runtime := opa.runtime()
	sl_app_name := runtime.env.SHIFTLEFT_APP
	sl_access_token := runtime.env.SHIFTLEFT_ACCESS_TOKEN
	payload := io.jwt.decode(sl_access_token)
	sl_org_id := payload[1].orgID
	headers := {"Content-Type": "application/json", "Authorization": sprintf("Bearer %s", [sl_access_token])}
	url := sprintf("https://www.shiftleft.io/api/v4/orgs/%s/apps/%s/findings?per_page=249", [sl_org_id, sl_app_name])
	http_response := http.send({"method": "get", "headers": headers, "url": url})

	scan := http_response.body.response.scan
	findings := http_response.body.response.findings

	default branch = "master"
	branch = "pr" {
	contains(runtime.env.GITHUB_REF, "pull")
	}
	branch = "release" {
	contains(runtime.env.GITHUB_REF, "release")
	}

	has_findings = true {
	count(findings) > 0
	}

	has_critical_findings = true {
	findings[_].severity == "critical"
	}

	has_non_info_findings = true {
	findings[_].severity == "critical"
	}

	has_non_info_findings = true {
	findings[_].severity == "moderate"
	}

	list_critical_findings[finding.id] = finding.title {
	finding := findings[_]
	finding.severity == "critical"
	}

	list_app_critical_findings[finding.id] = finding.title {
	finding := findings[_]
	finding.category == "XSS"
	finding.severity == "critical"
	}

	list_app_critical_findings[finding.id] = finding.title {
	finding := findings[_]
	finding.category == "Deserialization"
	}

	has_branch_findings {
	branch == "master"
	has_findings
	}

	has_branch_findings {
	branch == "pr"
	has_critical_findings
	}

	has_branch_findings {
	branch == "release"
	has_non_info_findings
	}

	allow = false {
	branch == "master"
	has_findings
	}

	allow = false {
	branch == "pr"
	has_critical_findings
	}

	allow = false {
	branch == "release"
	has_non_info_findings
	}