@prabhu
Created April 3, 2021 12:25
OPA Rego policy for a branch-specific ShiftLeft gate
package shiftleft

# CI gate policy: `allow` is the decision consumers query. It stays true
# unless one of the branch-specific `allow = false` rules below fires.
# NOTE(review): this default is fail-open. If `findings` ends up undefined
# (unexpected response shape, missing env var, empty token) every rule body
# that references it is undefined and the gate passes. Confirm that is the
# intended posture for a security gate before relying on it.
default allow = true

# Environment of the running OPA process; the app name, the API token and
# GITHUB_REF (used by the `branch` rules) are all read from it.
runtime := opa.runtime()
sl_app_name := runtime.env.SHIFTLEFT_APP
sl_access_token := runtime.env.SHIFTLEFT_ACCESS_TOKEN

# io.jwt.decode only parses the token (no signature check); it is used here
# solely to read the org id from the claims (index 1 of the decoded triple).
# The API call below is what actually authenticates the token.
payload := io.jwt.decode(sl_access_token)
sl_org_id := payload[1].orgID

# The bearer token is sent to the ShiftLeft API; keep it out of any debug
# output of this policy (e.g. do not trace `headers`).
headers := {"Content-Type": "application/json", "Authorization": sprintf("Bearer %s", [sl_access_token])}

# A single page of at most 249 findings. NOTE(review): there is no paging,
# so an app with more findings than one page holds is only partially
# checked by the rules below — confirm against the API's paging fields.
url := sprintf("https://www.shiftleft.io/api/v4/orgs/%s/apps/%s/findings?per_page=249", [sl_org_id, sl_app_name])

# No `raise_error: false`, so a transport failure presumably aborts the whole
# evaluation (an error, not a silent allow); a non-2xx body, however, just
# leaves `findings` undefined and falls into the fail-open default above.
http_response := http.send({"method": "get", "headers": headers, "url": url})

# `scan` is exported but not referenced by any rule in this file.
scan := http_response.body.response.scan
findings := http_response.body.response.findings
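# branch classifies the current CI run from GITHUB_REF: "pr" when the ref
# mentions "pull", "release" when it mentions "release", "master" otherwise
# (also when GITHUB_REF is not set at all, since the rule bodies are then
# undefined and the default applies).
# A ref that matches both substrings (e.g. a branch named release-pull-fix)
# used to make both rules fire, which is a conflict error for a complete
# rule; "pr" now takes precedence so the rule always has exactly one value.
# NOTE(review): substring matching is loose — any branch containing "pull"
# or "release" is classified, not just refs/pull/<n>/merge.
default branch = "master"

branch = "pr" {
	contains(runtime.env.GITHUB_REF, "pull")
}

branch = "release" {
	contains(runtime.env.GITHUB_REF, "release")
	not contains(runtime.env.GITHUB_REF, "pull")
}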
# has_findings holds when the fetched findings collection is non-empty;
# undefined (not false) when `findings` itself is undefined.
has_findings {
	count(findings) != 0
}
# has_critical_findings holds when at least one finding carries
# severity "critical".
has_critical_findings {
	some i
	findings[i].severity == "critical"
}
# has_non_info_findings holds when at least one finding is "critical" or
# "moderate". The two severities are listed explicitly rather than testing
# `!= "info"`, so any other severity value the API might return is ignored
# — presumably the only three levels are critical/moderate/info; verify.
has_non_info_findings {
	gating_severities := {"critical", "moderate"}
	gating_severities[findings[_].severity]
}
# list_critical_findings maps finding id -> title for every finding with
# severity "critical"; useful as a human-readable companion to
# has_critical_findings.
list_critical_findings[id] = title {
	some i
	finding := findings[i]
	finding.severity == "critical"
	id := finding.id
	title := finding.title
}
# list_app_critical_findings maps finding id -> title for the application
# findings this policy treats as critical: XSS findings rated "critical",
# and every Deserialization finding regardless of its severity (no severity
# check in the second rule — presumably deliberate; confirm).
list_app_critical_findings[id] = title {
	some i
	finding := findings[i]
	finding.category == "XSS"
	finding.severity == "critical"
	id := finding.id
	title := finding.title
}

list_app_critical_findings[id] = title {
	some i
	finding := findings[i]
	finding.category == "Deserialization"
	id := finding.id
	title := finding.title
}
# has_branch_findings is the per-branch gating condition: master blocks on
# any finding, pr only on critical findings, release on anything above info.
# It is undefined (never false) when `findings` is undefined.
has_branch_findings { branch == "master"; has_findings }

has_branch_findings { branch == "pr"; has_critical_findings }

has_branch_findings { branch == "release"; has_non_info_findings }
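# allow is false exactly when has_branch_findings holds for the current
# branch (master: any finding, pr: critical findings, release: critical or
# moderate findings). The three per-branch bodies previously duplicated
# has_branch_findings verbatim; delegating to it keeps the gate and the
# helper from drifting apart. When has_branch_findings is undefined the
# `default allow = true` declared above applies.
allow = false {
	has_branch_findings
}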