Add include option to CLI and config file (#289)

Talgarr · web-flow · commit a4868eeafe00 · 2025-04-24T14:03:27.000-04:00
* Add include option to CLI and config file
diff --git a/.poutine.sample.yml b/.poutine.sample.yml
@@ -47,3 +47,10 @@ skipExamples:
 # skip findings by OSV ID
 - osv_id:
   - GHSA-mcph-m25j-8j63
+
+
+# includes only this set of rules
+allowedRules:
+- "pr_runs_on_self_hosted"
+- "unpinnable_action"
+- "github_action_from_unverified_creator_used"
diff --git a/cmd/root.go b/cmd/root.go
@@ -38,6 +38,7 @@ var token string
 var cfgFile string
 var config *models.Config = models.DefaultConfig()
 var skipRules []string
+var allowedRules []string
 
 var legacyFlags = []string{"-token", "-format", "-verbose", "-scm", "-scm-base-uri", "-threads"}
 
@@ -115,6 +116,7 @@ func init() {
 	rootCmd.PersistentFlags().VarP(&ScmBaseURL, "scm-base-url", "b", "Base URI of the self-hosted SCM instance (optional)")
 	rootCmd.PersistentFlags().BoolVarP(&config.Quiet, "quiet", "q", false, "Disable progress output")
 	rootCmd.PersistentFlags().StringSliceVar(&skipRules, "skip", []string{}, "Adds rules to the configured skip list for the current run (optional)")
+	rootCmd.PersistentFlags().StringSliceVar(&allowedRules, "allowed-rules", []string{}, "Overwrite the configured allowedRules list for the current run (optional)")
 
 	viper.BindPFlag("quiet", rootCmd.PersistentFlags().Lookup("quiet"))
 }
@@ -192,6 +194,9 @@ func newOpa(ctx context.Context) (*opa.Opa, error) {
 	if len(skipRules) > 0 {
 		config.Skip = append(config.Skip, models.ConfigSkip{Rule: skipRules})
 	}
+	if len(allowedRules) > 0 {
+		config.AllowedRules = allowedRules
+	}
 	opaClient, err := opa.NewOpa(ctx, config)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to create OPA client")
diff --git a/models/config.go b/models/config.go
@@ -23,11 +23,12 @@ type ConfigInclude struct {
 }
 
 type Config struct {
-	Skip        []ConfigSkip                      `json:"skip"`
-	Include     []ConfigInclude                   `json:"include"`
-	IgnoreForks bool                              `json:"ignore_forks"`
-	Quiet       bool                              `json:"quiet,omitempty"`
-	RulesConfig map[string]map[string]interface{} `json:"rules_config"`
+	Skip         []ConfigSkip                      `json:"skip"`
+	AllowedRules []string                          `json:"allowed_rules"`
+	Include      []ConfigInclude                   `json:"include"`
+	IgnoreForks  bool                              `json:"ignore_forks"`
+	Quiet        bool                              `json:"quiet,omitempty"`
+	RulesConfig  map[string]map[string]interface{} `json:"rules_config"`
 }
 
 func DefaultConfig() *Config {
diff --git a/opa/opa.go b/opa/opa.go
@@ -43,8 +43,7 @@ func NewOpa(ctx context.Context, config *models.Config) (*Opa, error) {
 		}),
 	}
 
-	err := newOpa.WithConfig(ctx, config)
-	if err != nil {
+	if err := newOpa.WithConfig(ctx, config); err != nil {
 		return nil, fmt.Errorf("failed to set opa with config: %w", err)
 	}
 
@@ -55,8 +54,7 @@ func NewOpa(ctx context.Context, config *models.Config) (*Opa, error) {
 		}
 	}
 
-	err = newOpa.Compile(ctx, subset)
-	if err != nil {
+	if err := newOpa.Compile(ctx, subset, config.AllowedRules); err != nil {
 		return nil, fmt.Errorf("failed to initialize opa compiler: %w", err)
 	}
 
@@ -87,20 +85,31 @@ func (o *Opa) WithConfig(ctx context.Context, config *models.Config) error {
 	)
 }
 
-func (o *Opa) Compile(ctx context.Context, skip []string) error {
+func skipRule(path string, skip []string, allowed []string) bool {
+	if !strings.Contains(filepath.ToSlash(path), "/rules/") {
+		return false
+	}
+	filename := strings.TrimSuffix(filepath.Base(path), filepath.Ext(path))
+	if len(allowed) > 0 {
+		if !slices.Contains(allowed, filename) {
+			return true
+		}
+	}
+	if slices.Contains(skip, filename) {
+		return true
+	}
+	return false
+}
+
+func (o *Opa) Compile(ctx context.Context, skip []string, allowed []string) error {
 	modules := make(map[string]string)
 	err := fs.WalkDir(regoFs, "rego", func(path string, d fs.DirEntry, err error) error {
 		if d.IsDir() {
 			return err
 		}
 
-		if len(skip) != 0 {
-			if filepath.Dir(path) == filepath.Join("rego", "rules") {
-				filename := strings.TrimSuffix(filepath.Base(path), filepath.Ext(path))
-				if slices.Contains(skip, filename) {
-					return nil
-				}
-			}
+		if skipRule(path, skip, allowed) {
+			return nil
 		}
 
 		content, err := regoFs.ReadFile(path)
@@ -124,6 +133,9 @@ func (o *Opa) Compile(ctx context.Context, skip []string) error {
 	}
 
 	for name, mod := range result.Modules {
+		if skipRule(name, skip, allowed) {
+			continue
+		}
 		modules["include/"+name] = string(mod.Raw)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -43,8 +43,7 @@ func NewOpa(ctx context.Context, config models.Config) (Opa, error) {`
`43`	`43`	`}),`
`44`	`44`	`}`
`45`	`45`
`46`		`- err := newOpa.WithConfig(ctx, config)`
`47`		`- if err != nil {`
	`46`	`+ if err := newOpa.WithConfig(ctx, config); err != nil {`
`48`	`47`	`return nil, fmt.Errorf("failed to set opa with config: %w", err)`
`49`	`48`	`}`
`50`	`49`
`@@ -55,8 +54,7 @@ func NewOpa(ctx context.Context, config models.Config) (Opa, error) {`
`55`	`54`	`}`
`56`	`55`	`}`
`57`	`56`
`58`		`- err = newOpa.Compile(ctx, subset)`
`59`		`- if err != nil {`
	`57`	`+ if err := newOpa.Compile(ctx, subset, config.AllowedRules); err != nil {`
`60`	`58`	`return nil, fmt.Errorf("failed to initialize opa compiler: %w", err)`
`61`	`59`	`}`
`62`	`60`
`@@ -87,20 +85,31 @@ func (o Opa) WithConfig(ctx context.Context, config models.Config) error {`
`87`	`85`	`)`
`88`	`86`	`}`
`89`	`87`
`90`		`-func (o *Opa) Compile(ctx context.Context, skip []string) error {`
	`88`	`+func skipRule(path string, skip []string, allowed []string) bool {`
	`89`	`+ if !strings.Contains(filepath.ToSlash(path), "/rules/") {`
	`90`	`+ return false`
	`91`	`+ }`
	`92`	`+ filename := strings.TrimSuffix(filepath.Base(path), filepath.Ext(path))`
	`93`	`+ if len(allowed) > 0 {`
	`94`	`+ if !slices.Contains(allowed, filename) {`
	`95`	`+ return true`
	`96`	`+ }`
	`97`	`+ }`
	`98`	`+ if slices.Contains(skip, filename) {`
	`99`	`+ return true`
	`100`	`+ }`
	`101`	`+ return false`
	`102`	`+}`
	`103`	`+`
	`104`	`+func (o *Opa) Compile(ctx context.Context, skip []string, allowed []string) error {`
`91`	`105`	`modules := make(map[string]string)`
`92`	`106`	`err := fs.WalkDir(regoFs, "rego", func(path string, d fs.DirEntry, err error) error {`
`93`	`107`	`if d.IsDir() {`
`94`	`108`	`return err`
`95`	`109`	`}`
`96`	`110`
`97`		`- if len(skip) != 0 {`
`98`		`- if filepath.Dir(path) == filepath.Join("rego", "rules") {`
`99`		`- filename := strings.TrimSuffix(filepath.Base(path), filepath.Ext(path))`
`100`		`- if slices.Contains(skip, filename) {`
`101`		`- return nil`
`102`		`- }`
`103`		`- }`
	`111`	`+ if skipRule(path, skip, allowed) {`
	`112`	`+ return nil`
`104`	`113`	`}`
`105`	`114`
`106`	`115`	`content, err := regoFs.ReadFile(path)`
`@@ -124,6 +133,9 @@ func (o *Opa) Compile(ctx context.Context, skip []string) error {`
`124`	`133`	`}`
`125`	`134`
`126`	`135`	`for name, mod := range result.Modules {`
	`136`	`+ if skipRule(name, skip, allowed) {`
	`137`	`+ continue`
	`138`	`+ }`
`127`	`139`	`modules["include/"+name] = string(mod.Raw)`
`128`	`140`	`}`
`129`	`141`