
Releases: StyraInc/regal

v0.29.2

15 Nov 09:16
20a5cfa

This patch release fixes an issue where the new defer-assignment rule would sometimes report a false positive when the variable was used inside of a with clause on the next line.

Thanks @nevumx for reporting the issue!


v0.29.1

14 Nov 13:35
743a65b

This patch release fixes an issue where custom (i.e. user-created) aggregate rules¹ wouldn't work as expected when the condition for a violation was the absence of aggregated data. This could for example be a rule that says "at least one rule must be named allow, and it must have a default assignment to false".

Upgrading from v0.29.0 is not required unless you're writing custom Regal rules.

Many thanks to @shibataka000 for reporting the issue, and in such an exemplary way ⭐


  1. scroll below the table of rules for an explanation of what aggregate rules are

v0.29.0

12 Nov 15:16
5cb67ea

This is a big release, spanning more than a month of development! Regal v0.29.0 brings new linter rules, performance improvements and new features to both the linter and the language server.

New rules

defer-assignment

Category: performance

The new defer-assignment rule helps detect when an assignment can be moved later in the rule body, possibly avoiding it altogether if the conditions below it don’t evaluate.

allow if {
    # this assignment can be deferred to after the roles check
    resp := http.send({"method": "get", "url": "http://localhost"})
    
    "rego hacker" in input.user.roles
    
    resp.status_code == 200
}

This can improve performance by having less to evaluate, and it makes policies easier to read. Double win!

For more information, see the docs on defer-assignment.
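
The rule above with the assignment deferred, as an added example that is not part of the Regal release notes: the roles check runs first, so `http.send` is only reached for users who hold the role. The package name `example.authz` and the `mock_send` function are assumptions made for illustration, and the tests share the file only to keep the example in one block.

```rego
package example.authz

import rego.v1

default allow := false

allow if {
    # cheap, local check first: evaluation stops here for everyone else
    "rego hacker" in input.user.roles

    # the request is only made once the roles check has passed
    resp := http.send({"method": "get", "url": "http://localhost"})

    resp.status_code == 200
}

# Constructed stand-in for http.send so the tests run offline.
mock_send(_) := {"status_code": 200}

test_allow_with_role_and_ok_response if {
    allow with input as {"user": {"roles": ["rego hacker"]}}
        with http.send as mock_send
}

test_deny_without_role if {
    not allow with input as {"user": {"roles": ["viewer"]}}
        with http.send as mock_send
}
```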

walk-no-path

Category: performance

When using the walk built-in function on large data structures, traversing only the values without building a path to each node can save a considerable amount of time. The new walk-no-path rule will detect when the assigned path is unused and can be replaced by a wildcard variable, which tells OPA to skip the construction of the path. This dramatically improves the performance of the function.

found if {
    # path assigned but never referenced in the rule
    walk(haystack, [path, value])

    value == "needle"
}

# should be replaced by

found if {
    walk(haystack, [_, value])

    value == "needle"
}

For more information, see the docs on walk-no-path.

rule-assigns-default

Category: bugs

Assigning a rule the same value as the default value set for the rule is always a bug, and while hopefully not too common, it is now reported by Regal.

default threshold := 1

threshold := 0 if {
    # some conditions
}

# this is already the default condition!
# and having this removed will have no impact on how
# the rule evaluates.. don't do this!
threshold := 1 if {
    # some conditions
}

For more information, see the docs on rule-assigns-default.

Language Server

Evaluation Code Lens for Neovim

We were excited to learn that the Code Lens for Evaluation (“click to evaluate”) feature we built now works not only in VS Code but also in Neovim. This is thanks to work by regular contributor @rinx. Thank you! The language server docs have now been updated to reflect this.

Improved Enterprise OPA integration

Setting the capabilities engine to eopa will now have the language server recognize Enterprise OPA-specific built-in functions, and provide both auto-completions for those as well as informative tooltips on hover. Clicking links in the tooltip now correctly brings you to the Styra docs for the Enterprise OPA built-in functions.

Notable Improvements

  • The leaked-internal-reference rule is now ignored in tests by default. See the docs for this rule if you wish to enable this.
  • The prefer-snake-case rule now also reports violations in package names.
  • The same prepared query is now used both for linting and to collect data for aggregate rules, saving about 150 milliseconds for any given regal lint run.
  • Regal’s own capabilities and provided configuration is now available when running the evaluation code lens, simplifying development of custom rules.
  • The pretty reporting format will now print the severity level of a violation when no color support is detected in the terminal (reported by @geirs73)
  • The --instrument flag from opa eval is now supported also by regal lint, providing detailed information about where most time is spent while linting.

Notable Fixes

  • Using input.json for the evaluation code lens now works reliably on Windows, as does sourcing a capabilities.json file from the filesystem. Thanks to @geirs73 for reporting these issues!
  • Global ignore directives from .regal/config.yaml would sometimes be parsed differently depending on whether they were read by regal lint or the language server. This has now been fixed.
  • Fix false positive in inconsistent-args rule when an arity mismatch should rather be handled by the compiler. Thanks @tsandall for reporting that!
  • Fix a false positive in use-contains rule when not importing rego.v1. This turned out to be an issue originating in OPA, so we fixed it there, and later included the fix in Regal by upgrading the dependency to the latest OPA version v0.70.0. Thanks @drewcorlin1 for reporting the issue!


v0.28.0

07 Oct 15:31
9503967

New Rule: missing-metadata #1131

The new missing-metadata rule helps ensure policies are documented by requiring METADATA comments on public packages and rules. Metadata comments are used to explain functionality and annotate Rego constructs with other data.

Note: missing-metadata is a custom rule and so is not enabled by default for all users.

fixer: Automated fixing of directory-package-mismatch

This release brings improvements to regal fix, the command to automatically fix supported violations (#1120, #1127).

Fixes for the directory-package-mismatch violations involve moving files based on their packages. For example a file with package foo.bar in policies/policy.rego would need to be moved to foo/policy.rego. In previous versions of Regal, when multiple files in a large code base with the same filename needed to be moved to the same package directory, Regal would output a confusing error message.

Regal v0.28.0 outputs a clear error message by default and adds a new --on-conflict=rename modifying flag to allow conflicting files to automatically be renamed when this scenario is encountered.

Linter Improvements

Language Server Performance Improvements

Dependency Updates

  • anderseknert/roast v0.2.0 -> v0.4.2 #1140, #1170
  • open-policy-agent/opa v0.68.0 -> v0.69.0 #1152

Github Actions Updates

  • golangci/golangci-lint-action 6.1.0 -> 6.1.1 #1163
  • peter-evans/create-pull-request 7.0.3 -> 7.0.5 #1114
  • github/codeql-action 3.26.7 -> 3.26.11 #1117, #1137, #1157, #1174
  • actions/checkout 4.1.7 -> 4.2.0 #1142
  • codecov/codecov-action 4.5.0 -> 4.6.0 #1162, #1164
  • actions/cache 4.0.2 -> 4.1.0 #1179


v0.27.0

17 Sep 15:25
f1606de

Debug Adapter Protocol Support

Back in #926 (v0.26.0), support was added for the Debug Adapter Protocol (DAP), based on the new OPA SDK added in #6876 (documentation). This release improves on this, making it ready for consumption in clients, namely through the addition of a new Debug Code Lens in #1103 and a bug fix for ast.ref_to_string which brings the Regal implementation in line with OPA’s (#1106).

Please see our documentation here to get started.


Neovim DAP Support

Thanks to community member @rinx, DAP support is also available in the Neovim editor. This is based on nvim-dap, and @rinx’s own project nvim-dap-rego. This is an awesome contribution which represents an important improvement for Neovim users of Regal. Thank you Rintaro Okamura for all your work here, it is appreciated.


New Rule: comprehension-term-assignment

This rule flags cases where an intermediate assignment is used within a comprehension body when the value can be directly used as the comprehension term. It enforces the removal of redundant assignments, encouraging more concise and readable code.

# avoid
names := [name |
    some user in input.users
    name := user.name
]

# prefer
names := [user.name | some user in input.users]

Compiler Stage Source Explorer

A new Source Action has been added to allow users of compatible clients to explore the compiler stages of the Rego code they’re working on.

By integrating opa-explorer with Regal, it’s now possible to launch a web server to view the explorer output. Users will see a "Source Action" in the context menu of Rego files, which opens the explorer for that file. This feature is currently limited to VS Code due to available commands. Currently, only a single file is loaded into the explorer for compilation.

Screenshot: Source Action shown in VS Code

Screenshot: Browser showing the given file's compiler explorer

Test Flake Fixes

This release contains a number of fixes for flakey tests that have been disrupting the contributor experience. If you experience flakes and re-run checks on a PR, please leave a comment to let us know so we can look into it. #1112, #1102, #1101


v0.26.2

10 Sep 14:58
6f9b32f

This release contains a bug fix for an issue introduced in v0.26.0 as well as a number of other minor improvements.

Notable Bug fixes:

  • #1087 fixes an issue in the marshalling of ASTs using RoAST
  • #1056 makes a change to no longer suggest built-in functions for default rules
  • #1065 fixes an issue where git was required even when fixing in dry run mode
  • #1069 fixes an edge case in use-some-for-output-vars
  • #1078, #1080, #1083, #1085 fix issues relating to file rename updates from the client
  • #1093 addresses an issue where the fix command produced the incorrect result due to relative paths
  • #1081 ensures that .manifest files are correctly detected as 'roots' when fixing

New features:

  • #1059 updates the language server to suggest boolean values at relevant times
  • #1088 adds a new feature for rule authors to use the files from their project as input for evaluation


v0.26.1

05 Sep 08:43
1cfdee9

This release contains a bug fix for an issue introduced in v0.26.0. The bug was caused by a change to the data required to complete a formatting Rego 'fix'.


v0.26.0

04 Sep 19:12
bf6e879

v0.26.0 brings 2 new linter rules to Regal, a debugger API backend, and noticeably faster linting.

Regal v0.26.0 is likely the first consumer of the new debugger API that landed in OPA v0.68.0 just last week — and in turn uses this to expose a first ever Debug Adapter Protocol (DAP) backend for Rego! Next release of the OPA VS Code extension will leverage Regal to provide developers a first-class debugging experience for Rego. Stay tuned!

Thanks to @johanfylling for tirelessly working to make this happen — in both OPA, Regal, and the OPA VS Code extension.

Rules

New rule: directory-package-mismatch

Category: idiomatic

The directory-package-mismatch rule is a first of its kind in Regal, as it reports issues in project structure rather than in code. This rule codifies an old best practice in Rego projects: the package name (path) should be mirrored in the directory structure a policy resides in. Put simply, a policy declaring package rbac.user.roles should be placed in a rbac/user/roles directory.

The directory-package-mismatch rule not only helps enforce this convention, but provides both CLI (regal fix) and editor support for fixing these issues automatically.

Note: When used on an existing project, this rule will likely result in a lot of violations being reported. While regal fix can remediate that in a matter of seconds (by moving policy files according to their package paths), make sure to commit or stash any existing changes before running it, and then review the result. Read the docs for details!

For more information, see the docs on directory-package-mismatch.

New Rule: sprintf-arguments-mismatch

Category: bugs

The new sprintf-arguments-mismatch rule checks that the formatting directives (%s, %d, etc) in a sprintf call match the number of supplied arguments.

Wrong

msg := sprintf("number of issues (%d) must not be higher than %d", [count(issues)])

Correct

msg := sprintf("number of issues (%d) must not be higher than %d", [count(issues), 10])

For more information, see the docs on sprintf-arguments-mismatch.

Debug Adapter Protocol Backend

This release adds support in Regal for the Debug Adapter Protocol. Similar to the language server protocol, this new functionality will allow users of compatible clients to debug their Rego projects step by step in an interactive manner. Client implementation in the VS Code OPA extension soon to follow!

Language Server: auto-completion based on input.json

Both the OPA VS Code extension and Regal support placing an input.json file in the workspace and automatically having it used as input for evaluation. If found, Regal will now additionally use this to provide completion suggestions on input based on the fields found in that file. If you haven't made it a habit yet to keep an input.json file in your workspace, now is a good time to start!

New RoAST library for custom AST serialization

Regal now uses a new, custom and optimized AST format to improve the performance of Regal. The new library is integrated into Regal in this release and represents around a 50% reduction in AST JSON size, and a 25% performance improvement in linting over the previous implementation.

For more information, see the docs in the roast project repo.

Special thanks to our contributors from the community!


v0.25.0

15 Aug 13:33
1e14d08

This release brings 2 new rules to the Regal linter as well as a number of improvements to the Regal Language Server.

Rules

New rule unused-output-variable

Category: bugs

In this example, if x is unused later in the rule, it is considered an unused output variable.

package policy

allow if {
    some x
    role := input.user.roles[x]

    # do something with "role", but not "x"
}

Unused output variables should be replaced by wildcards (_), as it makes it clear that the variable isn't going to be used.

For more information, see the docs on unused-output-variable.

New rule use-strings-count

Category: idiomatic

strings.count is a new OPA built-in function and should be used in place of counting indexes (count(indexof_n("foobarbaz", "a"))) as was common before.

Not only is strings.count more readable, but it also performs better.

For more information, see the docs on use-strings-count.

Other Rule Updates

The argument-always-wildcard rule will now ignore mock_ prefixed functions by default, as wildcard arguments are commonly used in mocked functions.

Linter

  • The JUnit XML output format is now supported by regal lint. This can be used by e.g. GitLab CI/CD jobs to have linter violations printed in the code view in GitLab merge requests. Thanks @sebhoss for the work on this one!
  • Regal's version of OPA has been updated to v0.67.0; you'll need to be using this version to use the remediation for the use-strings-count rule.
  • The --var-values flag from opa test (added to OPA in v0.66.0) is now supported by the regal test command. This allows custom policy authors to see the variable values in scope of a failed test.

Regal Language Server

Code Lens Support

Regal now provides a Code Lens for direct evaluation of packages or rules within the editor, providing immediate feedback. In supported editors, you can now evaluate a package or rule by pressing "Evaluate" above its declaration, with the results displayed in-line.


Input data provided via input.json, and data.json/data.yaml files from bundle directories in the workspace are also available at evaluation time.

Improved Formatter

The language server can now be configured to use regal fix as a formatter when saving buffers. In VS Code, setting opa.formatter to regal-fix will enable this feature.

Other editors can use this by setting the initializationOptions.formatter.

New Contributors

Thanks @rinx for their work on creating the Regal Nix package (and updating our docs), and @sebhoss for the JUnit output format!


v0.24.0

16 Jul 17:23

This release brings 4 new rules to Regal's linter as well as a number of improvements to the language server.

Rules

New Rule if-object-literal

This rule helps users avoid an error case where an object follows an if. Typically this represents an incomplete rule.

allow if {}

Read the docs on if-object-literal.

New Rule pointless-reassignment

Variables in Rego are immutable, so adding a new variable for an existing short variable only adds noise. Read the docs on pointless-reassignment.

New Rule argument-always-wildcard

Sometimes, particularly after refactoring, a function argument is always a wildcard (_):

my_func(name, _)
my_func("Alice", _)

This rule catches such cases as they typically offer an opportunity for further refactoring or an error where the argument should be used in one or more cases. Read the docs on argument-always-wildcard.

New Rule annotation-without-metadata

Rules containing METADATA annotation syntax without a METADATA header will not be parsed and represent a likely mistake.

# description: allow allows
allow if {
    # ... some conditions
}

Read the docs on annotation-without-metadata.

New Rule var-shadows-builtin

Variables that share the name of a built-in group or function should be renamed to avoid confusion.

# variable `http` shadows `http.send` built-in function
allow if {
    http := startswith(input.url, "http://")
    # ...
}

Read the docs on var-shadows-builtin.

Regal Language Server

Snippet Completions

We have extended the support for completions to add snippets for some and every. Both key:value and collection formats are supported.


Example Links on Keyword and Built-in Hover

We've been building out a new documentation section called 'Rego By Example'. We have detailed guides here for some of the common keywords and built-in functions. Users can now browse directly to these from their editors by hovering over supported keywords and functions.


Supported:

  • Keywords some and every
  • Function Groups io.jwt, regex, time, and contains
  • (more coming soon!)

Suggestions for Variables in Local Scope

We've got lots of completion providers now; this new one suggests previously defined local variables.

Project Housekeeping

Start-up Version Check

With much work going into keeping a regular stream of updates, we felt it was important to help users stay up-to-date. In this release we have laid the groundwork for this by having Regal consult the latest releases on GitHub at startup and reporting if the current version is now outdated.

Please see Remote Features for more information and for instructions on how to disable this.

Use OSSF Scorecard

The OpenSSF Scorecard evaluates open source projects against security best practices to identify potential risks and areas for improvement. In this release we have added a workflow to scan the project on a schedule.

New Contributors

Thanks @maruloop for your first contribution to the project in #865 - and for working on this reviewdog integration for our project.
