
Reposaur
Reposaur is the open source compliance tool for development platforms.
Audit, verify and report on your data and configurations easily with pre-defined
and/or custom policies.
Supports GitHub. GitLab, BitBucket and Gitea support is coming soon.
⚠ From 0.7.0 onwards, policy namespaces must be prefixed with a provider name.
For example, policies in the repository namespace are now github.repository.
This change allows new providers to be added easily without namespaces colliding.
Quick Start
See also our Writing your first policy guide for a more in-depth walkthrough.
- Install the CLI on your machine (see Installation for available options)
- Write your first policy:
```rego
# ./repository.rego
package github.repository

innersource_files := ["README.md", "CONTRIBUTING.md", "LICENSE"]

# METADATA
# title: Repository is not InnerSource ready
# description: |-
#   InnerSource repositories (that have the `innersource` topic) must have all of
#   these files: `README.md`, `CONTRIBUTING.md` and `LICENSE`, and at least one
#   of them is missing.
note_not_innersource_ready {
    # check if repository has the innersource topic
    input.topics[_] == "innersource"

    # fetch all the root files
    resp := github.request("GET /repos/{owner}/{repo}/contents", {
        "owner": input.owner.login,
        "repo": input.name,
    })

    # count how many of the files belong to the required files list
    total_innersource_files := count([f | f := resp.body[_].name == innersource_files[_]; f])

    # if the total files differs from the total required files the repository
    # is missing some of them and is not InnerSource ready
    total_innersource_files != count(innersource_files)
}
```
- Execute the policy against a repository:
```sh
$ gh api /repos/reposaur/test | rsr exec
```
The following SARIF report will be output:
```json
{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "informationUri": "https://github.com/reposaur/reposaur",
          "name": "Reposaur",
          "rules": [
            {
              "id": "github.repository/note/not_innersource_ready",
              "name": "Repository is not InnerSource ready",
              "shortDescription": {
                "text": "Repository is not InnerSource ready"
              },
              "fullDescription": {
                "text": "InnerSource repositories (that have the `innersource` topic) must have all of\nthese files: `README.md`, `CONTRIBUTING.md` and `LICENSE`, and at least one\nof them is missing.",
                "markdown": "InnerSource repositories (that have the `innersource` topic) must have all of\nthese files: `README.md`, `CONTRIBUTING.md` and `LICENSE`, and at least one\nof them is missing."
              },
              "help": {
                "markdown": "InnerSource repositories (that have the `innersource` topic) must have all of\nthese files: `README.md`, `CONTRIBUTING.md` and `LICENSE`, and at least one\nof them is missing."
              },
              "properties": {
                "security-severity": "1"
              }
            }
          ]
        }
      },
      "results": [
        {
          "ruleId": "github.repository/note/not_innersource_ready",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Repository is not InnerSource ready"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "."
                }
              }
            }
          ]
        }
      ],
      "properties": {
        "default_branch": "main",
        "owner": "reposaur",
        "repo": "test"
      }
    }
  ]
}
```
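As a second policy in the same namespace (an added example, not code from the Reposaur repository), the root-listing request from the quick-start policy generalised to any set of required files using Rego set comprehensions and set difference; the `note_` rule prefix and the `github.request` helper follow the policy above, while the choice of `SECURITY.md` as the required file, checked at the repository root only, is this example's own assumption.

```rego
# ./security_files.rego (added example; assumes the same Reposaur conventions as repository.rego)
package github.repository

# Files every repository is expected to carry at its root. `SECURITY.md` is this
# example's own choice: it is where a vulnerability disclosure policy is published.
# Only the root is inspected; `.github/` and `docs/` are not checked here.
required_root_files := {"SECURITY.md"}

# Names of all entries in the repository root, fetched once and reusable by any
# rule in this package (same endpoint and input fields as the policy above).
root_file_names := {name |
    resp := github.request("GET /repos/{owner}/{repo}/contents", {
        "owner": input.owner.login,
        "repo": input.name,
    })
    name := resp.body[_].name
}

# Set difference: required files that are not present at the root.
missing_root_files := required_root_files - root_file_names

# METADATA
# title: Repository is missing a security policy
# description: |-
#   Every repository must publish a `SECURITY.md` at its root so that
#   researchers know how to report vulnerabilities, and it is missing here.
note_missing_security_policy {
    # fire once when at least one required root file is absent
    count(missing_root_files) > 0
}
```

With this file in the policies directory, `gh api /repos/reposaur/test | rsr exec` reports the rule as `github.repository/note/missing_security_policy` alongside the InnerSource check above.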