diff --git a/templates/gitlab/go/devsecops.yml b/templates/gitlab/go/devsecops.yml index b51280c..d159f3f 100644 --- a/templates/gitlab/go/devsecops.yml +++ b/templates/gitlab/go/devsecops.yml @@ -87,6 +87,20 @@ cast-quality: cast-gate: stage: cast-gate image: alpine:latest + variables: + DEFAULT_REGO: | + package main + + import future.keywords.if + import future.keywords.in + + deny[msg] if { + run := input.runs[_] + result := run.results[_] + result.level == "error" + tool := run.tool.driver.name + msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId]) + } needs: - job: cast-secrets artifacts: false @@ -112,20 +126,7 @@ cast-gate: # https://github.com/castops/cast/tree/main/policy if [ ! -d policy ] || [ -z "$(ls -A policy/*.rego 2>/dev/null)" ]; then mkdir -p policy - cat > policy/active.rego << 'REGO' -package main - -import future.keywords.if -import future.keywords.in - -deny[msg] if { - run := input.runs[_] - result := run.results[_] - result.level == "error" - tool := run.tool.driver.name - msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId]) -} -REGO + printf '%s' "$DEFAULT_REGO" > policy/active.rego fi - | SARIF_FILES="" diff --git a/templates/gitlab/nodejs/devsecops.yml b/templates/gitlab/nodejs/devsecops.yml index f47d3d1..ec2909d 100644 --- a/templates/gitlab/nodejs/devsecops.yml +++ b/templates/gitlab/nodejs/devsecops.yml @@ -87,6 +87,20 @@ cast-quality: cast-gate: stage: cast-gate image: alpine:latest + variables: + DEFAULT_REGO: | + package main + + import future.keywords.if + import future.keywords.in + + deny[msg] if { + run := input.runs[_] + result := run.results[_] + result.level == "error" + tool := run.tool.driver.name + msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId]) + } needs: - job: cast-secrets artifacts: false 
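Review bot: Moving the policy text out of the quoted heredoc and into the job-level `variables:` block (`DEFAULT_REGO`, first hunk) makes the gate's default policy overridable from outside the file: in GitLab CI, project/group CI/CD variables and pipeline variables supplied by a trigger, schedule, API call or the manual "Run pipeline" form take precedence over `.gitlab-ci.yml` job variables of the same name, so a pipeline started with its own `DEFAULT_REGO` (or an empty one) replaces the deny rule that `printf '%s' "$DEFAULT_REGO" > policy/active.rego` writes in the second hunk, whereas the `<< 'REGO'` heredoc could not be changed without a commit. If the refactor is kept, the write should at least refuse an empty value, e.g. `[ -n "$DEFAULT_REGO" ] || { echo 'DEFAULT_REGO is empty; refusing to write an empty gate policy' >&2; exit 1; }` before the `printf`, and a comment on the variable should say that overriding it changes which findings fail the gate; restoring the inline heredoc (or pinning the policy by checksum) would close the override path entirely. Note too that `printf '%s'` adds no newline itself and relies on the block scalar's clip chomping for the single trailing newline after `}`, which does match the old heredoc output. The same two hunks appear in templates/gitlab/nodejs/devsecops.yml and templates/gitlab/python/devsecops.yml. The enclosing `script:` list begins above the second hunk and continues below it.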
@@ -112,20 +126,7 @@ cast-gate: # https://github.com/castops/cast/tree/main/policy if [ ! -d policy ] || [ -z "$(ls -A policy/*.rego 2>/dev/null)" ]; then mkdir -p policy - cat > policy/active.rego << 'REGO' -package main - -import future.keywords.if -import future.keywords.in - -deny[msg] if { - run := input.runs[_] - result := run.results[_] - result.level == "error" - tool := run.tool.driver.name - msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId]) -} -REGO + printf '%s' "$DEFAULT_REGO" > policy/active.rego fi - | SARIF_FILES="" diff --git a/templates/gitlab/python/devsecops.yml b/templates/gitlab/python/devsecops.yml index 9d4f63a..e1de741 100644 --- a/templates/gitlab/python/devsecops.yml +++ b/templates/gitlab/python/devsecops.yml @@ -87,6 +87,20 @@ cast-quality: cast-gate: stage: cast-gate image: alpine:latest + variables: + DEFAULT_REGO: | + package main + + import future.keywords.if + import future.keywords.in + + deny[msg] if { + run := input.runs[_] + result := run.results[_] + result.level == "error" + tool := run.tool.driver.name + msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId]) + } needs: - job: cast-secrets artifacts: false @@ -112,20 +126,7 @@ cast-gate: # https://github.com/castops/cast/tree/main/policy if [ ! -d policy ] || [ -z "$(ls -A policy/*.rego 2>/dev/null)" ]; then mkdir -p policy - cat > policy/active.rego << 'REGO' -package main - -import future.keywords.if -import future.keywords.in - -deny[msg] if { - run := input.runs[_] - result := run.results[_] - result.level == "error" - tool := run.tool.driver.name - msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId]) -} -REGO + printf '%s' "$DEFAULT_REGO" > policy/active.rego fi - | SARIF_FILES="" diff --git a/templates/go/devsecops.yml b/templates/go/devsecops.yml index 523a6da..b4c2f54 100644 --- a/templates/go/devsecops.yml +++ b/templates/go/devsecops.yml 
@@ -153,26 +153,27 @@ jobs: tar xzf conftest.tar.gz conftest chmod +x conftest && sudo mv conftest /usr/local/bin/ - name: Write default policy + env: + DEFAULT_REGO: | + package main + + import future.keywords.if + import future.keywords.in + + deny[msg] if { + run := input.runs[_] + result := run.results[_] + result.level == "error" + tool := run.tool.driver.name + msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId]) + } run: | # Use local policy/ directory if present; otherwise write the built-in default. # For strict/permissive mode, copy the desired .rego from: # https://github.com/castops/cast/tree/main/policy if [ ! -d policy ] || [ -z "$(ls -A policy/*.rego 2>/dev/null)" ]; then mkdir -p policy - cat > policy/active.rego << 'REGO' -package main - -import future.keywords.if -import future.keywords.in - -deny[msg] if { - run := input.runs[_] - result := run.results[_] - result.level == "error" - tool := run.tool.driver.name - msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId]) -} -REGO + printf '%s' "$DEFAULT_REGO" > policy/active.rego fi - name: Evaluate policy run: | diff --git a/templates/nodejs/devsecops.yml b/templates/nodejs/devsecops.yml index 0f3f5af..08ff37f 100644 --- a/templates/nodejs/devsecops.yml +++ b/templates/nodejs/devsecops.yml 
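Review bot: The new step-level `env:` block carrying `DEFAULT_REGO` has no comment tying it to the `printf '%s' "$DEFAULT_REGO" > policy/active.rego` line in the `run:` block below, and the identical Rego text is repeated in templates/nodejs/devsecops.yml and templates/python/devsecops.yml (plus the GitLab templates), so the copies can drift silently; a one-line comment above the variable such as `# Built-in gate policy; keep in sync with the other templates and the upstream policy/ directory` would make that maintenance obligation visible. Unlike the former `<< 'REGO'` heredoc, a step-level `env:` value goes through `${{ ... }}` expression evaluation before the shell sees it; the current policy contains no such sequence, but stating that in the same comment keeps a future policy edit from tripping over it. Otherwise the block scalar reproduces the heredoc output, including the single trailing newline after `}` that `printf '%s'` does not add on its own. The `jobs:` step list this hunk sits in starts above the hunk, and the `run:` block of the next step continues past its last line.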
@@ -153,26 +153,27 @@ jobs: tar xzf conftest.tar.gz conftest chmod +x conftest && sudo mv conftest /usr/local/bin/ - name: Write default policy + env: + DEFAULT_REGO: | + package main + + import future.keywords.if + import future.keywords.in + + deny[msg] if { + run := input.runs[_] + result := run.results[_] + result.level == "error" + tool := run.tool.driver.name + msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId]) + } run: | # Use local policy/ directory if present; otherwise write the built-in default. # For strict/permissive mode, copy the desired .rego from: # https://github.com/castops/cast/tree/main/policy if [ ! -d policy ] || [ -z "$(ls -A policy/*.rego 2>/dev/null)" ]; then mkdir -p policy - cat > policy/active.rego << 'REGO' -package main - -import future.keywords.if -import future.keywords.in - -deny[msg] if { - run := input.runs[_] - result := run.results[_] - result.level == "error" - tool := run.tool.driver.name - msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId]) -} -REGO + printf '%s' "$DEFAULT_REGO" > policy/active.rego fi - name: Evaluate policy run: | diff --git a/templates/python/devsecops.yml b/templates/python/devsecops.yml index 28d8c27..1dbc05a 100644 --- a/templates/python/devsecops.yml +++ b/templates/python/devsecops.yml 
@@ -147,26 +147,27 @@ jobs: tar xzf conftest.tar.gz conftest chmod +x conftest && sudo mv conftest /usr/local/bin/ - name: Write default policy + env: + DEFAULT_REGO: | + package main + + import future.keywords.if + import future.keywords.in + + deny[msg] if { + run := input.runs[_] + result := run.results[_] + result.level == "error" + tool := run.tool.driver.name + msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId]) + } run: | # Use local policy/ directory if present; otherwise write the built-in default. # For strict/permissive mode, copy the desired .rego from: # https://github.com/castops/cast/tree/main/policy if [ ! -d policy ] || [ -z "$(ls -A policy/*.rego 2>/dev/null)" ]; then mkdir -p policy - cat > policy/active.rego << 'REGO' -package main - -import future.keywords.if -import future.keywords.in - -deny[msg] if { - run := input.runs[_] - result := run.results[_] - result.level == "error" - tool := run.tool.driver.name - msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId]) -} -REGO + printf '%s' "$DEFAULT_REGO" > policy/active.rego fi - name: Evaluate policy run: |