Fix YAML syntax error in generated devsecops.yml templates

templates/gitlab/go/devsecops.yml

@@ -87,6 +87,20 @@ cast-quality:
 cast-gate:
   stage: cast-gate
   image: alpine:latest
+  variables:
+    DEFAULT_REGO: |
+      package main
+
+      import future.keywords.if
+      import future.keywords.in
+
+      deny[msg] if {
+          run := input.runs[_]
+          result := run.results[_]
+          result.level == "error"
+          tool := run.tool.driver.name
+          msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId])
+      }
   needs:
     - job: cast-secrets
       artifacts: false
@@ -112,20 +126,7 @@ cast-gate:
       #   https://github.com/castops/cast/tree/main/policy
       if [ ! -d policy ] || [ -z "$(ls -A policy/*.rego 2>/dev/null)" ]; then
         mkdir -p policy
-        cat > policy/active.rego << 'REGO'
-package main
-
-import future.keywords.if
-import future.keywords.in
-
-deny[msg] if {
-    run := input.runs[_]
-    result := run.results[_]
-    result.level == "error"
-    tool := run.tool.driver.name
-    msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId])
-}
-REGO
+        printf '%s' "$DEFAULT_REGO" > policy/active.rego
       fi
     - |
       SARIF_FILES=""

templates/gitlab/nodejs/devsecops.yml

@@ -87,6 +87,20 @@ cast-quality:
 cast-gate:
   stage: cast-gate
   image: alpine:latest
+  variables:
+    DEFAULT_REGO: |
+      package main
+
+      import future.keywords.if
+      import future.keywords.in
+
+      deny[msg] if {
+          run := input.runs[_]
+          result := run.results[_]
+          result.level == "error"
+          tool := run.tool.driver.name
+          msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId])
+      }
   needs:
     - job: cast-secrets
       artifacts: false
@@ -112,20 +126,7 @@ cast-gate:
       #   https://github.com/castops/cast/tree/main/policy
       if [ ! -d policy ] || [ -z "$(ls -A policy/*.rego 2>/dev/null)" ]; then
         mkdir -p policy
-        cat > policy/active.rego << 'REGO'
-package main
-
-import future.keywords.if
-import future.keywords.in
-
-deny[msg] if {
-    run := input.runs[_]
-    result := run.results[_]
-    result.level == "error"
-    tool := run.tool.driver.name
-    msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId])
-}
-REGO
+        printf '%s' "$DEFAULT_REGO" > policy/active.rego
       fi
     - |
       SARIF_FILES=""

templates/gitlab/python/devsecops.yml

@@ -87,6 +87,20 @@ cast-quality:
 cast-gate:
   stage: cast-gate
   image: alpine:latest
+  variables:
+    DEFAULT_REGO: |
+      package main
+
+      import future.keywords.if
+      import future.keywords.in
+
+      deny[msg] if {
+          run := input.runs[_]
+          result := run.results[_]
+          result.level == "error"
+          tool := run.tool.driver.name
+          msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId])
+      }
   needs:
     - job: cast-secrets
       artifacts: false
@@ -112,20 +126,7 @@ cast-gate:
       #   https://github.com/castops/cast/tree/main/policy
       if [ ! -d policy ] || [ -z "$(ls -A policy/*.rego 2>/dev/null)" ]; then
         mkdir -p policy
-        cat > policy/active.rego << 'REGO'
-package main
-
-import future.keywords.if
-import future.keywords.in
-
-deny[msg] if {
-    run := input.runs[_]
-    result := run.results[_]
-    result.level == "error"
-    tool := run.tool.driver.name
-    msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId])
-}
-REGO
+        printf '%s' "$DEFAULT_REGO" > policy/active.rego
       fi
     - |
       SARIF_FILES=""

templates/go/devsecops.yml

@@ -153,26 +153,27 @@ jobs:
           tar xzf conftest.tar.gz conftest
           chmod +x conftest && sudo mv conftest /usr/local/bin/
       - name: Write default policy
+        env:
+          DEFAULT_REGO: |
+            package main
+
+            import future.keywords.if
+            import future.keywords.in
+
+            deny[msg] if {
+                run := input.runs[_]
+                result := run.results[_]
+                result.level == "error"
+                tool := run.tool.driver.name
+                msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId])
+            }
         run: |
           # Use local policy/ directory if present; otherwise write the built-in default.
           # For strict/permissive mode, copy the desired .rego from:
           #   https://github.com/castops/cast/tree/main/policy
           if [ ! -d policy ] || [ -z "$(ls -A policy/*.rego 2>/dev/null)" ]; then
             mkdir -p policy
-            cat > policy/active.rego << 'REGO'
-package main
-
-import future.keywords.if
-import future.keywords.in
-
-deny[msg] if {
-    run := input.runs[_]
-    result := run.results[_]
-    result.level == "error"
-    tool := run.tool.driver.name
-    msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId])
-}
-REGO
+            printf '%s' "$DEFAULT_REGO" > policy/active.rego
           fi
       - name: Evaluate policy
         run: |

templates/nodejs/devsecops.yml

@@ -153,26 +153,27 @@ jobs:
           tar xzf conftest.tar.gz conftest
           chmod +x conftest && sudo mv conftest /usr/local/bin/
       - name: Write default policy
+        env:
+          DEFAULT_REGO: |
+            package main
+
+            import future.keywords.if
+            import future.keywords.in
+
+            deny[msg] if {
+                run := input.runs[_]
+                result := run.results[_]
+                result.level == "error"
+                tool := run.tool.driver.name
+                msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId])
+            }
         run: |
           # Use local policy/ directory if present; otherwise write the built-in default.
           # For strict/permissive mode, copy the desired .rego from:
           #   https://github.com/castops/cast/tree/main/policy
           if [ ! -d policy ] || [ -z "$(ls -A policy/*.rego 2>/dev/null)" ]; then
             mkdir -p policy
-            cat > policy/active.rego << 'REGO'
-package main
-
-import future.keywords.if
-import future.keywords.in
-
-deny[msg] if {
-    run := input.runs[_]
-    result := run.results[_]
-    result.level == "error"
-    tool := run.tool.driver.name
-    msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId])
-}
-REGO
+            printf '%s' "$DEFAULT_REGO" > policy/active.rego
           fi
       - name: Evaluate policy
         run: |

templates/python/devsecops.yml

@@ -147,26 +147,27 @@ jobs:
           tar xzf conftest.tar.gz conftest
           chmod +x conftest && sudo mv conftest /usr/local/bin/
       - name: Write default policy
+        env:
+          DEFAULT_REGO: |
+            package main
+
+            import future.keywords.if
+            import future.keywords.in
+
+            deny[msg] if {
+                run := input.runs[_]
+                result := run.results[_]
+                result.level == "error"
+                tool := run.tool.driver.name
+                msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId])
+            }
         run: |
           # Use local policy/ directory if present; otherwise write the built-in default.
           # For strict/permissive mode, copy the desired .rego from:
           #   https://github.com/castops/cast/tree/main/policy
           if [ ! -d policy ] || [ -z "$(ls -A policy/*.rego 2>/dev/null)" ]; then
             mkdir -p policy
-            cat > policy/active.rego << 'REGO'
-package main
-
-import future.keywords.if
-import future.keywords.in
-
-deny[msg] if {
-    run := input.runs[_]
-    result := run.results[_]
-    result.level == "error"
-    tool := run.tool.driver.name
-    msg := sprintf("[CRITICAL] %s — %s (rule: %s)", [tool, result.message.text, result.ruleId])
-}
-REGO
+            printf '%s' "$DEFAULT_REGO" > policy/active.rego
           fi
       - name: Evaluate policy
         run: |