27 lines
735 B
Rego
27 lines
735 B
Rego
# METADATA
|
|
# scope: package
|
|
# title: Block Makefile Edit (Bash)
|
|
# description: Blocks Bash edits to Makefile
|
|
# custom:
|
|
# routing:
|
|
# required_events: ["PreToolUse"]
|
|
# required_tools: ["Bash"]
|
|
package cupcake.policies.opencode.block_makefile_bash
|
|
import rego.v1
|
|
|
|
pattern := `(>>?\s*Makefile|sed\s+.*-i.*Makefile|sed\s+-i.*Makefile|perl\s+-[pi].*Makefile|tee\s+.*Makefile|(mv|cp)\s+\S+\s+Makefile\b|>\s*Makefile)`
|
|
|
|
deny contains decision if {
|
|
input.hook_event_name == "PreToolUse"
|
|
input.tool_name == "Bash"
|
|
|
|
command := input.tool_input.command
|
|
regex.match(pattern, command)
|
|
|
|
decision := {
|
|
"rule_id": "BUILD-001",
|
|
"reason": "Makefile edits are prohibited.",
|
|
"severity": "HIGH"
|
|
}
|
|
}
|