27 lines
650 B
Rego
27 lines
650 B
Rego
# METADATA
|
|
# scope: package
|
|
# title: Block Git --no-verify
|
|
# description: Blocks git commit --no-verify
|
|
# custom:
|
|
# routing:
|
|
# required_events: ["PreToolUse"]
|
|
# required_tools: ["Bash"]
|
|
package cupcake.policies.opencode.block_no_verify
|
|
import rego.v1
|
|
|
|
pattern := `git\s+commit\s+.*--no-verify|git\s+commit\s+--no-verify`
|
|
|
|
deny contains decision if {
|
|
input.hook_event_name == "PreToolUse"
|
|
input.tool_name == "Bash"
|
|
|
|
command := input.tool_input.command
|
|
regex.match(pattern, command)
|
|
|
|
decision := {
|
|
"rule_id": "GIT-001",
|
|
"reason": "Git commit --no-verify is prohibited.",
|
|
"severity": "HIGH"
|
|
}
|
|
}
|