# METADATA
# scope: package
# title: Warn on Baselines Edit (Bash)
# description: Warns on Bash edits to tests/quality/baselines.json
# custom:
#   routing:
#     required_events: ["PreToolUse"]
#     required_tools: ["Bash"]
package cupcake.policies.opencode.warn_baselines_edit_bash
import rego.v1
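# pattern matches a Bash command string in which one of the listed writer
# tokens (sed, awk, echo, cat, tee, cp, mv, or a `>` redirect) is followed,
# anywhere later in the command, by the path tests/quality/baselines.json.
#
# (?s) lets `.` cross newlines, so a command split over several lines
# (line continuation, heredoc) is still matched. `>>` needs no alternative of
# its own because any `>>` already contains `>`.
#
# NOTE(review): this is best-effort matching on the command text, not an
# enforcement boundary. The tokens are unanchored substrings, the token list is
# not exhaustive, and the path is matched only in this literal spelling. Treat
# a hit as a prompt for review and keep a repository-side control (CI check or
# required review on the baselines file) as the actual safeguard.
pattern := `(?s)(sed|awk|echo|cat|tee|>|cp|mv).*tests/quality/baselines\.json`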
# deny gains a TEST-QUALITY-003 decision (severity LOW) whenever a PreToolUse
# event for the Bash tool carries a command string that matches `pattern`.
# If input.tool_input.command is absent the rule is simply undefined and
# nothing is emitted.
#
# NOTE(review): the title and reason text describe a warning, yet the decision
# is added to the `deny` set. Confirm how the harness treats a LOW-severity
# entry in `deny` (advisory vs. blocking) so the rule's effect matches its name.
deny contains decision if {
	input.tool_name == "Bash"
	input.hook_event_name == "PreToolUse"

	# Match against the raw command text supplied by the tool call.
	regex.match(pattern, input.tool_input.command)

	decision := {
		"severity": "LOW",
		"rule_id": "TEST-QUALITY-003",
		"reason": "Warning: editing tests/quality/baselines.json should be avoided unless explicitly required."
	}
}