add rule to require pre-commit to be added to github actions

Co-authored-by: Giuseppe Scuglia <peppescg@gmail.com>

Author: kantord

profiles/github/dependabot_ghactions.yaml

@@ -9,7 +9,7 @@ context:
 alert: "off"
 remediate: "off"
 repository:
-  - type: dependabot_configured
+  - type: pre_commit_github_action
     def:
       package_ecosystem: github-actions
       schedule_interval: daily

rule-types/github/pre_commit_github_action.test.yaml

@@ -0,0 +1,13 @@
+tests:
+  - name: "Should have pre-commit enabled"
+    def: {}
+    params: {}
+    expect: "pass"
+    git:
+      repo_base: good
+  - name: "Should not have pre-commit enabled"
+    def: {}
+    params: {}
+    expect: "fail"
+    git:
+      repo_base: bad

rule-types/github/pre_commit_github_action.testdata/bad/.github/workflows/checks.yaml

@@ -0,0 +1,21 @@
+name: NodeJS with Gulp
+'on':
+  push:
+    branches:
+    - master
+  pull_request:
+    branches:
+    - master
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Use Node.js
+      uses: actions/setup-node@v3
+      with:
+        node-version-file: package.json
+    - name: Build
+      run: |
+        npm install
+        gulp

rule-types/github/pre_commit_github_action.testdata/bad/.workflows/checks.yaml

@@ -0,0 +1,21 @@
+name: NodeJS with Gulp
+'on':
+  push:
+    branches:
+    - master
+  pull_request:
+    branches:
+    - master
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Use Node.js
+      uses: actions/setup-node@v3
+      with:
+        node-version-file: package.json
+    - name: Build
+      run: |
+        npm install
+        gulp

rule-types/github/pre_commit_github_action.testdata/good/.github/workflows/checks.yaml

@@ -0,0 +1,30 @@
+name: NodeJS with Gulp
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-versiodn: [18.x, 20.x, 22.x]
+
+    steps:
+    - uses: actions/checkout@v4
+    - uses: pre-commit/action@v3.0.1
+
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v3
+      with:
+        node-version-file: "package.json"
+        node-versiosdn: ${{ matrix.node-version }}
+
+    - name: Build
+      run: |
+        npm install
+        gulp

rule-types/github/pre_commit_github_action.yaml

@@ -0,0 +1,41 @@
+---
+version: v1
+release_phase: alpha
+type: rule-type
+name: pre_commit_github_action
+display_name: Require running `pre-commit` using GitHub Actions
+short_failure_message: "`https://github.com/pre-commit/action` action is not configured"
+severity:
+  value: medium
+context: {}
+description: |
+  Verifies that `pre-commit` is configured via a GitHub action for the repository.
+guidance: |
+  Run your `pre-commit` checks in GitHub Actions as well.
+def:
+  in_entity: repository
+  rule_schema:
+    type: object
+    properties: {}
+  ingest:
+    type: git
+    git: {}
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+        
+        import rego.v1
+        actions := github_workflow.ls_actions("./.github/workflows")
+        default message := "pre-commit GitHub action is not configured"
+        default allow := false
+        allow if {
+          print(actions)
+          "pre-commit/action" in actions
+        }
+  # Defines the configuration for alerting on the rule
+  alert:
+    type: security_advisory
+    security_advisory: {}