v0.32.0

This release adds 3 new linter rules to Regal, as well as many improvements and fixes.

New Rule: redundant-loop-count

A loop iterating over empty collections evaluates to nothing, and counting the collection before the loop to ensure it's not empty is therefore redundant. This rule catches cases where this check is not needed. (Read more)

package policy

allow if {
    # redundant count and > comparison
    count(input.user.roles) > 0

    some role in input.user.roles
    # .. do more with role ..
}

PR #1452.

New Rule: import-shadows-rule

This new rule catches cases where users have named rules the same as an import. Imported identifier have higher precedence than rules and this can lead to confusing behaviours. (Read more)

package policy

import data.resources

# 'resources' shadowed by import 
resources contains resource if {
    # ...
}

PR #1450.

Thanks @kroekle for suggesting this rule!

New Rule: time-now-ns-twice

This new rule will catch cases where time.now_ns() is called multiple times within a single rule. This does not work in Rego since both calls will return the same value. This rule catches this case early and directs users to read about more appropriate tools. (Read more)

package policy

timed if {
    now := time.now_ns()
    # do some work here
    # this doesn't work! result is always 0
    print("work done in:", time.now_ns() - now, "ns)
}

PR #1457.

Other Rule Updates

• >, >=, <, <= operators added to the style/yoda-condition rule (#1454).
• Fixed a false positive in the performance/non-loop-expression rule (#1438).
• Ignored tests in style/messy-rule (#1449).

OPA v1.2.0

While this may not seem too exciting, OPA v1.2.0 contains some performance improvements that has quite a substantial impact on Regal. We know, because we made those improvements in OPA largely to speed up Regal's linting! v0.32.0 should be considerably faster than previous versions, which should be noticeable in large policy projects in particular.

Language Server

In the language server, we addressed two bugs relating to the fixing of the idiomatic/directory-package-mismatch rule. See #1427 & #1432.

Dependencies

Go Mod:

• github.com/go-git/go-git/v5 v5.13.2 -> v5.14.0
• github.com/google/go-cmp v0.6.0 -> v0.7.0
• github.com/open-policy-agent/opa v1.1.0 -> v1.2.0
• github.com/spf13/cobra v1.8.1 -> v1.9.1

GitHub Actions:

• actions/cache v4.2.1 -> v4.2.3
• actions/setup-go v5.3.0 -> v5.4.0
• actions/upload-artifact v4.6.1 -> v4.6.2
• codecov/codecov-action v5.3.1 -> v5.4.0
• github/codeql-action/analyze v3.28.10 -> v3.28.12
• github/codeql-action/autobuild v3.28.10 -> v3.28.12
• github/codeql-action/init v3.28.10 -> v3.28.12
• github/codeql-action/upload-sarif v3.28.10 -> v3.28.12
• golangci/golangci-lint-action v6.5.0 -> v7.0.0
• peter-evans/create-pull-request v7.0.7 -> v7.0.8

See #1453, #1442, #1435, #1426, #1422 and #1423 for PRs making the above updates. golangci-lint v2 update in #1455. OPA 1.2 update in #1429.

New Users

• mise via its aqua backend and aqua's regal definition added in #1437.

Add yourself to docs/adopters.md to get here next time!

New Contributors

• @jalseth made their first contribution in #1430

Changelog

• 253207c: docs: Add debug code lens to LS docs (#1421) (@charlieegan3)
• 9981393: build(deps): bump the dependencies group with 4 updates (#1422) (@dependabot[bot])
• 5f1be97: build(deps): bump the dependencies group with 2 updates (#1423) (@dependabot[bot])
• 58f9c79: [create-pull-request] automated change (#1424) (@github-actions[bot])
• 26b9cb1: build(deps): bump the dependencies group with 2 updates (#1426) (@dependabot[bot])
• c1ac66c: lsp: Correct path when fixing dir package mismatch (#1427) (@charlieegan3)
• 62cba31: lsp: Ensure rename target is within workspace root (#1432) (@charlieegan3)
• bd21ef1: OPA v1.2.0 (#1429) (@anderseknert)
• 7bb7cb2: test: fix deadline exceeded test issue in GitHub runners (#1433) (@anderseknert)
• f01af9c: [create-pull-request] automated change (@charlieegan3)
• b5422fb: adopters: mention mise+aqua (#1437) (@srenatus)
• 9ccd217: build(deps): bump golang.org/x/net from 0.35.0 to 0.36.0 (#1435) (@dependabot[bot])
• be88d57: Fix non-loop-expression false positive (#1438) (@anderseknert)
• 52e1a39: build: Make novelty package opt-in (#1430) (@jalseth)
• 1bc309c: [create-pull-request] automated change (@charlieegan3)
• 644a554: [create-pull-request] automated change (@srenatus)
• 4e5bff7: docs: Update slack inviter link (#1441) (@charlieegan3)
• a00e950: build(deps): bump golangci/golangci-lint-action (#1442) (@dependabot[bot])
• 455e1bc: Ignore tests in messy-rule (#1449) (@anderseknert)
• d3e144d: Rule: import-shadows-rule (#1450) (@anderseknert)
• 74a9f3f: Rule: redundant-loop-count (#1452) (@anderseknert)
• a36f32b: Add >, >=, <, <= to yoda-condition rule (#1454) (@anderseknert)
• 5ea70b6: build(deps): bump the dependencies group with 5 updates (#1453) (@dependabot[bot])
• 6b54316: Rule: time-now-ns-twice (#1457) (@anderseknert)
• fe6de2e: golangci-lint v2 (#1455) (@anderseknert)

v0.31.1

This patch release fixes some issues reported by users, as well as some encountered while working on Regal. Most notably:

• Fix issue where an absolute path to the config file wouldn't work on Windows (thanks @geirs73 for reporting this!)
• Fix issue where configured ignore values had no effect if Regal ran from the root directory (thanks @nevumx for the issue!)
• Fix issue in language server when files with : in their name are present in the workspace
• Fix issue in language server where Code Lens annotations (like Evaluate and Debug) would appear and reappear quickly when parse errors where encountered and fixed, leading to a "flickering" editor window

Changelog

• dcecdab: docs: Use strings for non-loop expression role (#1409) (@charlieegan3)
• c09bc93: docs: Make editor support link clearer in README (#1411) (@charlieegan3)
• 3177417: build(deps): bump the dependencies group with 2 updates (#1413) (@dependabot[bot])
• f472f40: Bump Go to 1.23, and replace archived dependency (#1410) (@anderseknert)
• 772aeb0: cmd/lint: Fix windows Abs path handling (#1416) (@charlieegan3)
• 48e2ef9: build(deps): bump the dependencies group with 5 updates (#1417) (@dependabot[bot])
• eeec210: lint: Handle root filesystem root prefix (#1418) (@charlieegan3)
• 25bde5a: lsp: URI/Path handling fixes (#1419) (@charlieegan3)
• 4fd08cb: lsp: Fix Code Lenses jank (#1420) (@charlieegan3)

v0.31.0

This release of Regal updates to OPA v1.1.0, continuing to solidify support for v1 Rego with some nice new rules, performance improvements and bug fixes too.

New Rule: use-object-keys

There are some cases where using object.keys is preferred over using comprehensions. For example:

Avoid

package policy

keys := {k | some k, _ in input.object}

Prefer

package policy

keys := object.keys(input.object)

This is preferred as it more clearly communicates the intent of the code, that is, to get the keys of the object rather than loop over it and collect the keys as you go. More details can be found on the use-object-keys rule page.

New Rule: non-loop-expression

Expressions in loops are evaluated in each iteration of the loop and so it's advisable to avoid using expressions which do not depend on the loop variable within the looping part of a rule in order to improve performance.

Avoid

package policy
allow if {
    some email in input.emails
    admin in input.roles # <- this is not required in the loop
    endswith(email, "@example.com")
}

Prefer

package policy
allow if {
    admin in input.roles # <- moved out of the loop
    some email in input.emails
    endswith(email, "@example.com")
}

This rule can't catch all cases, so still be on the look out. More details can be found on the non-loop-expression rule page.

Fixing non-raw-regex-pattern

The non-raw-regex-pattern rule can now be automatically fixed with regal fix or with a CodeAction for language server clients. #1382

Configuration File Loading

Regal will now use a ~/.config/regal if no parent configuration is found. This is useful when working on Rego in temporary directories. #1378

Regal's language server will now use configuration files in the workspace tree if they exist rather than only looking at parent directories. This more closely matches the behavior of the lint command. #1372

Notable Improvements

• Avoid 'error' paths in our linting Rego to reduce allocations. #1351, #1360, #1374
• Implement the opa-fmt rule using in Rego, removing the need for a Go rule
  linting path entirely. #1393
• More consistently use shared functions and remove dead code to make Regal easier to maintain. #1349,
  #1392, #1383, #1379, #1358, #1356, #1355
• @anaypurohit0907 made their first PR in #1369 adding a new summary to the end of the compact report showing the number of files and violations. Also, #1387 adds a similar improvement to the end of the default 'Pretty' reporter output breaking down errors and warnings.
• Documentation for the deprecated-builtin rule now explains the upgrade process. #1366, thanks @tsandall for the suggestion!

Notable Fixes & Updates

• The use-if rule will now use only the rule name as the violation location, rather than the whole rule. #1362
• Parse errors are now shown in file diagnostics to language server clients
  after a regression. #1408
• @jglasovic made their first PR in #1345
  fixing a bug where the Debug CodeLens was left enabled.
• Better handling of .regal.yaml file use. #1357, thanks @grosser for the input here.
• Some great new open source adopters! #1384, thanks @chendrix for the Regal amigurumi!

Changelog

• 1eff70a: fix: lsp - filter out regal.debug codelens (#1345) (@jglasovic)
• 93faa40: [create-pull-request] automated change (@charlieegan3)
• 193224a: [create-pull-request] automated change (@charlieegan3)
• 434dabf: build(deps): bump golangci/golangci-lint-action (#1350) (@dependabot[bot])
• d7f522e: Add workspace folder type, and "support" that capability (#1347) (@anderseknert)
• a5d1742: Language server refactoring (#1349) (@anderseknert)
• 7b693ee: perf: move config check out of loop (#1351) (@anderseknert)
• d9749f4: lsp: Ensure parse errors are saved as diagnostics correctly (#1352) (@charlieegan3)
• bea7398: Fix missing annotations in LSP parsing (#1354) (@anderseknert)
• 0a17534: chore: Use regal's parse options following (#1355) (@charlieegan3)
• 760b484: fix: Remove mandatory fixes (#1356) (@charlieegan3)
• 2b25493: config: Search for .regal.yaml and use for roots (#1357) (@charlieegan3)
• 6880526: Remove custom Ref stringer (#1359) (@anderseknert)
• 0d506bb: refactor: better use of test helpers (#1358) (@anderseknert)
• b29ad44: perf: always include ignore_files in data (#1360) (@anderseknert)
• 856bf50: The compact output format should include a summary #1364 (#1369) (@anaypurohit0907)
• 9020000: Some style fixes (#1370) (@anderseknert)
• f78f94b: fix: better location reporting in use-if rule (#1362) (@anderseknert)
• 1175266: docs: deprecated built-in replacements (#1366) (@anderseknert)
• 33408e5: Add optional govet checks (#1368) (@anderseknert)
• 1db229a: Small fixes (#1367) (@anderseknert)
• 6430f86: build(deps): bump the dependencies group with 3 updates (#1371) (@dependabot[bot])
• 14cbc3b: Bump OPA to v1.1.0 (#1373) (@anderseknert)
• e1247ea: Don't return error from regal.last (#1374) (@anderseknert)
• 0e794a2: lsp: Use nested workspace configuration if found (#1372) (@charlieegan3)
• d41c3da: [create-pull-request] automated change (#1376) (@github-actions[bot])
• 1f9e2e4: Use .Keys() and .KeysSorted() from OPA (#1379) (@anderseknert)
• a295fef: config: Use global user config if required (#1378) (@charlieegan3)
• 1a3fcfb: linter: Show error if rule or category is invalid (#1381) (@charlieegan3)
• 0e38b37: Add a few more adopters (#1384) (@anderseknert)
• cb81676: build(deps): bump the dependencies group with 2 updates (#1385) (@dependabot[bot])
• 4777c2b: build(deps): bump github/codeql-action in the dependencies group (#1386) (@dependabot[bot])
• be9bc33: fix: non-raw regex pattern (#1382) (@charlieegan3)
• 13a4980: lsp: Add statsviz for profiling visuals (#1388) (@charlieegan3)
• ba53d75: Consistently use new Set type (#1383) (@anderseknert)
• 4347b8a: lsp/test: Error in test should be log instead (#1389) (@charlieegan3)
• 8c15f1c: [create-pull-request] automated change (@charlieegan3)
• a283bee: Remove unused fixer code (#1392) (@anderseknert)
• 194116f: Rego-based opa-fmt (#1393) (@anderseknert)
• 69e3756: Be specific about number of errors vs warnings in regal lint summary #821 (#1387) (@anaypurohit0907)
• 48c9e5e: Some minor cleanups in reporter code (#1397) (@anderseknert)
• a4e3592: Fix false positive in unused-output-variable (#1398) (@anderseknert)
• c75d66f: Rule: use-object-keys (#1399) (@anderseknert)
• 52c7c9b: refactor: simplify data bundle creation (#1400) (@anderseknert)
• 3e6ef5b: [create-pull-request] automated change (#1402) (@github-actions[bot])
• 674e441: lsp: update log messages for root dir note (#1395) (@charlieegan3)
• 76e0760: build(deps): bump the dependencies group with 2 updates (#1404) (@dependabot[bot])
• c6d1a9d: Roast v0.8.1 (#1406) (@anderseknert)
• 539ba39: bundle: Add non-loop-expression rule (#1401) (@charlieegan3)
• 06af4df: lsp: Correctly parse eval and debug params (#1407) (@charlieegan3)
• b29e759: lsp: show parse errors in diagnostics (#1408) (@charlieegan3)

v0.30.2

This release includes a fix for an issue where a missing Regal dir would cause a fatal error when running regal fix (#1341), thanks @grosser for the report again.

Also included is an a fix for an issue where Regal would template files without a Regal extension after renaming them from a Rego file.

Changelog

• df90dec: lsp: ignore after rename if not Rego (#1340) (@charlieegan3)
• 2c6ee8e: fix: add error based on expected regal dir (#1343) (@charlieegan3)

v0.30.1

Regal v0.30.1 is a patch release following the significant v0.30.0 release with first class OPA v1.0.0 support. This patch release addresses some issues discovered in the language server relating to the OPA update as well as a minor new feature.

New options for Regal config location

In addition to the .regal/config.yaml path we've used thus far, it's now possible to use a .regal.yaml instead. This is intended to be used by those preferring a single file rather than a dedicated directory. The config directory will still be required for users with custom rules. It is not possible to use $root/.regal/config.yaml and $root/.regal.yaml in the same directory at the same time. Regal will still use the config file nearest the root in the directory hierarchy, even if they are of different types. Thanks to @grosser for the suggestion!

Changelog

• lsp/completions: Reorder for cheap rego.v1 check by @charlieegan3 in #1335
• docs: opa-fmt v1/v0 notes by @charlieegan3 in #1336
• tidy: Use cmp.Or in a few places by @charlieegan3 in #1337
• Upgrade Roast to v0.6.0 by @anderseknert in #1338
• lsp: Rename correctly when conflicting by @charlieegan3 in #1334
• config: Allow loading of .regal.yaml file too by @charlieegan3 in #1339

Full Changelog: v0.30.0...v0.30.1

v0.30.0

Regal v0.30.0 is the first release to fully support OPA 1.0 while at the same time being fully compatible with older versions of OPA and Rego. This process helped improve both Regal and OPA, as a few things to fix in both projects got identified along the way!

Full support for OPA 1.0, while maintaining compatibility with earlier versions

Regal now seamlessly supports working with both pre-1.0 and 1.0+ policies, or even a mix of both! See Regal's new documentation on OPA 1.0 to learn more about how to get the most out of Regal when working with Rego of any version.

As part of this upgrade, all the Regal docs have now been updated to use OPA/Rego 1.0 syntax, in examples and anywhere else Rego is used.

Finally, and perhaps needless to say — Regal itself and all of its linter policies are now upgraded to OPA 1.0!

Much Faster Linting

A mission that started out with the goal of improving the performance of Regal's linter, ended up with multiple PR's
to improve evaluation performance in OPA. This of course benefits not just Regal, but all users of OPA! However, since
the regal lint command was used for benchmarking, most optimizations have been along the hot path of that command.

Linting with Regal is now almost 2x as fast as before, while consuming 2/3 of the memory previously needed. And we have
more improvements lined up in OPA for the next release, so stay tuned!

Notable Improvements

• The evaluation code lens now supports using an input.yaml file as input, in addition to input.json. Thanks @mrgadgil for suggesting this feature!
• The redundant-existence-check rule now also reports redudant checks of function arguments
• New InputFromTextWithOptions functions for users of the Go API
• Faster evaluation by avoiding custom function calls in hot path
• Reduced time to evaluation by performance improvements in Roast input conversion
• The language server now logs the version of Regal and the path to the binary at startup, helping users know which Regal binary is being used

Notable Fixes

• Fixed issue where --force wasn't honored by regal fix. Thanks @grosser for reporting that!
• Fixed false positive in pointless-reassignment rule
• Fixed false positive in top-level-iteration rule
• Fixed false positive in external-reference rule. Thanks @tsandall for reporting the issue!
• The evaluate code lens now works even when input.json/input.yaml isn't found
• Improved docs for directory-package-mismatch
• Fixed nil dereference in JUnit reporter. Thanks @OhMyGuus for reporting the issue!

Changelog

• 5b7d423: build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.0 (#1263) (@dependabot[bot])
• 99752a0: build(deps): bump github/codeql-action from 3.27.3 to 3.27.4 (#1264) (@dependabot[bot])
• f078127: build(deps): bump codecov/codecov-action from 5.0.0 to 5.0.2 (#1268) (@dependabot[bot])
• c8a0329: lsp: Use notify for sending messages (#1267) (@charlieegan3)
• abd9504: build(deps): bump cross-spawn from 7.0.3 to 7.0.5 in /build (#1266) (@dependabot[bot])
• acd22f7: Add support for using input.yaml in Evaluate code lens (#1269) (@anderseknert)
• 183584a: build(deps): bump codecov/codecov-action from 5.0.2 to 5.0.4 (#1270) (@dependabot[bot])
• 6716d37: Less frequent, and grouped dependabot updates (#1271) (@anderseknert)
• aa65332: build(deps): bump smol-toml from 1.3.0 to 1.3.1 in /build (#1272) (@dependabot[bot])
• 34ba147: build(deps): bump github/codeql-action from 3.27.4 to 3.27.5 (#1274) (@dependabot[bot])
• f61f52b: build(deps): bump codecov/codecov-action from 5.0.4 to 5.0.7 (#1273) (@dependabot[bot])
• 46d913b: rules: Add InputFromTextWithOptions for go users (#1278) (@charlieegan3)
• 2d6b61c: Fix issue where --force wasn't honored in git check (#1282) (@anderseknert)
• da251c9: Enable a few more golangci-lint rules (#1280) (@anderseknert)
• 87c2ff3: Have redundant-existence-check include function args (#1279) (@anderseknert)
• 0a88ab3: Fix false positive in top-level-assignment (#1287) (@anderseknert)
• c0ac18f: Fix false positive in pointless-reassignment (#1286) (@anderseknert)
• 8759f08: Fix false positive in external-reference and vars in composite values (#1284) (@anderseknert)
• 0db5b5f: Avoid allocations by not calling custom functions on hot path (#1289) (@anderseknert)
• 69b43a8: build(deps): bump github/codeql-action from 3.27.5 to 3.27.6 (#1292) (@dependabot[bot])
• 981ac1d: build(deps): bump actions/cache from 4.1.2 to 4.2.0 (#1291) (@dependabot[bot])
• bc46bd6: build(deps): bump codecov/codecov-action from 5.0.7 to 5.1.1 (#1290) (@dependabot[bot])
• 668950a: dev: Fix golangci-lint reporting issues in ignored files in VS Code (#1296) (@anderseknert)
• 36a72d4: Roast v0.5.0, faster input conversion (#1293) (@anderseknert)
• 8a096a1: build(deps): bump golang.org/x/crypto from 0.28.0 to 0.31.0 (#1297) (@dependabot[bot])
• 9102b94: Evaluate should work even when input missing (#1295) (@anderseknert)
• 00e5341: dev: Fix integration test that used old URL for capabilities (#1304) (@anderseknert)
• 8d0d888: docs: add note about roots in directory-package-mismatch rule (#1303) (@charlieegan3)
• 44182c7: build(deps): bump github/codeql-action from 3.27.6 to 3.27.9 (#1301) (@dependabot[bot])
• d3d096d: build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 (#1302) (@dependabot[bot])
• 7f8e54d: [create-pull-request] automated change (@charlieegan3)
• 748c2e8: Fix nil pointer dereference in JUnit reporter (#1307) (@anderseknert)
• 0673c09: hints: remove tail anchor for multiple-default-rules hint (#1314) (@srenatus)
• bac6333: build(deps): bump github/codeql-action from 3.27.9 to 3.28.0 (#1311) (@dependabot[bot])
• cc08ab1: build(deps): bump actions/upload-artifact from 4.4.3 to 4.5.0 (#1309) (@dependabot[bot])
• 46c5205: build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2 (#1310) (@dependabot[bot])
• fb3ac2e: build(deps): bump peter-evans/create-pull-request from 7.0.5 to 7.0.6 (#1312) (@dependabot[bot])
• 550d05c: build(deps): bump github.com/go-git/go-git/v5 in the dependencies group (#1313) (@dependabot[bot])
• e31c132: dependabot: Update GHA dependencies in groups (#1315) (@charlieegan3)
• 4459436: build(deps): bump github.com/go-git/go-git/v5 in the dependencies group (#1316) (@dependabot[bot])
• 34f9827: Use concurrent map implementation (#1318) (@anderseknert)
• 2d7753f: tests: Skip server multi file test (#1320) (@charlieegan3)
• 6fecf4c: Add new blog! (#1308) (@anderseknert)
• b909a5c: [create-pull-request] automated change (@charlieegan3)
• d445931: cmd/languageserver: Log path & version at startup (#1326) (@charlieegan3)
• 4434de2: [create-pull-request] automated change (#1330) (@github-actions[bot])
• cf1632a: build(deps): bump the dependencies group with 2 updates (#1331) (@dependabot[bot])
• d569e50: Prepare for OPA 1.0 (#1317) (@anderseknert)
• 75b57bb: build(deps): bump actions/upload-artifact in the dependencies group (#1332) (@dependabot[bot])
• 351b5bb: Update badge to 1.0.0 (#1333) (@anderseknert)

v0.29.2

This patch release fixes an issue where the new defer-assignment rule would sometimes report a false positive when the variable was used inside of a with clause on the next line.

Thanks @nevumx for reporting the issue!

Changelog

• 7e74d12: [create-pull-request] automated change (#1261) (@github-actions[bot])
• 20a5cfa: Fix false positive in defer-assignment and with (#1262) (@anderseknert)

v0.29.1

This patch release fixes an issue where custom (i.e. user-created) aggregate rules¹. wouldn't work as expected when the condition for a violation was the absence of aggregated data. This could for example be a rule that says "at least one rule must be named allow, and it must have a default assignment to false".

Upgrading from v0.29.0 is not required unless you're writing custom Regal rules.

Many thanks to @shibataka000 for reporting the issue, and in such an exemplary way ⭐

Changelog

• 0c6e8ed: build(deps): bump github/codeql-action from 3.27.2 to 3.27.3 (#1258) (@dependabot[bot])
• 743a65b: Fix custom rules that report on the absence of aggregates (#1260) (@anderseknert)

1. scroll below the table of rules for an explanation of what aggregate rules are ↩

v0.29.0

This is a big release, spanning more than a month of development! Regal v0.29.0 brings new linter rules, performance improvements and new features to both the linter and the language server.

New rules

defer-assignment

Category: performance

The new defer-assignment rule helps detect when assignment can be moved to later in the rule body, possibly avoiding it at all if the conditions below don’t evaluate.

allow if {
    # this assignment can be deferred to after the roles check
    resp := http.send({"method": "get", "url": "http:localhost"})
    
    "rego hacker" in input.user.roles
    
    resp.status_code == 200
}

This can improve performance by having less to evaluate, and it makes policies easier to read. Double win!

For more information, see the docs on defer-assignment.

walk-no-path

Category: performance

When using the walk built-in function on large data structures, traversing only the values without building a path to each node can save a considerable amout of time. The new walk-no-path rule will detect when the assigned path is unused and can be replaced by a wildcard variable, which tells OPA to skip the construction of the path. This dramatically improves the performance of the function.

found if {
    # path assigned but never referenced in the rule
    walk(haystack, [path, value])

    value == "needle"
}

# should be replaced by

found if {
    walk(haystack, [_, value])

    value == "needle"
}

For more information, see the docs on walk-no-path.

rule-assigns-default

Category: bugs

Assigning a rule the same value as the default value set for the rule is always a bug, and while hopefully not too common, now reported by Regal.

default threshold := 1

threshold := 0 if {
    # some conditions
}

# this is already the default condition!
# and having this removed will have no impact on how
# the rule evaluates.. don't do this!
threshold := 1 if {
    # some conditions
}

For more information, see the docs on rule-assigns-default.

Language Server

Evaluation Code Lens for Neovim

We were exicted to learn the Code Lens for Evaluation (“click to evaluate”) feature we built now works not only in VS Code but also in Neovim. This thanks to work by regular contributor @rinx. Thank you! The language server docs have now been updated to reflect this.

Improved Enterprise OPA integration

Setting the capabilities engine to eopa will now have the language sever recognize Enterprise OPA-specific built-in functions, and provide both auto-completions for those as well as informative tooltips on hover. Clicking links in the tooltip now correctly brings you to the Styra docs for the Enterprise OPA built-in functions.

Notable Improvements

• The leaked-internal-reference rule is now ignored in tests by default. See the docs for this rule if you wish to enable this.
• The prefer-snake-case rule now also reports violations in package names.
• The same prepared query is now used both for linting and to collect data for aggregate rules, saving about 150 milliseconds for any given regal lint run.
• Regal’s own capabilities and provided configuration is now available when running the evaluation code lens, simplifying development of custom rules.
• The pretty reporting format will now print the severity level of a violation when no color support is detected in the terminal (reported by @geirs73)
• The --instrument flag from opa eval is now supported also by regal lint, providing detailed information about where most time is spent while linting.

Notable Fixes

• Using input.json for the evaluation code lens now works reliably on Windows. As does ourcing a capabilities.json file from the filesystem. Thanks to @geirs73 for reporting these issues!
• Global ignore directives from .regal/config.yaml would sometimes be parsed differently depending on read by regal lint or the language server. This has now been fixed.
• Fix false positive in inconsistent-args rule when an arity mismatch should rather be handled by the compiler. Thanks @tsandall for reporting that!
• Fix a false positive in use-contains rule when not importing rego.v1. This turned out to be an issue originating in OPA, so we fixed it there, and later included in Regal by upgrading the dependency to the latest OPA version v0.70.0. Thanks @drewcorlin1 for reporting the issue!

Changelog

• 0af7c91: Scorecard updates (#1182) (@charlieegan3)
• 24f0fd7: Use defer to unlock mutex (#1186) (@anderseknert)
• da12bd0: build(deps): bump actions/upload-artifact from 4.4.0 to 4.4.1 (#1185) (@dependabot[bot])
• a238a85: build(deps): bump github/codeql-action from 3.26.11 to 3.26.12 (#1184) (@dependabot[bot])
• 03564f8: build(deps): bump actions/checkout from 4.2.0 to 4.2.1 (#1183) (@dependabot[bot])
• afce347: lsp: Update rego-by-examples index (#1181) (@github-actions[bot])
• e3fa956: linter: use a buffered error channel (#1187) (@charlieegan3)
• 1dbfc7e: lsp: enable levelled logging (#1188) (@charlieegan3)
• c5cee41: build(deps): bump actions/upload-artifact from 4.4.1 to 4.4.2 (#1190) (@dependabot[bot])
• 6663839: build(deps): bump actions/cache from 4.1.0 to 4.1.1 (#1189) (@dependabot[bot])
• 3b7530a: Add UNIwise company to adopters.md (#1191) (@Graloth)
• 95f4abf: lsp: Update rego-by-examples index (#1193) (@github-actions[bot])
• 0cf7506: build(deps): bump actions/upload-artifact from 4.4.2 to 4.4.3 (#1194) (@dependabot[bot])
• 78e2bba: workflow: use different branch (and also PR) for caps updates (@srenatus)
• 649d5b9: [create-pull-request] automated change (@srenatus)
• b58f999: lsp: Update rego-by-examples index (@charlieegan3)
• 672bb15: docs: write about evaluation code lens support in neovim (#1198) (@rinx)
• e46ef92: build(deps): bump github/codeql-action from 3.26.12 to 3.26.13 (#1199) (@dependabot[bot])
• df4d44e: docs: Fix typos in config examples (#1201) (@anderseknert)
• 8504347: io: Address path input.json separator issue (#1203) (@charlieegan3)
• d04be3d: Make prefer-snake-case check package name (#1206) (@anderseknert)
• 5bc9d1d: Handle file:// URLs in exclusion policy (#1207) (@anderseknert)
• d39da24: Improve error messages for incorrect capabilities version (#1208) (@anderseknert)
• 173a992: config: Generate C:-style capabilities paths (#1209) (@charlieegan3)
• 63b90e1: Use filepath.WalkDir instead of filepath.Walk (#1210) (@anderseknert)
• 234e36b: lint/rpt: Handle no-color ttys (#1213) (@charlieegan3)
• 877372b: Rule: defer-assignment (#1215) (@anderseknert)
• 0355ad7: build(deps): bump github.com/fatih/color from 1.17.0 to 1.18.0 (#1216) (@dependabot[bot])
• 6b7e00b: lsp/eval: Load capabilities and config into eval (#1217) (@charlieegan3)
• 0ce82ae: Rule: walk-no-path (#1219) (@anderseknert)
• b45c14b: lsp/eval: Remove missed print statement (#1220) (@charlieegan3)
• b9a2531: build(deps): bump actions/cache from 4.1.1 to 4.1.2 (#1222) (@dependabot[bot])
• 7ff216b: build(deps): bump github/codeql-action from 3.26.13 to 3.27.0 (#1221) (@dependabot[bot])
• 9fcc5ee: build(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#1223) (@dependabot[bot])
• 2337dc8: build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 (#1224) (@dependabot[bot])
• 6e9264d: [create-pull-request] automated change (#1225) (@github-actions[bot])
• 96e4804: rule: Disable leaked_internal_reference for test files (#1228) (@charlieegan3)
• 3c48af2: build(deps): bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#1229) (@dependabot[bot])
• aeec96b: lsp: Fix inconsistent processing of ignores (#1227) (@charlieegan3)
• e07a5d7: lsp: format root directory files (#1232) (@charlieegan3)
• 3b9d897: Remove leaked-internal-reference comments (#1231) (@charlieegan3)
• b13c9c5: [create-pull-request] automated change (@srenatus)
• 1499393...

v0.28.0

New Rule: missing-metadata #1131

The new missing-metadata rule helps ensure policies are documented by requiring METADATA comments on public packages and rules. Metadata comments are used to explain functionality and annotate Rego constructs with other data.

Note: missing-metadata is a custom rule and so is not enabled by default for all users.

fixer: Automated fixing of directory-package-mismatch

This release brings improvements to regal fix, the command to automatically fix supported violations (#1120, #1127).

Fixes for the directory-package-mismatch violations involve moving files based on their packages. For example a file with package foo.bar in policies/policy.rego would need to be moved to foo/policy.rego. In previous versions of Regal, when multiple files in a large code base with the same filename needed to be moved to the same package directory, Regal would output a confusing error message.

Regal v0.28.0 outputs a clear error message by default and adds a new --on-conflict=rename modifying flag to allow conflicting files to automatically be renamed when this scenario is encountered.

Linter Improvements

• Support for linting Rego syntax passed to Regal via Standard Input (stdin).
• An important yet under-the-hood improvement to use a new data format for AST node locations. This makes violation locations more specific and brings a 5% linting speed improvement too.

Language Server Performance Improvements

• An update to the implementation of the server to reduce the number of expensive ‘full workspace’ linting jobs. By caching the aggregate rule data and updating it incrementally, full workspace jobs can now be completed in less than a third of the time previously taken.
• Making CodeLenses configurable makes supporting other clients easier. Thanks @rinx for the work in #1176 and for all the work you do to make Regal and Neovim play nice.
• Update to the server templating to better handle projects without a Regal config file. Files in the workspace root will no longer be templated either, but will still violate directory-package-mismatch.
• Makes an improvement to ensure the loading of the Regal rules happens once, saving around 30ms on every keypress-trigger, file diagnostic update event.

Dependency Updates

• anderseknert/roast v0.2.0 -> v0.4.2 #1140, #1170
• open-policy-agent/opa v0.68.0 -> v0.69.0 #1152

Github Actions Updates

• golangci/golangci-lint-action 6.1.0 -> 6.1.1 #1163
• peter-evans/create-pull-request 7.0.3 -> 7.0.5 #1114
• github/codeql-action 3.26.7 -> 3.26.11 #1117, #1137, #1157, #1174
• actions/checkout 4.1.7 -> 4.2.0 #1142
• codecov/codecov-action 4.5.0 -> 4.6.0 #1162, #1164
• actions/cache 4.0.2 -> 4.1.0 #1179

Changelog

• 63ec93d: docs: correct line endings for GIF files (#1114) (@charlieegan3)
• 980f726: build(deps): bump peter-evans/create-pull-request from 7.0.3 to 7.0.5 (#1116) (@dependabot[bot])
• 54c8c9d: build(deps): bump github/codeql-action from 3.26.7 to 3.26.8 (#1117) (@dependabot[bot])
• 95a1bf3: tests: Minor test wait improvement (#1121) (@charlieegan3)
• 838c6fa: Allow regal lint - to lint from stdin (#1122) (@anderseknert)
• a23bb63: fixer: Address rename conflicts with explanation (#1120) (@charlieegan3)
• 23cb827: fixer: add --on-conflict flag to support renaming (#1127) (@charlieegan3)
• d41bea9: debug: registering custom built-ins (#1128) (@johanfylling)
• 4aa2fef: tests: Address incorrect built-in function check (#1129) (@charlieegan3)
• f6f2f6d: Rule: missing-metadata (#1131) (@anderseknert)
• ab3b3b8: tests: Remove global builtins state (#1134) (@charlieegan3)
• b424eb6: Use betteralign for struct alignment (#1132) (@anderseknert)
• 464a7bc: Completions: don't suggest loop vars as locals on same line (#1135) (@anderseknert)
• 6ecb36c: bundle: Load bundle once (#1136) (@charlieegan3)
• 7cd8744: build(deps): bump github/codeql-action from 3.26.8 to 3.26.9 (#1137) (@dependabot[bot])
• a201715: linter: support single file aggregate data collection and parameterised aggregate data in Lint() (#1139) (@charlieegan3)
• 2730887: Bump roast to v0.3.0 and live free from annotations on module (#1140) (@anderseknert)
• 64cba9e: build(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#1142) (@dependabot[bot])
• efd4420: Fix detached-metadata issues (#1143) (@anderseknert)
• 75db465: Link to source code in rule docs (#1144) (@anderseknert)
• e205cd9: Go code cleanup (#1148) (@anderseknert)
• 3cba1c6: fix: fix var name for commit hash (#1150) (@rinx)
• 4a97b56: Adapt to new location format (#1153) (@anderseknert)
• 036a6b6: Bump OPA to v0.69.0 (#1152) (@anderseknert)
• 06db4bb: internal/lsp/hover: "fix" codeql finding (#1156) (@srenatus)
• bfc0f9e: internal/capabilities: update eopa caps (@srenatus)
• 1161ede: CONTRIBUTING: update script name (@srenatus)
• 81edb95: workflow: add update-caps (#1158) (@srenatus)
• f7acfda: build(deps): bump github/codeql-action from 3.26.9 to 3.26.10 (#1157) (@dependabot[bot])
• a55d2f4: Fix some minor issues reported by IntelliJ (#1159) (@anderseknert)
• 2f94fc7: Fix nits (#1161) (@srenatus)
• f208f46: build(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 (#1166) (@dependabot[bot])
• 94fea76: build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0 (#1162) (@dependabot[bot])
• 7b5cd08: Exclude print from "function return value in args" check (#1165) (@anderseknert)
• 8ca0197: Custom rule authoring improvements (#1168) (@anderseknert)
• 85b7be7: Bump roast to v0.4.2 to solve data race (#1170) (@anderseknert)
• 67162e6: lsp: Update LSP linting to run incrementally after file change (#1146) (@charlieegan3)
• f70b892: build(deps): bump github/codeql-action from 3.26.10 to 3.26.11 (#1174) (@dependabot[bot])
• fc88817: Correct example index rego path (#1177) (@charlieegan3)
• b751858: lsp/templating: gracefully handle unknown root (#1171) (@charlieegan3)
• 69fb6ca: Use test logger for client handler (#1178) (@charlieegan3)
• ed287dc: build(deps): bump actions/cache from 4.0.2 to 4.1.0 (#1179) (@dependabot[bot])
• 9503967: feat(lsp): add initialization options about codelenses (#1176) (@rinx)