chore(conftest): merge upstream v0.60.0

.github/dependabot.yml

@@ -30,3 +30,8 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/release.yaml

@@ -4,6 +4,9 @@ on:
   push:
     tags:
       - 'v*'
+env:
+  IMAGE: openpolicyagent/conftest
+  PLATFORMS: linux/amd64,linux/arm64
 
 jobs:
   release:
@@ -42,14 +45,14 @@ jobs:
       #   run: make push TAG=$VERSION
 
       - name: setup go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version: "1.23.x"
+          go-version: "1.24.x"
 
       - name: release
         uses: goreleaser/goreleaser-action@v6
         with:
           args: release --clean
           version: "~> v1"
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows_bak/pr.yaml

@@ -2,17 +2,12 @@ name: pr
 
 on: [pull_request]
 
-permissions:
-  actions: read
-  checks: none
-  contents: none
-  deployments: none
-  issues: none
-  packages: none
-  pull-requests: none
-  repository-projects: none
-  security-events: none
-  statuses: none
+
+permissions: {}
+
+env:
+  IMAGE: openpolicyagent/conftest
+  PLATFORMS: linux/amd64,linux/arm64
 
 jobs:
   style:
@@ -59,11 +54,11 @@ jobs:
       - name: setup go
         uses: actions/setup-go@v5
         with:
-          go-version: "1.23.x"
+          go-version: "1.24.x"
           cache: false
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v8
         with:
           args: --timeout=5m --color=always --max-same-issues=0 --max-issues-per-linter=0
 
@@ -73,8 +68,16 @@ jobs:
       - name: unit test
         run: make test
 
+      # Ensure Actions runner has Python installed
+      # This is required for pre-commit tests to work
+      - name: setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+          cache: 'pip'
+
       - name: setup bats
-        uses: bats-core/bats-action@1.5.4
+        uses: bats-core/bats-action@3.0.1
         with:
           # Pin bats version to fix CI issue: https://github.com/bats-core/bats-action/pull/4
           bats-version: "1.10.0"
@@ -91,3 +94,23 @@ jobs:
 
       - name: test oci push/pull
         run: ./scripts/push-pull-e2e.sh
+
+  docker:
+    runs-on: ubuntu-latest
+    needs:
+      - validate
+    steps:
+      - name: checkout source
+        uses: actions/checkout@v4
+
+      - name: setup docker buildx
+        run: docker buildx create --name conftestbuild --use
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6 
+        with:
+          context: .
+          push: false
+          tags: |
+            ${{ env.IMAGE }}:latest
+          platforms: ${{ env.PLATFORMS }}

.golangci.yaml

@@ -1,23 +1,10 @@
-linters-settings:
-  misspell:
-    locale: US
-  govet:
-    enable:
-      - nilness
-  staticcheck:
-    checks:
-      - "all" # Include all checks except the ones below.
-      - "-SA1019" # Do not block the build if deprecated functions or packages are used.
-
+version: "2"
 linters:
-  disable-all: true
+  default: none
   enable:
     - errcheck
     - goconst
-    - gofmt
-    - goimports
     - gosec
-    - gosimple
     - govet
     - ineffassign
     - makezero
@@ -26,8 +13,40 @@ linters:
     - predeclared
     - revive
     - staticcheck
-    - typecheck
     - unconvert
     - unparam
     - unused
     - wastedassign
+  settings:
+    govet:
+      enable:
+        - nilness
+    misspell:
+      locale: US
+    staticcheck:
+      checks:
+        # These are processed in order. It is important that the inclusion
+        # comes before the exclusion.
+        - all
+        - -SA1019
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

.pre-commit-hooks.yaml

@@ -0,0 +1,19 @@
+- id: conftest-test
+  name: Conftest Test Policy Check
+  description: Validate configuration files against Open Policy Agent policies using Conftest
+  entry: conftest test
+  language: golang
+  pass_filenames: true
+  require_serial: true
+  minimum_pre_commit_version: "2.9.0"
+  stages: [pre-commit, pre-merge-commit, pre-push, manual]
+
+- id: conftest-verify
+  name: Conftest Verify Policy Tests
+  description: Run Rego unit tests for Conftest policies
+  entry: conftest verify
+  language: golang
+  pass_filenames: false
+  require_serial: true
+  minimum_pre_commit_version: "2.9.0"
+  stages: [pre-commit, pre-merge-commit, pre-push, manual]

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23.6-alpine as base
+FROM golang:1.24.2-alpine as base
 ARG TARGETARCH
 ARG VERSION
 ARG COMMIT
@@ -52,7 +52,7 @@ RUN go install cuelang.org/go/cmd/cue@latest
 WORKDIR /examples
 
 ## RELEASE ##
-FROM alpine:3.21.2
+FROM alpine:3.21.3
 
 # Install git for protocols that depend on it when using conftest pull
 RUN apk add --no-cache git

Makefile

@@ -39,11 +39,15 @@ test-examples: build ## Runs the tests for the examples.
 	@bats acceptance.bats
 
 .PHONY: test-acceptance
-test-acceptance: build ## Runs the tests in the test folder.
+test-acceptance: build install-test-deps ## Runs the tests in the test folder.
 	@for testdir in $(TEST_DIRS) ; do \
 		cd $(CURDIR)/$$testdir && CONFTEST=$(ROOT_DIR)/$(BIN) bats test.bats || exit 1; \
 	done
 
+.PHONY: install-test-deps
+install-test-deps: ## Installs dependencies required for testing.
+	@command -v pre-commit >/dev/null 2>&1 || python -m pip install -r requirements-dev.txt
+
 .PHONY: test-oci
 test-oci: ## Runs the OCI integration test for push and pull.
 	@./scripts/push-pull-e2e.sh
@@ -75,4 +79,4 @@ help:
 # 	@test -n "$(TAG)" || (echo "TAG parameter not set." && exit 1)
 # 	@$(DOCKER) buildx build . --push --build-arg VERSION="$(TAG)" -t $(IMAGE):$(TAG) --platform $(DOCKER_PLATFORMS)
 # 	@$(DOCKER) buildx build . --push --build-arg VERSION="$(TAG)" -t $(IMAGE):latest --platform $(DOCKER_PLATFORMS)
-# 	@$(DOCKER) buildx build . --push --target examples -t $(IMAGE):examples --platform $(DOCKER_PLATFORMS)
+# 	@$(DOCKER) buildx build . --push --target examples -t $(IMAGE):examples --platform $(DOCKER_PLATFORMS)

README.md

@@ -15,14 +15,14 @@ Here's a quick example. Save the following as `policy/deployment.rego`:
 ```rego
 package main
 
-deny[msg] {
+deny contains msg if {
   input.kind == "Deployment"
   not input.spec.template.spec.securityContext.runAsNonRoot
 
   msg := "Containers must not run as root"
 }
 
-deny[msg] {
+deny contains msg if {
   input.kind == "Deployment"
   not input.spec.selector.matchLabels.app
 

acceptance.bats

@@ -521,3 +521,12 @@ EOF"
   [ "$status" -eq 1 ]
   [[ "$output" =~ "look up message type" ]]
 }
+
+@test "Can parse files from a symlinked directory" {
+  TMPDIR="$(mktemp -d -u)"
+  ln -s $(pwd)/examples/hcl2 ${TMPDIR}
+  run ./conftest test -p examples/hcl2/policy ${TMPDIR}
+  rm -rf ${TMPDIR}
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "10 tests, 3 passed, 0 warnings, 7 failures, 0 exceptions" ]]
+}

docs/debug.md

@@ -108,3 +108,17 @@ TRAC | Exit data.main.deny = _
 TRAC Redo data.main.deny = _
 TRAC | Redo data.main.deny = _
 ```
+
+## Using trace with other output formats
+
+You can use the `--trace` flag together with any output format. When using `--trace` with formats like `--output=table` or `--output=json`, the trace information will be written to stderr while the formatted output will be written to stdout. This allows you to capture trace information for debugging while still using your preferred output format.
+
+For example:
+
+```console
+# Output trace to stderr and table format to stdout
+$ conftest test --trace --output=table deployment.yaml
+
+# Capture trace output to a file while viewing table output
+$ conftest test --trace --output=table deployment.yaml 2>trace.log
+```

docs/documentation.md

@@ -32,7 +32,7 @@ conftest doc path/to/policy
 
 ## Use your own template
 
-You can override the [default template](../document/resources/document.md) with your own template
+You can override the [default template](https://raw.githubusercontent.com/open-policy-agent/conftest/refs/heads/master/document/resources/document.md) with your own template
 
 ```aiignore
 conftest -t template.md path/tp/policies

docs/exceptions.md

@@ -5,10 +5,10 @@ There might be cases where rules might not apply under certain circumstances. Fo
 Inputs matched by the `exception` will be exempted from the rules specified in `rules`, prefixed by `deny_` or `violation_`:
 
 ```rego
-exception[rules] {
+exception contains rules if {
   # Logic
 
-  rules = ["foo","bar"]
+  rules := ["foo","bar"]
 }
 ```
 
@@ -29,14 +29,14 @@ In the below example, a Kubernetes deployment named `can-run-as-root` will be al
 ```rego
 package main
 
-deny_run_as_root[msg] {
+deny_run_as_root contains msg if {
   input.kind == "Deployment"
   not input.spec.template.spec.securityContext.runAsNonRoot
 
   msg := "Containers must not run as root"
 }
 
-exception[rules] {
+exception contains rules if {
   input.kind == "Deployment"
   input.metadata.name == "can-run-as-root"
 

docs/index.md

@@ -15,14 +15,14 @@ For instance, save the following as `policy/deployment.rego`:
 ```rego
 package main
 
-deny[msg] {
+deny contains msg if {
   input.kind == "Deployment"
   not input.spec.template.spec.securityContext.runAsNonRoot
 
   msg := "Containers must not run as root"
 }
 
-deny[msg] {
+deny contains msg if {
   input.kind == "Deployment"
   not input.spec.selector.matchLabels.app
 
@@ -84,6 +84,28 @@ As of today Conftest supports:
 * XML
 * YAML
 
+### Pre-commit Integration
+
+Conftest can be used as a [pre-commit](https://pre-commit.com/) hook to validate your configuration files before committing them.
+
+To use Conftest with pre-commit, add the following to your `.pre-commit-config.yaml`:
+
+```yaml
+repos:
+  - repo: https://github.com/open-policy-agent/conftest
+    rev: v0.59.0  # Use a specific tag or 'HEAD' for the latest commit
+    hooks:
+      - id: conftest-test
+        args: [--policy, path/to/your/policies]  # Specify your policy directory
+      # Optional: Add the verify hook to run policy unit tests
+      - id: conftest-verify
+        args: [--policy, path/to/your/policies]
+```
+
+The `conftest-test` hook validates your configuration files against policies, while the `conftest-verify` hook runs unit tests for your policies.
+
+For more information on pre-commit hooks, refer to the [pre-commit documentation](https://pre-commit.com/).
+
 ### Testing/Verifying Policies
 
 When authoring policies, it is helpful to test them. Consult the Rego [testing documentation](https://www.openpolicyagent.org/docs/latest/policy-testing)
@@ -105,7 +127,7 @@ When writing unit tests, it is common to use the `with` keyword to override the
 `input` and `data` documents. For example:
 
 ```rego
-test_foo {
+test_foo if {
   input := {
     "abc": 123,
     "foo": ["bar", "baz"],
@@ -135,7 +157,7 @@ in a unit test.
 **deny.rego**
 
 ```rego
-deny[msg] {
+deny contains msg if {
   proto := input.resource.aws_alb_listener[lb].protocol
   proto == "HTTP"
   msg = sprintf("ALB `%v` is using HTTP rather than HTTPS", [lb])