From 64906e697370a5ba6acb1edcb7dc40bf633ca11a Mon Sep 17 00:00:00 2001
From: Paul Meyer
Date: Fri, 6 Jun 2025 15:43:10 +0200
Subject: [PATCH] tests/static-checks: parse rego with opa and regorus

Ensure rego policies in tree can be parsed using opa and regorus.

Signed-off-by: Paul Meyer
---
 tests/static-checks.sh | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/tests/static-checks.sh b/tests/static-checks.sh
index 48cfa69ff9..88e1d61e95 100755
--- a/tests/static-checks.sh
+++ b/tests/static-checks.sh
@@ -1362,6 +1362,38 @@ static_check_dockerfiles()
 popd
 }
 
+static_check_rego()
+{
+ local rego_files
+ rego_files=$(git ls-files | grep -E '.*\.rego$')
+
+ interpreters=("opa" "regorus")
+ for interpreter in "${interpreters[@]}"
+ do
+ if ! command -v "${interpreter}" &>/dev/null; then
+ die "Required rego interpreter '${interpreter}' not found in PATH"
+ fi
+ done
+
+ found_unparsable=0
+ for file in ${rego_files}
+ do
+ for interpreter in "${interpreters[@]}"
+ do
+ if ! ${interpreter} parse "${file}" > /dev/null; then
+ info "Failed to parse Rego file '${file}' with ${interpreter}"
+ found_unparsable=1
+ else
+ info "Successfully parsed Rego file '${file}' with ${interpreter}"
+ fi
+ done
+ done
+
+ if [[ ${found_unparsable} -ne 0 ]]; then
+ die "Unparsable rego files found"
+ fi
+}
+
 # Run the specified function (after first checking it is compatible with the
 # users architectural preferences), or simply list the function name if list
 # mode is active.
@@ -1505,6 +1537,7 @@ main()
 --list) list_only="true" ;;
 --no-arch) handle_funcs="arch-agnostic" ;;
 --only-arch) handle_funcs="arch-specific" ;;
+ --rego) func=static_check_rego ;;
 --repo) repo="$2"; shift ;;
 --scripts) func=static_check_shell ;;
 --vendor) func=static_check_vendor;;
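Review bot: `for file in ${rego_files}` in static_check_rego relies on unquoted word splitting, so a tracked policy path containing whitespace or glob characters would be split or expanded and the parse check would run against the wrong names. Reading the list into an array avoids that and also removes the `grep`, whose non-zero exit on zero matches could abort the script if it runs under `set -e` (not visible in this hunk): `mapfile -t rego_files < <(git ls-files -- '*.rego')` with `for file in "${rego_files[@]}"`. `interpreters`, `interpreter`, `file` and `found_unparsable` are assigned without `local`, so they leak into the global scope of a script that dispatches many check functions; `local interpreters interpreter file found_unparsable=0` keeps the check self-contained. Because these files are policy, a header comment should state that this gate proves only that each file parses under both engines, not that the rules enforce what is intended.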
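Review bot: The new `--rego` arm in main() is not accompanied by any help-text change: the diffstat's 33 insertions are fully accounted for by the 32-line function and this one arm. If the script's usage output lists the per-check options (it is outside this hunk, so this is an assumption to confirm), add a matching entry such as `--rego : Check rego policies parse with opa and regorus.` so the option is discoverable. main()'s body starts and ends outside the hunk.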