From 639c8d8b9d5fb69e308a7ad241d0b3f03a0a6b77 Mon Sep 17 00:00:00 2001
From: Simar
Date: Fri, 4 Aug 2023 00:16:32 -0600
Subject: [PATCH] feat(rego): Skip dotfiles

Fixes: https://github.com/aquasecurity/trivy/issues/4924

Signed-off-by: Simar
---
 pkg/rego/embed.go | 3 +--
 pkg/rego/load.go | 6 +++++-
 pkg/rego/load_test.go | 5 +++--
 pkg/rego/testdata/policies/._sysfile.rego | 0
 4 files changed, 9 insertions(+), 5 deletions(-)
 create mode 100644 pkg/rego/testdata/policies/._sysfile.rego

diff --git a/pkg/rego/embed.go b/pkg/rego/embed.go
index aa986fd74..b540d9479 100644
--- a/pkg/rego/embed.go
+++ b/pkg/rego/embed.go
@@ -9,7 +9,6 @@ import (
 	"github.com/aquasecurity/defsec/internal/rules"
 	rules2 "github.com/aquasecurity/defsec/rules"
 	"github.com/open-policy-agent/opa/ast"
-	"github.com/open-policy-agent/opa/bundle"
 )
 
 func init() {
@@ -88,7 +87,7 @@ func RecurseEmbeddedModules(fs embed.FS, dir string) (map[string]*ast.Module, er
 			}
 			continue
 		}
-		if !strings.HasSuffix(entry.Name(), bundle.RegoExt) || strings.HasSuffix(entry.Name(), "_test"+bundle.RegoExt) {
+		if !isRegoFile(entry.Name()) || isDotFile(entry.Name()) {
 			continue
 		}
 		fullPath := strings.Join([]string{dir, entry.Name()}, "/")
diff --git a/pkg/rego/load.go b/pkg/rego/load.go
index c9c3afc73..4c97793c8 100644
--- a/pkg/rego/load.go
+++ b/pkg/rego/load.go
@@ -16,6 +16,10 @@ func isRegoFile(name string) bool {
 	return strings.HasSuffix(name, bundle.RegoExt) && !strings.HasSuffix(name, "_test"+bundle.RegoExt)
 }
 
+func isDotFile(name string) bool {
+	return strings.HasPrefix(name, ".")
+}
+
 func isJSONFile(name string) bool {
 	return strings.HasSuffix(name, ".json")
 }
@@ -37,7 +41,7 @@ func (s *Scanner) loadPoliciesFromDirs(target fs.FS, paths []string) (map[string
 		if info.IsDir() {
 			return nil
 		}
-		if !isRegoFile(info.Name()) {
+		if !isRegoFile(info.Name()) || isDotFile(info.Name()) {
 			return nil
 		}
 		data, err := fs.ReadFile(target, filepath.ToSlash(path))
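Review bot: The filter `!isRegoFile(entry.Name()) || isDotFile(entry.Name())` on the added line is now duplicated verbatim in loadPoliciesFromDirs (the second pkg/rego/load.go hunk), so the embedded and on-disk loaders can drift apart the next time the rule changes. Folding both conditions into one predicate in load.go, e.g. `func isLoadableRegoFile(name string) bool { return isRegoFile(name) && !isDotFile(name) }`, and using `if !isLoadableRegoFile(entry.Name()) { continue }` at both sites keeps the two code paths in lockstep. RecurseEmbeddedModules starts and ends outside the hunk, and the directory branch just above the change is cut off; if that branch recurses into every subdirectory, a hidden directory is still descended and only the dotfiles directly inside it are filtered — worth confirming that scope is intended.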
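Review bot: `isDotFile` is added without a doc comment, and the motivation — presumably the `._*` sidecar files macOS writes next to real policies, which carry the `.rego` suffix but hold no Rego (the new `._sysfile.rego` fixture suggests this) — is exactly what a future maintainer needs before relaxing the check. Suggest `// isDotFile reports whether name (a base name, not a path) is hidden, i.e. starts with "."; such entries, e.g. macOS "._foo.rego" resource-fork files, are never loaded as policies.` Both callers pass a base name (`entry.Name()` / `info.Name()`), so the prefix test is correct, but it would silently accept a full path like "dir/.hidden.rego"; stating the base-name contract in the comment guards against that.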
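Review bot: The new `isDotFile(info.Name())` guard sits after `if info.IsDir() { return nil }`, so a hidden directory (a `.git/` or an editor's `.cache/`, say) is still walked and any non-dot `*.rego` inside it is loaded as policy; only files whose own base name starts with "." are skipped. If hidden trees are meant to be excluded as well, the directory branch can prune them — assuming this callback is an `fs.WalkDir` visitor, `if isDotFile(info.Name()) && path != "." { return fs.SkipDir }` inside the `IsDir` branch, where the `path != "."` guard keeps a walk rooted at "." from skipping itself. If loading from hidden directories is intentional, a one-line comment saying so would stop the next reader from "fixing" it. loadPoliciesFromDirs starts and ends outside the hunk.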
diff --git a/pkg/rego/load_test.go b/pkg/rego/load_test.go
index af671cb93..02197b238 100644
--- a/pkg/rego/load_test.go
+++ b/pkg/rego/load_test.go
@@ -11,7 +11,7 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-//go:embed testdata/policies
+//go:embed all:testdata/policies
 var testEmbedFS embed.FS
 
 func Test_RegoScanning_WithSomeInvalidPolicies(t *testing.T) {
@@ -21,8 +21,9 @@ func Test_RegoScanning_WithSomeInvalidPolicies(t *testing.T) {
 	scanner.SetRegoErrorLimit(0)
 	scanner.SetDebugWriter(&debugBuf)
 	p, _ := RecurseEmbeddedModules(testEmbedFS, ".")
-	scanner.policies = p
+	require.NotNil(t, p)
 
+	scanner.policies = p
 	err := scanner.compilePolicies(testEmbedFS, []string{"policies"})
 	require.ErrorContains(t, err, `want (one of): ["Cmd" "EndLine" "Flags" "JSON" "Original" "Path" "Stage" "StartLine" "SubCmd" "Value"]`)
 	assert.Contains(t, debugBuf.String(), "Error(s) occurred while loading policies")
diff --git a/pkg/rego/testdata/policies/._sysfile.rego b/pkg/rego/testdata/policies/._sysfile.rego
new file mode 100644
index 000000000..e69de29bb
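Review bot: The `all:` prefix on the `//go:embed` directive is load-bearing and deserves a comment, because a plain `//go:embed testdata/policies` excludes files whose names begin with "." or "_", so the new `._sysfile.rego` fixture would never reach the test and the dotfile check would pass vacuously. Suggest `// all: is required so that dotfiles such as testdata/policies/._sysfile.rego are embedded; without it go:embed skips names starting with "." or "_" and the dotfile test has nothing to exercise.`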
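Review bot: `require.NotNil(t, p)` does not show that the dotfile was skipped — `p` is non-nil whenever any policy loads — and the error from RecurseEmbeddedModules is still discarded with `_` on the line above, so an embedding failure would surface only as a confusing compile error further down. Assert both explicitly; the keys of `p` appear to be the slash-joined paths built in RecurseEmbeddedModules, so a base-name check over them pins the behaviour this commit adds (the test file would need `path` and `strings` imported). Test_RegoScanning_WithSomeInvalidPolicies starts and ends outside the hunk.
```go
	p, loadErr := RecurseEmbeddedModules(testEmbedFS, ".")
	require.NoError(t, loadErr)
	require.NotNil(t, p)
	for modulePath := range p {
		assert.False(t, strings.HasPrefix(path.Base(modulePath), "."),
			"dotfile %q should have been skipped", modulePath)
	}
	// … unchanged: scanner.policies = p and the compilePolicies assertions …
```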