
Document / Support on using custom rego ruleset #255


Open
saisatishkarra opened this issue Jan 13, 2025 · 1 comment

Comments

@saisatishkarra

Is your feature request related to a problem? Please describe.
Enhancement / clarification on how to write custom rego rules and pass them at runtime to poutine when scanning a remote/local repo or org?

Describe the solution you'd like

  • Any example of how this request is supported?
  • Documentation around how to write these rego rules for poutine?
  • Where does the config live and how to pass it during runtime?

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

@saisatishkarra saisatishkarra changed the title Document / Support for injecting custom rego ruleset Document / Support on using custom rego ruleset Jan 13, 2025
@fproulx-boostsecurity
Contributor

Good idea @saisatishkarra

So basically you create a .poutine.yml (in the current working directory where you run poutine) or you have a YAML file that you point to using --config my-config.yaml.

You can see an example here https://github.com/boost-rnd/poutine-rules/blob/main/.poutine.yml

If you want to write custom rules, you specify

include:
- path: ./github_actions

And the path(s) it points to must contain *.rego files following our standard rule nomenclature, i.e. package rules.something (https://github.com/boost-rnd/poutine-rules/blob/main/github_actions/all_injections.rego)

Example

package rules.injection

import rego.v1

# raise for any injection in bash/javascript
patterns.github contains `\$\{\{[^\}]+\}\}`
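Worked example, added here and not part of the issue thread or of poutine itself: a small Python script that runs the broad pattern from the comment above over a constructed GitHub Actions workflow, next to a narrower pattern restricted to contexts an external contributor controls. The helper names (`run_scripts`, `findings`), the list of untrusted contexts and the sample workflow are my own assumptions for illustration, not poutine's defaults or API.

```python
import re

# The pattern from the comment above. poutine evaluates rules in OPA, whose
# regex engine is Go's RE2; Python's re accepts this particular expression
# unchanged, so it can be exercised here without running the scanner.
ANY_EXPRESSION = re.compile(r"\$\{\{[^\}]+\}\}")

# A narrower pattern of my own (not poutine's default): only expressions whose
# value an external contributor can set. The context list is an illustrative
# assumption, not an exhaustive inventory of attacker-controlled fields.
UNTRUSTED_CONTEXTS = (
    r"github\.event\.issue\.(?:title|body)",
    r"github\.event\.pull_request\.(?:title|body)",
    r"github\.event\.pull_request\.head\.(?:ref|label)",
    r"github\.event\.comment\.body",
    r"github\.head_ref",
)
UNTRUSTED_EXPRESSION = re.compile(
    r"\$\{\{\s*(?:" + "|".join(UNTRUSTED_CONTEXTS) + r")[^\}]*\}\}"
)

# Start of a `run:` step: optional list dash, then the key. `runs-on:` does not match.
RUN_LINE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")

# Constructed sample workflow for the demo; not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: triage
on:
  pull_request_target:
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - run: echo "PR from ${{ github.event.pull_request.head.ref }}"
      - run: echo "Building ${{ github.sha }} on ${{ runner.os }}"
      - name: safe
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "$TITLE"
      - run: |
          echo "Comment: ${{ github.event.comment.body }}"
          gh pr view ${{ github.event.pull_request.number }}
"""


def run_scripts(workflow_text):
    """Yield (line_number, script) for each `run:` step in a workflow.

    Handles the one-line form and the block-scalar form (`run: |`), where the
    script is every following line indented deeper than the `run:` key. This
    is a line scanner, not a YAML parser, which is enough for the demo.
    """
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, rest = m.groups()
        start = i + 1  # report 1-based line numbers
        if rest.strip() in ("|", "|-", ">", ">-"):
            body = []
            i += 1
            while i < len(lines) and (
                lines[i].strip() == ""
                or len(lines[i]) - len(lines[i].lstrip()) > len(indent)
            ):
                body.append(lines[i].strip())
                i += 1
            yield start, "\n".join(body)
        else:
            yield start, rest
            i += 1


def findings(workflow_text, pattern):
    """Return [(line_number, matched_expression), ...] over all `run:` scripts.

    Expressions in `env:` values are deliberately not inspected: there the
    value becomes an environment variable, which is the safe way to consume
    untrusted input in a shell step.
    """
    return [
        (lineno, m.group(0))
        for lineno, script in run_scripts(workflow_text)
        for m in pattern.finditer(script)
    ]


if __name__ == "__main__":
    for label, pat in (("broad", ANY_EXPRESSION), ("untrusted", UNTRUSTED_EXPRESSION)):
        hits = findings(SAMPLE_WORKFLOW, pat)
        print(f"{label}: {len(hits)} finding(s)")
        for lineno, expr in hits:
            print(f"  line {lineno}: {expr}")
```

On the sample, the broad pattern reports five expressions, including `${{ github.sha }}` and `${{ runner.os }}` on line 9, which nobody outside the repository can influence; the narrower pattern reports only line 8 (`head.ref`) and line 14 (`comment.body`). That difference is the trade-off to weigh when shipping a custom ruleset: a catch-all pattern is simple to reason about but noisy. Whatever pattern you settle on, confirm it against the engine that will actually run it by pointing poutine at the rule directory, since RE2 does not support everything Python's `re` accepts (lookaround and backreferences, for example).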
