From e878a3cc339e1975f0b1ebf88f074ed04ee68ae7 Mon Sep 17 00:00:00 2001
From: Robert Kaussow <mail@geeklabor.de>
Date: Sun, 31 Jan 2021 12:48:32 +0100
Subject: [PATCH] feat: add rule CheckGitHasVersion

---
 ansiblelater/rules/CheckGitHasVersion.py | 42 ++++++++++++++++++++++++
 docs/content/included_rules/_index.md    |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 ansiblelater/rules/CheckGitHasVersion.py

diff --git a/ansiblelater/rules/CheckGitHasVersion.py b/ansiblelater/rules/CheckGitHasVersion.py
new file mode 100644
index 0000000..83cf10c
--- /dev/null
+++ b/ansiblelater/rules/CheckGitHasVersion.py
@@ -0,0 +1,42 @@
+# Copyright (c) 2013-2014 Will Thames <will@thames.id.au>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+from ansiblelater.standard import StandardBase
+
+
+class CheckGitHasVersion(StandardBase):
+
+    sid = "ANSIBLE0020"
+    description = "Git checkouts should use explicit version"
+    helptext = "git checkouts should point to an explicit commit or tag, not `latest`"
+    version = "0.2"
+    types = ["playbook", "task", "handler"]
+
+    def check(self, candidate, settings):
+        tasks, errors = self.get_normalized_tasks(candidate, settings)
+
+        if not errors:
+            for task in tasks:
+                if (
+                    task['action']['__ansible_module__'] == 'git'
+                    and task['action'].get('version', 'HEAD') == 'HEAD'
+                ):
+                    errors.append(self.Error(task["__line__"], self.helptext))
+
+        return self.Result(candidate.path, errors)
diff --git a/docs/content/included_rules/_index.md b/docs/content/included_rules/_index.md
index feda483..4bb4430 100644
--- a/docs/content/included_rules/_index.md
+++ b/docs/content/included_rules/_index.md
@@ -34,3 +34,4 @@ Reviews are nothing without some rules or standards against which to review. ans
 | CheckCommandInsteadOfArgument | ANSIBLE0017 | Commands should not be used in place of module arguments.         |                                                                      |
 | CheckFilePermissionMissing    | ANSIBLE0018 | File permissions unset or incorrect.                              |                                                                      |
 | CheckFilePermissionOctal      | ANSIBLE0019 | Octal file permissions must contain leading zero or be a string.  |                                                                      |
+| CheckGitHasVersion            | ANSIBLE0020 | Git checkouts should use explicit version                         |                                                                      |