The hasCodePattern built-in allows us to query the code contained in the diff.
This lets us query for changes and determine, for instance, whether sensitive data (e.g. an access token) was explicitly added to the code.
```yaml
# Checks, each backed by a hasCodePattern query over the diff
- name: changes-env-var
  description: Patch includes changes to environment variables
- name: includes_gh_token
  description: Patch includes a GitHub token
# Policies that reference the checks above by name
- name: critical
  - rule: changes-env-var
- name: security
  - rule: includes_gh_token
  - $error("Patch includes a GitHub token")
  - $fail("GitHub token in patch")
```
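To make concrete what such a query does, here is an added example (written for this page, not the tool's own implementation) that scans only the lines a unified diff adds, applies two hypothetical patterns standing in for the checks above, and maps a match to the policy actions. The sample patch and the token value in it are constructed; the token regex follows the `ghp_`/`github_pat_` prefix formats GitHub uses.

```python
import re
from typing import Iterator, NamedTuple

# Constructed sample patch (token value made up: ghp_ followed by 36 chars).
SAMPLE_DIFF = """\
diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,3 +1,4 @@
 #!/bin/sh
-echo "deploying"
+export GH_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345
+echo "deploying with $GH_TOKEN"
 ./run.sh
"""

# Hypothetical patterns standing in for the page's two checks.
GITHUB_TOKEN = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b")
ENV_VAR_CHANGE = re.compile(r"^\s*(?:export\s+)?[A-Z][A-Z0-9_]*=|os\.environ\[|process\.env\.")

class Finding(NamedTuple):
    check: str
    file: str
    line: str  # the offending added line, with any token value redacted

def added_lines(diff: str) -> Iterator[tuple[str, str]]:
    """Yield (file, text) for every line the unified diff adds.
    Context and removed lines are skipped, so a token already in the file,
    or one the patch deletes, does not count as 'added to the code'."""
    current = "?"
    for raw in diff.splitlines():
        if raw.startswith("+++ "):  # new-file header, not an added line
            current = raw[4:].removeprefix("b/")
        elif raw.startswith("+"):
            yield current, raw[1:]

def has_code_pattern(diff: str, pattern: re.Pattern, check: str) -> list[Finding]:
    """Report each added line matching `pattern`, never echoing the secret."""
    return [Finding(check, f, GITHUB_TOKEN.sub("<redacted>", t))
            for f, t in added_lines(diff) if pattern.search(t)]

def evaluate(diff: str) -> list[str]:
    """Apply the page's policies to a diff and return the actions raised."""
    actions = []
    if has_code_pattern(diff, ENV_VAR_CHANGE, "changes-env-var"):
        actions.append("critical: changes-env-var")
    if has_code_pattern(diff, GITHUB_TOKEN, "includes_gh_token"):
        actions += ['$error("Patch includes a GitHub token")',
                    '$fail("GitHub token in patch")']
    return actions
```

Because only `+` lines are inspected, a token that merely appears in unchanged context, or that the patch removes, is not reported as newly added.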