Add file_disallow policy to detect sensitive files in repositories#26

Merged
david3107 merged 2 commits into main from copilot/disallow-sensitive-files-policy on Oct 10, 2025

Conversation


Copilot AI commented Oct 10, 2025

Overview

Implements a new file_disallow security policy that identifies sensitive files (like .env, configuration files with credentials) that should not be present in GitHub repositories. This helps prevent accidental commits of API tokens, passwords, and other sensitive information.

Problem

Files containing plain text credentials (.env, config.xml, credentials.json, etc.) are sometimes pushed to repositories by mistake, leaking API tokens, passwords, and other sensitive data. While these files should be added to .gitignore, developers can accidentally commit them before proper gitignore rules are in place.

Solution

This PR introduces a file_disallow policy that:

  1. Detects sensitive files: Checks if any files in the disallow list exist in the repository
  2. Validates .gitignore: Verifies that disallowed files are properly listed in .gitignore
  3. Pattern matching: Supports exact matches, wildcards (.env*), and directory patterns
  4. Actionable reporting: Provides clear feedback on which files were found and which are missing from .gitignore

Usage

Add the file_disallow configuration to your policies/repository.yml:

file_disallow:
  - .env
  - .env.local
  - .env.production
  - .env.development
  - config.xml
  - credentials.json
  - secrets.yml

Example Output

When sensitive files are detected, the check fails with detailed information:

{
  "name": "Files Disallow Check",
  "pass": false,
  "data": {
    "foundDisallowedFiles": [".env", "credentials.json"],
    "gitignoreExists": true,
    "missingInGitignore": ["credentials.json"]
  }
}

This tells you:

  • .env and credentials.json exist in the repository
  • A .gitignore file exists
  • credentials.json is NOT in .gitignore (action required!)

Implementation Details

  • New evaluator: FilesDisallowChecks class in src/evaluators/multipurpose/
  • Integration: Seamlessly integrated into RepoPolicyEvaluator
  • Type safety: Added file_disallow field to RepoPolicy interface
  • Documentation: Complete documentation in repository.readme.md and threat model in repository.threats.md

Security Benefits

  • Prevents credential leaks and data exposure
  • Addresses SLSA.dev threat: "(E) Compromise source repo"
  • Maps to MS DevOps threat matrix: "5. Credential Access - Exposed secrets in repository"
  • Customizable per organization's security requirements

Testing

  • ✅ TypeScript compilation successful
  • ✅ Code formatting validated (Prettier)
  • ✅ Build artifacts generated correctly
  • ✅ Integration verified in policy evaluator

Closes #[issue_number]

Original prompt

This section details the original issue you should resolve

<issue_title>Policy to identify sensitive files that should not be in the repository</issue_title>
<issue_description>Files like .env contain most of the time plain text credentials. While these files should be added to the .gitignore list, sometimes they can be pushed to the repo by mistake, leaking API tokens, passwords or other sensitive info.

Policy proposed: disallow specific files

file-disallow:
     - .env
     - conf.xml

This policy could also check that these files are inside the .gitignore. We can use https://github.com/github/gitignore as reference and example. </issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #19


💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

Co-authored-by: david3107 <20040740+david3107@users.noreply.github.com>
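The policy described above (disallow list, wildcard and directory patterns, and the .gitignore cross-check that feeds `foundDisallowedFiles` / `gitignoreExists` / `missingInGitignore`) can be expressed as a single pure function. The block below is an added example written for this page; it is not the project's `FilesDisallowChecks` evaluator and does not read the repository itself. It assumes the caller supplies the repo-relative file listing and the raw `.gitignore` text, and its pattern semantics (`*` matches within one path segment, a trailing `/` marks a directory pattern, any pattern may match at any depth) are illustrative simplifications of gitignore rules, not the project's exact matcher.

```typescript
// Added example, not the project's own code. Mirrors the result shape shown in
// the PR description ("Files Disallow Check" with foundDisallowedFiles,
// gitignoreExists and missingInGitignore).

interface FileDisallowResult {
  name: string;
  pass: boolean;
  data: {
    foundDisallowedFiles: string[];
    gitignoreExists: boolean;
    missingInGitignore: string[];
  };
}

/**
 * Turn a disallow-list or .gitignore entry into a RegExp tested against a
 * repo-relative path. Illustrative semantics (assumption, not the project's):
 *   - exact names match the basename at any depth ("credentials.json")
 *   - "*" matches any run of characters inside one path segment (".env*")
 *   - a trailing "/" is a directory pattern and matches everything beneath it
 */
function patternToRegex(pattern: string): RegExp {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters, keep "*"
    .replace(/\*/g, "[^/]*"); // "*" never crosses a "/" boundary
  if (pattern.endsWith("/")) {
    return new RegExp(`(^|/)${escaped}.*$`);
  }
  return new RegExp(`(^|/)${escaped}$`);
}

/** Active .gitignore patterns: drop blanks, comments and "!" negations; a leading "/" is stripped. */
function parseGitignore(content: string | null): string[] {
  if (content === null) return [];
  return content
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0 && !line.startsWith("#") && !line.startsWith("!"))
    .map((line) => line.replace(/^\//, ""));
}

/**
 * Evaluate the disallow policy: which repo files hit the disallow list, and
 * which of those are not covered by any .gitignore rule. The check fails as
 * soon as any disallowed file is present, matching the PR's example output.
 */
function evaluateFileDisallow(
  repoFiles: string[],
  disallow: string[],
  gitignoreContent: string | null,
): FileDisallowResult {
  const disallowRegexes = disallow.map(patternToRegex);
  const foundDisallowedFiles = repoFiles.filter((file) =>
    disallowRegexes.some((re) => re.test(file)),
  );

  const gitignoreExists = gitignoreContent !== null;
  const ignoreRegexes = parseGitignore(gitignoreContent).map(patternToRegex);
  const missingInGitignore = foundDisallowedFiles.filter(
    (file) => !ignoreRegexes.some((re) => re.test(file)),
  );

  return {
    name: "Files Disallow Check",
    pass: foundDisallowedFiles.length === 0,
    data: { foundDisallowedFiles, gitignoreExists, missingInGitignore },
  };
}

// Constructed sample input (not from any real repository).
const SAMPLE_REPO_FILES = [
  "README.md",
  ".env",
  "src/index.ts",
  "config/credentials.json",
  "secrets/deploy.key",
  ".gitignore",
];
const SAMPLE_DISALLOW = [".env*", "credentials.json", "secrets/"];
const SAMPLE_GITIGNORE = "# constructed .gitignore\nnode_modules/\n.env\n";

console.log(
  JSON.stringify(evaluateFileDisallow(SAMPLE_REPO_FILES, SAMPLE_DISALLOW, SAMPLE_GITIGNORE), null, 2),
);
```

Running the block on the constructed sample reports `.env`, `config/credentials.json` and `secrets/deploy.key` as found, with the latter two flagged as missing from `.gitignore`; a listing with no matches passes even when no `.gitignore` exists, which is the "nothing to ignore" case a reviewer should expect the policy to accept.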
Copilot AI changed the title [WIP] Add policy to identify sensitive files in repository Add file_disallow policy to detect sensitive files in repositories Oct 10, 2025
Copilot AI requested a review from david3107 October 10, 2025 06:41
@david3107 david3107 marked this pull request as ready for review October 10, 2025 08:43
@david3107 david3107 requested a review from theztefan as a code owner October 10, 2025 08:43
@david3107 david3107 merged commit 343e409 into main Oct 10, 2025

Development

Successfully merging this pull request may close these issues.

Policy to identify sensitive files that should not be in the repository