fix: copilot issues

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

Author: gusfcarvalho

README.md

@@ -22,6 +22,6 @@ Policies are written in [Rego](https://www.openpolicyagent.org/docs/latest/polic
 
 Use the standardized per-resource payload generated by the Cloud Custodian plugin as policy input. The plugin evaluates one resource/check pair at a time with `schema_version: v2`; matched resources are marked `assessment.status: non_compliant`, and baseline resources that did not match the Cloud Custodian check are marked `assessment.status: compliant`.
 
-Cloud Custodian policies may include a plugin-only `non_compliance_message` string. When a resource is marked `non_compliant`, that message is appended to the evidence description. The plugin removes this field before executing the policy with Cloud Custodian.
+Cloud Custodian policies may include a plugin-only `non_compliance_message` string. When a resource is marked `non_compliant`, that message is appended to the evidence description. The plugin removes this field before executing the Cloud Custodian policy.
 
 Risk templates should dedupe by individual cloud resource using the payload labels `resource_type` and `resource_id`.

policies/cloud_custodian_resources_detected.rego

@@ -5,6 +5,7 @@ import rego.v1
 violation_id := "cloud_custodian_resource_non_compliant"
 execution_violation_id := "cloud_custodian_resource_evaluation_failed"
 unsupported_input_violation_id := "cloud_custodian_unsupported_input"
+stderr_max_chars := 500
 
 _label_schema := [
 	{
@@ -128,6 +129,22 @@ _default_string(value, fallback) := fallback if {
 	not is_string(value)
 }
 
+_safe_stderr(value) := result if {
+	first_line := split(value, "\n")[0]
+	without_control_chars := regex.replace(first_line, "[[:cntrl:]]+", " ")
+	without_authorization := regex.replace(without_control_chars, "(?i)authorization[[:space:]]*:[[:space:]]*[^[:space:]]+([[:space:]]+[^[:space:]]+)?", "Authorization: <redacted>")
+	without_secret_values := regex.replace(without_authorization, "(?i)(password|token|secret|access[_-]?key)([[:space:]]*[:=][[:space:]]*)[^[:space:]]+", "$1$2<redacted>")
+	result := _truncate_error_detail(without_secret_values)
+}
+
+_truncate_error_detail(value) := value if {
+	count(value) <= stderr_max_chars
+}
+
+_truncate_error_detail(value) := sprintf("%s...", [substring(value, 0, stderr_max_chars)]) if {
+	count(value) > stderr_max_chars
+}
+
 check_name := _default_string(object.get(_check, "name", ""), "unknown-check")
 
 resource_type := _default_string(object.get(_resource, "type", object.get(_check, "resource", "")), "unknown-resource-type")
@@ -183,7 +200,7 @@ execution_exit_code := object.get(_execution, "exit_code", "unknown-exit-code")
 
 execution_error := _default_string(object.get(_execution, "error", ""), "")
 
-execution_stderr := _default_string(object.get(_execution, "stderr", ""), "")
+execution_stderr := _safe_stderr(_default_string(object.get(_execution, "stderr", ""), ""))
 
 execution_errors := object.get(_execution, "errors", [])
 

policies/cloud_custodian_resources_detected_test.rego

@@ -180,7 +180,7 @@ test_execution_failure_remark_uses_stderr_when_error_details_are_empty if {
 			"exit_code": 3,
 			"error": "",
 			"errors": [],
-			"stderr": "access denied reading EC2 instances",
+			"stderr": "access denied reading EC2 instances\nsecond log line should not be included",
 		}},
 	])
 
@@ -192,6 +192,46 @@ test_execution_failure_remark_uses_stderr_when_error_details_are_empty if {
 	}]
 }
 
+test_execution_failure_remark_redacts_sensitive_stderr_values if {
+	fixture := object.union_n([
+		_payload("compliant"),
+		{"execution": {
+			"status": "error",
+			"dry_run": true,
+			"exit_code": 3,
+			"error": "",
+			"errors": [],
+			"stderr": "Authorization: Bearer secret-token token=abc123 password=hunter2 access_key=AKIAEXAMPLE",
+		}},
+	])
+
+	violations := cloud_custodian_resources_detected.violation with input as fixture
+	count(violations) == 1
+	violations[{
+		"id": "cloud_custodian_resource_evaluation_failed",
+		"remarks": "Cloud Custodian policy \"ec2-public-ip-check\" ran with errors while evaluating resource \"aws.ec2/i-123\" (execution_status=\"error\", exit_code=3). Errors: Authorization: <redacted> token=<redacted> password=<redacted> access_key=<redacted>.",
+	}]
+}
+
+test_execution_failure_remark_truncates_long_stderr if {
+	long_stderr := sprintf("%sDO_NOT_INCLUDE", [concat("", ["x" | some i in numbers.range(1, 520)])])
+	fixture := object.union_n([
+		_payload("compliant"),
+		{"execution": {
+			"status": "error",
+			"dry_run": true,
+			"exit_code": 3,
+			"error": "",
+			"errors": [],
+			"stderr": long_stderr,
+		}},
+	])
+
+	remarks := cloud_custodian_resources_detected.remarks with input as fixture
+	contains(remarks, sprintf("Errors: %s...", [concat("", ["x" | some i in numbers.range(1, 500)])]))
+	not contains(remarks, "DO_NOT_INCLUDE")
+}
+
 test_execution_failure_remark_handles_missing_error_details if {
 	fixture := object.union_n([
 		_payload("compliant"),