Skip to content

Commit a038386

Browse files
authored
fix: policy behavior when no data capture (#10)
* fix: policy behavior when no data capture Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com> * fix: copilot issues Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com> --------- Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
1 parent eef13a1 commit a038386

4 files changed

Lines changed: 38 additions & 5 deletions

File tree

policies/gh_org_ip_allowlist_enabled.rego

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -37,14 +37,19 @@ risk_templates := [
3737
}
3838
]
3939

40-
_ip_allow_list := object.get(input, "ip_allow_list", [])
40+
_ip_allow_list := object.get(input, "ip_allow_list", null)
41+
42+
skip_reason := "IP allow-list data is unavailable (collection may be disabled or token may lack permissions), cannot evaluate IP allow-list configuration" if {
43+
_ip_allow_list == null
44+
}
4145

4246
_has_active_entry if {
4347
some entry in _ip_allow_list
4448
entry.is_active == true
4549
}
4650

4751
violation[{"id": "ip_allowlist_not_configured"}] if {
52+
_ip_allow_list != null
4853
not _has_active_entry
4954
}
5055

policies/gh_org_ip_allowlist_enabled_test.rego

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,16 @@ test_ip_allowlist_empty if {
2424
}
2525
}
2626

27-
test_ip_allowlist_missing if {
28-
count(violation) > 0 with input as {}
27+
test_ip_allowlist_null_skips if {
28+
count(violation) == 0 with input as {
29+
"ip_allow_list": null
30+
}
31+
skip_reason == "IP allow-list data is unavailable (collection may be disabled or token may lack permissions), cannot evaluate IP allow-list configuration" with input as {
32+
"ip_allow_list": null
33+
}
34+
}
35+
36+
test_ip_allowlist_missing_skips if {
37+
count(violation) == 0 with input as {}
38+
skip_reason == "IP allow-list data is unavailable (collection may be disabled or token may lack permissions), cannot evaluate IP allow-list configuration" with input as {}
2939
}

policies/gh_org_sso_enabled.rego

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -45,16 +45,25 @@ risk_templates := [
4545

4646
_sso := object.get(input, "sso", {})
4747

48-
_sso_enabled := object.get(_sso, "enabled", false)
48+
skip_reason := "SSO configuration data is unavailable (token may lack permissions), cannot evaluate SSO enforcement status" if {
49+
input.sso == null
50+
}
51+
52+
_sso_enabled := object.get(_sso, "enabled", false) if {
53+
_sso != null
54+
}
4955

50-
_sso_enforced := object.get(_sso, "enforced", false)
56+
_sso_enforced := object.get(_sso, "enforced", false) if {
57+
_sso != null
58+
}
5159

5260
_sso_enabled_and_enforced if {
5361
_sso_enabled
5462
_sso_enforced
5563
}
5664

5765
violation[{"id": "sso_not_enabled"}] if {
66+
not skip_reason
5867
not _sso_enabled_and_enforced
5968
}
6069

policies/gh_org_sso_enabled_test.rego

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,3 +36,12 @@ test_sso_enabled_but_not_enforced if {
3636
test_sso_missing if {
3737
count(violation) == 1 with input as {}
3838
}
39+
40+
test_sso_null_with_skip_reason if {
41+
skip_reason == "SSO configuration data is unavailable (token may lack permissions), cannot evaluate SSO enforcement status" with input as {
42+
"sso": null
43+
}
44+
count(violation) == 0 with input as {
45+
"sso": null
46+
}
47+
}

0 commit comments

Comments
 (0)