Skip to content

Commit fda5b31

Browse files
committed
fix: policy behavior when no data capture
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
1 parent eef13a1 commit fda5b31

4 files changed

Lines changed: 30 additions & 4 deletions

File tree

policies/gh_org_ip_allowlist_enabled.rego

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -37,14 +37,19 @@ risk_templates := [
3737
}
3838
]
3939

40-
_ip_allow_list := object.get(input, "ip_allow_list", [])
40+
_ip_allow_list := object.get(input, "ip_allow_list", null)
41+
42+
skip_reason := "IP allow-list data is unavailable (collection may be disabled or token may lack permissions), cannot evaluate IP allow-list configuration" if {
43+
_ip_allow_list == null
44+
}
4145

4246
_has_active_entry if {
4347
some entry in _ip_allow_list
4448
entry.is_active == true
4549
}
4650

4751
violation[{"id": "ip_allowlist_not_configured"}] if {
52+
_ip_allow_list != null
4853
not _has_active_entry
4954
}
5055

policies/gh_org_ip_allowlist_enabled_test.rego

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,16 @@ test_ip_allowlist_empty if {
2424
}
2525
}
2626

27-
test_ip_allowlist_missing if {
28-
count(violation) > 0 with input as {}
27+
test_ip_allowlist_null_skips if {
28+
count(violation) == 0 with input as {
29+
"ip_allow_list": null
30+
}
31+
skip_reason == "IP allow-list data is unavailable (collection may be disabled or token may lack permissions), cannot evaluate IP allow-list configuration" with input as {
32+
"ip_allow_list": null
33+
}
34+
}
35+
36+
test_ip_allowlist_missing_skips if {
37+
count(violation) == 0 with input as {}
38+
skip_reason == "IP allow-list data is unavailable (collection may be disabled or token may lack permissions), cannot evaluate IP allow-list configuration" with input as {}
2939
}

policies/gh_org_sso_enabled.rego

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,11 @@ risk_templates := [
4343
}
4444
]
4545

46-
_sso := object.get(input, "sso", {})
46+
_sso := object.get(input, "sso", null)
47+
48+
skip_reason := "SSO configuration data is unavailable (token may lack permissions), cannot evaluate SSO enforcement status" if {
49+
_sso == null
50+
}
4751

4852
_sso_enabled := object.get(_sso, "enabled", false)
4953

policies/gh_org_sso_enabled_test.rego

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,3 +36,10 @@ test_sso_enabled_but_not_enforced if {
3636
test_sso_missing if {
3737
count(violation) == 1 with input as {}
3838
}
39+
40+
test_sso_null_with_skip_reason if {
41+
skip_reason == "SSO configuration data is unavailable (token may lack permissions), cannot evaluate SSO enforcement status"
42+
with input as {
43+
"sso": null
44+
}
45+
}

0 commit comments

Comments
 (0)