address comments

Author: piceri

README.md

@@ -87,11 +87,7 @@ The `DN_TEMPLATE` supports the following placeholders:
 
 You can track runtime risks through annotations. Add the annotation `github.com/runtime-risks`, with a comma-separated list of supported runtime risk values. Annotations are aggregated from the pod and its owner reference objects. 
 
-Currently supported runtime risks:
-- `critical-resource`
-- `lateral-movement`
-- `internet-exposed`
-- `sensitive-data`
+Currently supported runtime risks can be found in the [Create Deployment Record API docs](https://docs.github.com/en/rest/orgs/artifact-metadata?apiVersion=2022-11-28#create-an-artifact-deployment-record). Invalid runtime risk values will be ignored.
 
 
 ## Kubernetes Deployment
@@ -101,7 +97,7 @@ which includes:
 
 - **Namespace**: `deployment-tracker`
 - **ServiceAccount**: Identity for the controller pod
-- **ClusterRole**: Minimal permissions (`get`, `list`, `watch` on pods)
+- **ClusterRole**: Minimal permissions (`get`, `list`, `watch` on pods; `get` on other supported objects)
 - **ClusterRoleBinding**: Binds the ServiceAccount to the ClusterRole
 - **Deployment**: Runs the controller with security hardening
 

pkg/deploymentrecord/record.go

@@ -1,6 +1,9 @@
 package deploymentrecord
 
-import "strings"
+import (
+	"log/slog"
+	"strings"
+)
 
 // Status constants for deployment records.
 const (
@@ -19,6 +22,14 @@ const (
 	SensitiveData    RuntimeRisk = "sensitive-data"
 )
 
+// Map of valid runtime risks.
+var validRuntimeRisks = map[RuntimeRisk]bool{
+	CriticalResource: true,
+	InternetExposed:  true,
+	LateralMovement:  true,
+	SensitiveData:    true,
+}
+
 // DeploymentRecord represents a deployment event record.
 type DeploymentRecord struct {
 	Name                string        `json:"name"`
@@ -59,11 +70,10 @@ func NewDeploymentRecord(name, digest, version, logicalEnv, physicalEnv,
 // ValidateRuntimeRisk confirms if string is a valid runtime risk,
 // then returns the canonical runtime risk constant if valid, empty string otherwise.
 func ValidateRuntimeRisk(risk string) RuntimeRisk {
-	r := RuntimeRisk(strings.TrimSpace(risk))
-	switch r {
-	case CriticalResource, InternetExposed, LateralMovement, SensitiveData:
-		return r
-	default:
+	r := RuntimeRisk(strings.ToLower(strings.TrimSpace(risk)))
+	if !validRuntimeRisks[r] {
+		slog.Debug("Invalid runtime risk", "risk", risk)
 		return ""
 	}
+	return r
 }