feat(policies): add description field and split findings for backward compat #2988
Merged
migmartri merged 5 commits on Apr 6, 2026
Conversation
Also fix forward compatibility by using DiscardUnknown in protojson unmarshal so older CLIs gracefully ignore fields from newer policies. Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
javirln
approved these changes
Apr 6, 2026
jiparis
approved these changes
Apr 6, 2026
…atibility Move structured violation objects from violations to a new findings field in the policy result. When findings is present it fully replaces violations, which reverts to strings-only matching pre-structured behavior. Old CLIs ignore the unknown findings key and continue to parse string violations without errors. Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
1 issue found across 9 files (changes from recent commits).
<file name="pkg/policies/engine/rego/rego.go">
<violation number="1" location="pkg/policies/engine/rego/rego.go:236">
P2: This change introduces a compatibility break: legacy `violations` no longer accepts structured objects, so existing policies using object-form violations will now fail parsing.</violation>
</file>
Keep accepting structured objects (maps) in the violations field as a deprecated path while policies are migrated to use the new findings field. This avoids breaking existing policies that already return structured violation objects. Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
- Fix behavioral divergence between Rego and WASM engines for empty findings: both now use len>0 check consistently - Gracefully handle missing violations when findings is absent (no default findings array required in policies) - Pre-allocate violations slice in WASM engine - Trim redundant deprecation comments Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
1 issue found across 2 files (changes from recent commits).
<file name="pkg/policies/engine/rego/rego.go">
<violation number="1" location="pkg/policies/engine/rego/rego.go:227">
P1: Malformed `violations` values are now silently ignored, which can let invalid policy results pass with zero violations.</violation>
</file>
Return string violations (what old CLIs see) and structured findings separately in policy eval output, making it clear what each CLI version would receive. Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
Summary
- Add a `description` field to the `PolicyVulnerabilityFinding` proto for richer vulnerability context
- Use `DiscardUnknown` in protojson unmarshal so older CLIs ignore unrecognized fields instead of failing
- Add a `findings` field in the policy result output, keeping `violations` as strings-only for backward compatibility with older CLIs that don't support structured violations

refs #2979
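The compatibility behaviour this PR describes (older CLIs discarding the unknown `findings` key, structured objects in `violations` kept as a deprecated path, and malformed entries rejected rather than silently dropped) is easier to reason about with a runnable sketch. The following is an added example written for this page, not chainloop's own code: it uses `encoding/json` in place of protojson (the default lenient decode plays the role of `DiscardUnknown`, and `DisallowUnknownFields` reproduces the old failure mode), and the field names, the `Finding` type and the sample result are assumptions constructed for the demo.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample of what a newer engine emits: string violations for older
// CLIs plus a structured findings array. Field names (violations, findings,
// description) follow the PR description; the values are made up for this example.
const sampleResult = `{
  "skipped": false,
  "violations": ["SAMPLE-001: vulnerable dependency in pkg/foo"],
  "findings": [
    {"id": "SAMPLE-001", "severity": "HIGH", "description": "constructed sample finding"}
  ]
}`

// LegacyResult is the shape an older CLI understands: violations as strings only.
type LegacyResult struct {
	Skipped    bool     `json:"skipped"`
	Violations []string `json:"violations"`
}

// Finding is a hypothetical structured finding carrying the new description field.
type Finding struct {
	ID          string `json:"id"`
	Severity    string `json:"severity"`
	Description string `json:"description"`
}

// ParseLegacy decodes as an old CLI should: unknown keys such as "findings" are
// dropped. encoding/json does this by default, which is the analogue of
// protojson.UnmarshalOptions{DiscardUnknown: true} used in the PR.
func ParseLegacy(raw string) (*LegacyResult, error) {
	var r LegacyResult
	if err := json.Unmarshal([]byte(raw), &r); err != nil {
		return nil, err
	}
	return &r, nil
}

// ParseLegacyStrict reproduces the forward-compatibility failure the PR fixes:
// a strict decoder rejects the whole document because of one unknown key.
func ParseLegacyStrict(raw string) (*LegacyResult, error) {
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.DisallowUnknownFields()
	var r LegacyResult
	if err := dec.Decode(&r); err != nil {
		return nil, err
	}
	return &r, nil
}

// NormalizeViolations splits an engine's raw violations array: string entries stay
// string violations, object entries (the deprecated structured form) become
// findings, and anything else is an error instead of being silently dropped, which
// is the review concern about malformed values passing with zero violations.
func NormalizeViolations(entries []json.RawMessage) ([]string, []Finding, error) {
	strs := make([]string, 0, len(entries))
	var finds []Finding
	for i, e := range entries {
		t := bytes.TrimSpace(e)
		switch {
		case len(t) > 0 && t[0] == '"':
			var s string
			if err := json.Unmarshal(t, &s); err != nil {
				return nil, nil, fmt.Errorf("violations[%d]: %w", i, err)
			}
			strs = append(strs, s)
		case len(t) > 0 && t[0] == '{':
			var f Finding
			if err := json.Unmarshal(t, &f); err != nil {
				return nil, nil, fmt.Errorf("violations[%d]: %w", i, err)
			}
			finds = append(finds, f)
		default:
			return nil, nil, fmt.Errorf("violations[%d]: expected string or object, got %s", i, string(t))
		}
	}
	return strs, finds, nil
}

func main() {
	if _, err := ParseLegacyStrict(sampleResult); err != nil {
		fmt.Println("strict legacy decode fails:", err)
	}
	legacy, _ := ParseLegacy(sampleResult)
	fmt.Println("lenient legacy decode sees:", legacy.Violations)

	raw := []json.RawMessage{
		json.RawMessage(`"plain string violation"`),
		json.RawMessage(`{"id":"SAMPLE-002","severity":"LOW","description":"object form"}`),
	}
	strs, finds, err := NormalizeViolations(raw)
	fmt.Println(strs, finds, err)
}
```

The point to check in a real deployment is the third function: a lenient decoder on the client side is what keeps old CLIs working, but the engine side must still fail loudly on a violations entry that is neither a string nor an object, otherwise a broken policy can evaluate to "no violations" and pass.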