feat(policies): add description field and split findings for backward compat#2988

Merged
migmartri merged 5 commits into
chainloop-dev:mainfrom
migmartri:feat/vuln-finding-description
Apr 6, 2026
Conversation

@migmartri

@migmartri migmartri commented Apr 6, 2026

Member

Summary

  • Add optional description field to PolicyVulnerabilityFinding proto for richer vulnerability context
  • Fix forward compatibility: use DiscardUnknown in protojson unmarshal so older CLIs ignore unrecognized fields instead of failing
  • Split structured violation data into a new findings field in policy result output, keeping violations as strings-only for backward compatibility with older CLIs that don't support structured violations

refs #2979

Also fix forward compatibility by using DiscardUnknown in protojson
unmarshal so older CLIs gracefully ignore fields from newer policies.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri requested a review from a team April 6, 2026 10:23

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 7 files

Comment thread pkg/policies/findings/registry.go
…atibility

Move structured violation objects from violations to a new findings
field in the policy result. When findings is present it fully replaces
violations, which reverts to strings-only matching pre-structured
behavior. Old CLIs ignore the unknown findings key and continue to
parse string violations without errors.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri changed the title feat: add optional description to vulnerability findings feat(policies): add description field and split findings for backward compat Apr 6, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 9 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/policies/engine/rego/rego.go">

<violation number="1" location="pkg/policies/engine/rego/rego.go:236">
P2: This change introduces a compatibility break: legacy `violations` no longer accepts structured objects, so existing policies using object-form violations will now fail parsing.</violation>
</file>


Comment thread pkg/policies/engine/rego/rego.go Outdated
Keep accepting structured objects (maps) in the violations field as a
deprecated path while policies are migrated to use the new findings
field. This avoids breaking existing policies that already return
structured violation objects.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
- Fix behavioral divergence between Rego and WASM engines for empty
  findings: both now use len>0 check consistently
- Gracefully handle missing violations when findings is absent (no
  default findings array required in policies)
- Pre-allocate violations slice in WASM engine
- Trim redundant deprecation comments

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/policies/engine/rego/rego.go">

<violation number="1" location="pkg/policies/engine/rego/rego.go:227">
P1: Malformed `violations` values are now silently ignored, which can let invalid policy results pass with zero violations.</violation>
</file>


Comment thread pkg/policies/engine/rego/rego.go
Return string violations (what old CLIs see) and structured findings
separately in policy eval output, making it clear what each CLI
version would receive.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
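An added, stand-alone illustration (not the project's code) of the behaviour described in the summary and in the commit messages above: string `violations` for older CLIs, structured `findings` for newer ones, object-form violations still accepted as a deprecated path, and malformed entries rejected rather than ignored. `Finding`, `PolicyResult`, `ParseResult` and `LegacyView` are hypothetical names, and the sample JSON is constructed:

```go
package main

import "encoding/json"
import "fmt"

// Finding is a hypothetical stand-in for the structured finding type.
type Finding struct {
	ID          string `json:"id"`
	Description string `json:"description,omitempty"`
}

// Violations stay strings (what older CLIs see); Findings carry the
// structured data (what newer CLIs use).
type PolicyResult struct {
	Violations []string
	Findings   []Finding
}

// ParseResult decodes raw policy output. A non-empty findings key is the
// structured set (violations must then be strings-only); otherwise object
// violations are accepted as a deprecated path. Anything else is an error.
func ParseResult(raw []byte) (*PolicyResult, error) {
	var out struct {
		Violations []json.RawMessage `json:"violations"` // absent key -> nil
		Findings   []Finding         `json:"findings"`
	}
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, err
	}
	res := &PolicyResult{Violations: []string{}, Findings: out.Findings}
	for i, v := range out.Violations {
		var s string
		if json.Unmarshal(v, &s) == nil {
			res.Violations = append(res.Violations, s)
			continue
		}
		var f Finding
		if len(out.Findings) == 0 && json.Unmarshal(v, &f) == nil && f.ID != "" {
			res.Findings = append(res.Findings, f) // deprecated object form
			continue
		}
		return nil, fmt.Errorf("violations[%d]: malformed entry %s", i, v)
	}
	return res, nil
}

// LegacyView mimics an older CLI that only knows violations as []string:
// encoding/json ignores the unknown findings key but rejects objects.
func LegacyView(raw []byte) ([]string, error) {
	var out struct{ Violations []string `json:"violations"` }
	err := json.Unmarshal(raw, &out)
	return out.Violations, err
}
```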
@migmartri migmartri merged commit 234ba8e into chainloop-dev:main Apr 6, 2026
15 checks passed