feat(report): Apply ignore policies from a directory #6338
base: main
Hello @dstrelbytskyi
Thanks for your work!
Left a couple of notes.
Please take a look when you have time.
Regards, Dmitriy
# Conflicts:
#	pkg/result/filter.go
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
@dstrelbytskyi
Thanks for your work!
@knqyf263 take a look when you have time, please.
Hey @DmitriyLewen. Is there any queue for the contributions to be reviewed/merged?
Hello @dstrelbytskyi When @knqyf263 has time to check this PR, he will merge it.
}

if len(files) == 0 {
log.Logger.Warnf("No ignore policies found in %q", policiesPath)
log.Logger.Warnf("No ignore policies found in %q", policiesPath)
log.Warn("No ignore policies found", log.String("dir", policiesPath))
return err
}

for _, policyFile := range policyFiles {
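Review bot: the emptiness check above tests `len(files)` while this loop ranges over `policyFiles`; one of the two names is wrong, so make them consistent before this goes further. In the same region, `return err` right after the "No ignore policies found" warning runs on the path where listing the directory appears to have succeeded, so `err` is presumably nil there and the caller cannot tell "no policies" apart from success; either `return nil` explicitly to document that an empty directory is non-fatal, or return a dedicated error if it should fail.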
IMHO, loading all Rego files together and evaluating the policies collectively is more intuitive for Rego users than loading and repeatedly evaluating individual Rego files. The current implementation may not work correctly if variable definitions are spread across multiple files.
To address this, using the rego.Load() function to load all Rego files from a directory recursively would be more appropriate. This ensures that all files are considered together, allowing for proper resolution of variables, rules, and dependencies.
However, since I've been away from OPA recently, I would greatly appreciate insights from @simar7 to ensure the correctness and effectiveness of this approach.
+1 I'd also like to mention that running .PrepareForEval() (and the eventual evaluation itself) is an expensive operation. Doing it recursively on a directory that is user defined to load all files that match the Rego extension, whether relevant or not, can be costly.
However if we go down the route of loading all rego files via rego.Load() as @knqyf263 mentioned, I'm not sure if we can have multiple checks that can contain the same default as the compiler will error out. Since Rego checks often contain defaults that result in "fail-close" type of checks, this would be a common occurrence (e.g. multiple checks having default allow=false).
Maybe a safer route is to allow this flag to have values that can be a list of filenames rather than a directory? This would limit the scope of rego files that get loaded and evaluated.
Okay, we need to understand the use case precisely. @dstrelbytskyi Could you elaborate on it?
Description
This expands the --ignore-policy option functionality. If a directory path is specified as the option value, it recursively finds *.rego files in the directory and applies each found policy file for the results filtration. It's backward compatible; it can still take a single Rego file.
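The file-resolution half of the behaviour described above, as an added example that is not Trivy's code or the PR's diff: a hypothetical helper `resolveIgnorePolicies` accepts either a single Rego file (the existing behaviour) or a directory, walks the directory recursively for `*.rego` files, refuses to follow symlinks inside it, sorts the result so load order is deterministic, and returns a named error (`ErrNoPolicies`, also hypothetical) instead of only warning when a directory contains no policies. The resulting list can feed either the per-file loop in the PR or a single collective load of the kind suggested in the review.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// ErrNoPolicies is returned when the directory contains no *.rego files.
// Hypothetical name for this example; the PR itself only logs a warning.
var ErrNoPolicies = errors.New("no ignore policies found")

// resolveIgnorePolicies expands the value of --ignore-policy into the list of
// policy files to load (hypothetical helper, not Trivy's own code):
//   - a regular file is returned unchanged, keeping the single-file behaviour;
//   - a directory is walked recursively and every regular file whose name ends
//     in ".rego" is collected.
// Symlinks found inside the directory are skipped, so a policy directory cannot
// pull in files from elsewhere on disk. The result is sorted so that the load
// order, and therefore any Rego compile error, is deterministic across runs.
func resolveIgnorePolicies(path string) ([]string, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, fmt.Errorf("ignore policy %q: %w", path, err)
	}
	if !info.IsDir() {
		return []string{path}, nil
	}

	var files []string
	err = filepath.WalkDir(path, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		// WalkDir never follows symlinks, but a symlink to a .rego file would
		// still be listed as an entry; skip every symlink explicitly.
		if d.Type()&fs.ModeSymlink != 0 {
			return nil
		}
		if d.Type().IsRegular() && strings.HasSuffix(d.Name(), ".rego") {
			files = append(files, p)
		}
		return nil
	})
	if err != nil {
		return nil, fmt.Errorf("walking ignore policy dir %q: %w", path, err)
	}
	if len(files) == 0 {
		return nil, fmt.Errorf("%w in %q", ErrNoPolicies, path)
	}
	sort.Strings(files)
	return files, nil
}

func main() {
	// Constructed sample layout: two policies, one nested, plus a non-Rego file.
	dir, err := os.MkdirTemp("", "ignore-policies-*")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, rel := range []string{"cve.rego", "licenses/allow.rego", "README.md"} {
		p := filepath.Join(dir, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			panic(err)
		}
		if err := os.WriteFile(p, []byte("package trivy\n"), 0o644); err != nil {
			panic(err)
		}
	}
	files, err := resolveIgnorePolicies(dir)
	if err != nil {
		panic(err)
	}
	for _, f := range files {
		fmt.Println(f) // cve.rego and licenses/allow.rego; README.md is skipped
	}
}
```

Treating "no policies found" as an error rather than a warning is a design choice for the example: a user who points `--ignore-policy` at the wrong directory otherwise gets an unfiltered report that looks identical to a filtered one, which is easy to miss in CI.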
Checklist