Draft: Fine-grained excludes #584
base: master
Conversation
Signed-off-by: Hamish Hutchings <[email protected]>
6c871e0 to 23f5a01
Is there any mileage in having exclusions actually modify the rule itself?
Say you write something like:

```rego
exclude_name[vars] {
  # we can't fix wid-get, its name is everywhere, just ignore it.
  vars.name == "wid-get"
}
```

and then `deny_name` is implicitly modified to look like this?

```rego
deny_name[msg] {
  # unchanged:
  input.resource[_][name]
  contains(name, "-")
  msg := func_name_msg(name)
  # magic happens here:
  not exclude_name({"name": name})
}
```

My thinking is that you get access to the internal state of the rule, which means you can add arbitrary conditions.
It's fragile, in that any changes to how the original rule works (including renaming variables) could break your exclusion, but then matching on messages is also fragile.
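The sketch above written out as a complete, evaluable Rego policy with a test (an added example, not code from this PR or from conftest): because a partial set rule with an unbound head variable is unsafe in Rego, the exclusion is expressed as a function, which is what `not exclude_name({...})` already treats it as. The input shape (`input.resources[_]` with `kind` and `metadata.name`) and the sample resources are assumptions constructed for the example.

```rego
package main

# Exclusion rules receive the deny rule's internal state as `vars`.
# Each definition is an assumed, constructed exclusion; a function with no
# explicit value is `true` when its body succeeds and undefined otherwise,
# so `not exclude_name(x)` holds exactly when no exclusion matches.
exclude_name(vars) {
  # we can't fix wid-get, its name is everywhere, just ignore it.
  vars.name == "wid-get"
}

exclude_name(vars) {
  # an arbitrary extra condition on the same state: only skip this name
  # when the offending resource is a Job.
  vars.name == "tmp-job"
  vars.kind == "Job"
}

# The deny rule as it would look after the implicit rewrite.
deny_name[msg] {
  resource := input.resources[_]
  name := resource.metadata.name
  contains(name, "-")
  # state exposed to exclusions: everything the exclusion may condition on
  not exclude_name({"name": name, "kind": resource.kind})
  msg := sprintf("resource %q must not contain '-'", [name])
}

# Constructed sample input: two resources are excluded, one is still denied.
test_exclusions_only_drop_matching_resources {
  sample := {"resources": [
    {"kind": "Deployment", "metadata": {"name": "wid-get"}},
    {"kind": "Job", "metadata": {"name": "tmp-job"}},
    {"kind": "Deployment", "metadata": {"name": "foo-bar"}},
  ]}
  denied := deny_name with input as sample
  denied == {"resource \"foo-bar\" must not contain '-'"}
}
```

Renaming `name` or `kind` inside `deny_name` without updating the map passed to `exclude_name` silently disables the exclusion, which is the fragility the comment describes; the test rule is what catches it.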
- Add New Example based on ticket (excludes2)
- Refactor to allow for structured content being returned
- Refactor the terraform example
Signed-off-by: Hamish Hutchings <[email protected]>
0364035 to 373e658
Contextual exclusions will greatly improve the quality of policies. Thank you for kickstarting this and for the PoC PR! I would like to offer one additional viewpoint, if I may... A lot of the cumbersomeness with contextual exclusions is passing the context. The actual What if we never have to pass on the context, and the exclusion can be done inline, right where the context is? i.e. what if exclusion is not a separate construct, but a function. For example:
Would be awesome if the
Hi @moredhel. Friendly ping, please provide an update on the status of this PR.
Hi @jalseth, apologies for the late reply, I have been on holiday the last few weeks. I have the following issue where I am asking for more general feedback on whether this is a reasonable way to proceed: #591. I'm still wanting this to go ahead, but would like to get some feedback from a member on how valuable this is (for myself I feel the current solution isn't flexible enough, so would appreciate the extra flexibility of what I'm proposing). Essentially most of the work is done; outstanding tasks:
Let me know your thoughts and if you're happy I can push this through to be mergeable.
Introduction
This PR is aiming to include an `exclusions` keyword which would allow more fine-grained control over which policies to deny. The current `exception` blocks will apply to an entire file, rather than a single entity within that file. This PR aims to expand the functionality of conftest to allow for excluding a single deny instance of a policy within a file. This should bring the assumed functionality of conftest (exceptions) and the actual functionality in line (via excludes).
Outstanding
This is an initial PoC/thought process on how to do fine-grained exclusions of policies.
There are currently some limitations that come with it, such as having to recreate the `msg` from both the `deny`/`warn` rule & the `exclusion` rule. (More a feature than a limitation) The `exclusion_<name>` section must match with the corresponding `deny_<name>` that you would like to have match the exceptions against.
Examples
I've included a sample in `examples/exceptions2` which details some policies, a working exception & a working exclusion. See for examples:
examples/excludes
examples/excludes2
You can run it similarly to in the tests:
The aim of this PR is to open discussion on a potential avenue towards having more fine-grained exclusions within conftest.
Have a play with it & let me know what your thoughts are.
Decisions / points of discussion