feat(dagger): Allow to bypass policy checks on failures #1773
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
extras/dagger/main.go
// +optional
passphrase *dagger.Secret,
// Whether not fail if the policy check fails
exceptionBypassPolicyCheck bool,
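Review bot: `exceptionBypassPolicyCheck bool` carries no `// +optional` marker in this hunk (only `passphrase` does), so the Dagger CLI will demand the flag on every `push` call even though the intended default is false. Add a `// +optional` line directly above the new argument; under Dagger's conventions an optional scalar is then exposed as a pointer (`*bool`), which is the shape the later revision in this thread adopts.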
is this marked as optional?
it should, let me change it
If it should, why change it? Did you test it?
default is false, that should be enough, right?
it might be required by the dagger CLI if you do not mark it as optional?
$ dagger call -m . init --token env:CHAINLOOP_TOKEN --workflow-name core-to-fail --project-name core add-file-evidence --path ~/Downloads/scan-result-2.json push
✔ connect 0.2s
✔ load module 0.8s
✔ parsing command line arguments 0.0s
✔ setSecret(name: "b27c4f2aaee1fae9c8ead9c7e3e626af2cdf7a739ee86ce735485c45a47bad9d"): Secret! 0.0s
✔ Host.file(path: "/Users/javirln/Downloads/scan-result-2.json"): File! 0.0s
✔ chainloop: Chainloop! 0.0s
✔ .init(
│ │ projectName: "core"
│ │ token: ✔ setSecret(name: "b27c4f2aaee1fae9c8ead9c7e3e626af2cdf7a739ee86ce735485c45a47bad9d"): Secret! 0.0s
│ │ workflowName: "core-to-fail"
│ ): ChainloopAttestation! 3.6s
✔ .addFileEvidence(
│ │ path: ✔ Host.file(path: "/Users/javirln/Downloads/scan-result-2.json"): File! 0.0s
│ ): ChainloopAttestation! 2.9s
✘ .push: String! 3.0s
! process "/chainloop attestation push --attestation-id f3f1e3ac-f7da-4a34-bf8b-a970a817d1a7" did not complete successfully: exit code: 3
│ ✔ Container.withEnvVariable(name: "DAGGER_CACHE_KEY", value: "2025-01-31 10:52:48.946511421 +0000 UTC"): Container! 0.0s
│ ✔ .withSecretVariable(
│ │ │ name: "CHAINLOOP_TOKEN"
│ │ │ secret: ✔ setSecret(name: "b27c4f2aaee1fae9c8ead9c7e3e626af2cdf7a739ee86ce735485c45a47bad9d"): Secret! 0.0s
│ │ ): Container! 0.0s
│ ✔ .withEnvVariable(name: "DAGGER_CACHE_KEY", value: "2025-01-31 10:52:48.94660763 +0000 UTC"): Container! 0.0s
│ ✘ .withExec(args: ["attestation", "push", "--attestation-id", "f3f1e3ac-f7da-4a34-bf8b-a970a817d1a7"], useEntrypoint: true): Container! 2.8s
│ ┃ │ Policies │ ------ │
│ ┃ │ │ sbom-present: missing SBOM material │
│ ┃ └───────────────────────────┴─────────────────────────────────────────────────────────────────────────┘
│ ┃ ┌────────────────────────────────────────────────────────────────────────────────────┐
│ ┃ │ Materials │
│ ┃ ├──────────┬─────────────────────────────────────────────────────────────────────────┤
│ ┃ │ Name │ material-1738320767593633421 │
│ ┃ │ Type │ SARIF │
│ ┃ │ Set │ Yes │
│ ┃ │ Required │ No │
│ ┃ │ Value │ scan-result-2.json │
│ ┃ │ Digest │ sha256:3bf2930aba610591419889f2a701c708e496c21626858338c13e67697d3bb996 │
│ ┃ └──────────┴─────────────────────────────────────────────────────────────────────────┘
│ ┃ ┌────────────────────────────────────┐
│ ┃ │ Runner context │
│ ┃ ├─────────────────────────┬──────────┤
│ ┃ │ CHAINLOOP_DAGGER_CLIENT │ v0.156.0 │
│ ┃ └─────────────────────────┴──────────┘
│ ┃ ERR the operator requires all policies to pass before continuing, please fix them and try again or temporarily bypass the policy check using --exception_bypass_policy_check
│ ! process "/chainloop attestation push --attestation-id f3f1e3ac-f7da-4a34-bf8b-a970a817d1a7" did not complete successfully: exit code: 3
│ ✘ .stdout: String! 2.9s
│ ! process "/chainloop attestation push --attestation-id f3f1e3ac-f7da-4a34-bf8b-a970a817d1a7" did not complete successfully: exit code: 3
Error logs:
✘ .withExec(args: ["attestation", "push", "--attestation-id", "f3f1e3ac-f7da-4a34-bf8b-a970a817d1a7"], useEntrypoint: true): Container! 2.8s
INF push completed
┌───────────────────────────┬─────────────────────────────────────────────────────────────────────────┐
│ Initialized At │ 31 Jan 25 10:52 UTC │
├───────────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Attestation ID │ f3f1e3ac-f7da-4a34-bf8b-a970a817d1a7 │
│ Digest │ sha256:1779707d1b8bcd505b5f53fcbc55ac1b1e42ce469a1d6c3c49608c68ae31cfdb │
│ Organization │ javi-demo │
│ Name │ core-to-fail │
│ Project │ core │
│ Version │ none │
│ Contract │ core-to-fail (revision 1) │
│ Policy violation strategy │ ENFORCED │
│ Policies │ ------ │
│ │ sbom-present: missing SBOM material │
└───────────────────────────┴─────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────────┐
│ Materials │
├──────────┬─────────────────────────────────────────────────────────────────────────┤
│ Name │ material-1738320767593633421 │
│ Type │ SARIF │
│ Set │ Yes │
│ Required │ No │
│ Value │ scan-result-2.json │
│ Digest │ sha256:3bf2930aba610591419889f2a701c708e496c21626858338c13e67697d3bb996 │
└──────────┴─────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────┐
│ Runner context │
├─────────────────────────┬──────────┤
│ CHAINLOOP_DAGGER_CLIENT │ v0.156.0 │
└─────────────────────────┴──────────┘
ERR the operator requires all policies to pass before continuing, please fix them and try again or temporarily bypass the policy check using --exception_bypass_policy_check
With the flag:
$ dagger call -m . init --token env:CHAINLOOP_TOKEN --workflow-name core-to-fail --project-name core add-file-evidence --path ~/Downloads/scan-result-2.json push --exception-bypass-policy-check
✔ connect 0.2s
✔ load module 1.0s
✔ parsing command line arguments 0.0s
✔ Host.file(path: "/Users/javirln/Downloads/scan-result-2.json"): File! 0.0s
✔ setSecret(name: "b27c4f2aaee1fae9c8ead9c7e3e626af2cdf7a739ee86ce735485c45a47bad9d"): Secret! 0.0s
✔ chainloop: Chainloop! 0.0s
✔ .init(
│ │ projectName: "core"
│ │ token: ✔ setSecret(name: "b27c4f2aaee1fae9c8ead9c7e3e626af2cdf7a739ee86ce735485c45a47bad9d"): Secret! 0.0s
│ │ workflowName: "core-to-fail"
│ ): ChainloopAttestation! 3.3s
✔ .addFileEvidence(
│ │ path: ✔ Host.file(path: "/Users/javirln/Downloads/scan-result-2.json"): File! 0.0s
│ ): ChainloopAttestation! 3.1s
✔ .push(exceptionBypassPolicyCheck: true): String! 3.1s
┌───────────────────────────┬─────────────────────────────────────────────────────────────────────────┐
│ Initialized At │ 31 Jan 25 10:53 UTC │
├───────────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Attestation ID │ 96eececa-ecf0-4e38-964f-308995541a58 │
│ Digest │ sha256:7ef14d8d7fd3c382cb7363fed95cea731cfd42b12cab18f3ad59af64a9b09c3b │
│ Organization │ javi-demo │
│ Name │ core-to-fail │
│ Project │ core │
│ Version │ none │
│ Contract │ core-to-fail (revision 1) │
│ Policy violation strategy │ ENFORCED │
│ Policies │ ------ │
│ │ sbom-present: missing SBOM material │
└───────────────────────────┴─────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────────┐
│ Materials │
├──────────┬─────────────────────────────────────────────────────────────────────────┤
│ Name │ material-1738320807793137217 │
│ Type │ SARIF │
│ Set │ Yes │
│ Required │ No │
│ Value │ scan-result-2.json │
│ Digest │ sha256:3bf2930aba610591419889f2a701c708e496c21626858338c13e67697d3bb996 │
└──────────┴─────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────┐
│ Runner context │
├─────────────────────────┬──────────┤
│ CHAINLOOP_DAGGER_CLIENT │ v0.156.0 │
└─────────────────────────┴──────────┘
Setup tracing at https://dagger.cloud/traces/setup. To hide set DAGGER_NO_NAG=1
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
if passphrase != nil {
container = container.WithSecretVariable("CHAINLOOP_SIGNING_PASSWORD", passphrase)
}
if exceptionBypassPolicyCheck != nil && *exceptionBypassPolicyCheck {
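Review bot: this branch switches off policy enforcement for the push, so make that visible at runtime: emit a warning log inside the `if` so that a bypassed push stands out in CI output and can be audited later; the Dagger trace otherwise only records `exceptionBypassPolicyCheck: true` in the call signature. The nil guard before dereferencing the `*bool` is correct for an optional argument and should stay.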
very nit: this is basically the same as not using a pointer and just checking for its true value
I think it needs to be a pointer because it's marked as optional for dagger
passphrase *dagger.Secret,
// Whether not fail if the policy check fails
// +optional
exceptionBypassPolicyCheck *bool,
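Review bot: the doc comment `// Whether not fail if the policy check fails` is missing a word and, in Dagger, becomes the help text for the `--exception-bypass-policy-check` flag in `dagger call`. Suggest `// Do not fail the push when a policy check fails; violations are still reported`, which matches the behaviour shown in the run above where the policy table is printed even with the flag set.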
thanks @javirln for checking, so just so I understand moving forward. Is it required to have the +optional annotation in front of each optional value?
As far as I have it understood, yes, see the docs here: https://docs.dagger.io/api/arguments/#optional-arguments
Function arguments can be marked as optional. In this case, the Dagger CLI will not display an error if the argument is omitted in the function call.
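The point argued in the thread above is that a `// +optional` argument reaches the Go function as a pointer, so the code must distinguish "not passed" (nil) from an explicit `false` before dereferencing. The following is an added, stand-alone illustration, not code from the Chainloop Dagger module: `pushArgs` and `describe` are hypothetical helpers that build the `attestation push` argv from such an optional `*bool`, appending the `--exception_bypass_policy_check` flag quoted in the CLI error message only when the caller explicitly asked for the bypass. The attestation ID is a placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

// pushArgs is a hypothetical helper (not Chainloop's own code). It builds the
// argv for the `attestation push` call from an optional bypass argument.
// Dagger exposes a `// +optional` Go argument as a pointer, so nil means
// "caller did not pass the flag" and must be checked before dereferencing;
// both nil and an explicit false leave enforcement on.
func pushArgs(attestationID string, bypass *bool) (args []string, bypassed bool) {
	args = []string{"attestation", "push", "--attestation-id", attestationID}
	if bypass != nil && *bypass {
		// Flag name as printed in the CLI error shown in the PR thread.
		args = append(args, "--exception_bypass_policy_check")
		bypassed = true
	}
	return args, bypassed
}

// describe spells out the three states of the optional argument so the
// operator can see why nil and false are handled the same way.
func describe(bypass *bool) string {
	switch {
	case bypass == nil:
		return "bypass not specified: policy violations fail the push (default)"
	case *bypass:
		return "bypass requested: policy violations are reported but the push proceeds"
	default:
		return "bypass explicitly disabled: policy violations fail the push"
	}
}

// boolPtr mimics what the Dagger CLI hands the function for an explicit value.
func boolPtr(b bool) *bool { return &b }

func main() {
	// Placeholder attestation ID; a real run would receive it from `init`.
	const id = "00000000-0000-0000-0000-000000000000"
	for _, b := range []*bool{nil, boolPtr(false), boolPtr(true)} {
		args, bypassed := pushArgs(id, b)
		fmt.Printf("%s\n  bypassed=%v  %s\n", strings.Join(args, " "), bypassed, describe(b))
	}
}
```

Keeping the nil check rather than collapsing to a plain `bool` costs nothing and preserves the ability to tell an omitted flag from an explicit `--exception-bypass-policy-check=false` later, for example if a future revision wants to log the two cases differently.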
This patch allows the dagger module to receive the exception-bypass-policy-check flag to avoid failing the attestation push command if any of the policies in the contract hasn't been met.