Skip to content

feat: add skip field to policy group attachments #2564

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Nov 20, 2025
Merged

feat: add skip field to policy group attachments #2564

merged 8 commits into from
Nov 20, 2025

Conversation

@migmartri
Copy link
Member

@migmartri migmartri commented Nov 18, 2025

Summary

Add support for explicitly disabling specific policies within a policy group by specifying their metadata names in a skip list.

Users can now selectively exclude policies from evaluation without modifying the policy group itself by adding a skip field to policy group attachments in workflow contracts.

Implementation

  • Added skip field to PolicyGroupAttachment protobuf message
  • Implemented policy name resolution for both embedded and referenced policies
  • Filtered skipped policies in material and attestation evaluation paths
  • Added validation with warnings for non-existent policy names
  • Comprehensive test coverage for all skip scenarios

Usage

apiVersion: chainloop.dev/v1
kind: Contract
metadata:
  name: example-contract
spec:
  policyGroups:
    - ref: file://groups/sbom-quality-group.yaml
      with:
        bannedComponents: log4j@2.14.1
      skip:
        - sbom-present
        - my-other-policy

Behavior

  • Policies are matched by their metadata.name field
  • Works for both material and attestation policies
  • Unknown policy names in skip list generate warnings but allow execution to continue
  • Empty skip list has no effect on evaluation

Closes #2557

@migmartri
feat: add skip field to policy group attachments
ad9d2a2 
Add support for explicitly disabling specific policies within a policy group
by specifying their metadata names in a skip list. This allows users to
selectively exclude policies from evaluation without modifying the policy
group itself.

Changes:
- Add skip field to PolicyGroupAttachment protobuf message
- Implement getPolicyName() helper to extract policy names from attachments
- Filter skipped policies in both material and attestation evaluation paths
- Add validateSkipList() to warn about non-existent policy names
- Add comprehensive test coverage for skip functionality

Example usage:
```yaml
policyGroups:
  - ref: file://groups/sbom-quality.yaml
    with:
      bannedLicenses: AGPL-3.0
    skip:
      - sbom-present
      - license-check
```

Policies are matched by metadata.name. Unknown policy names in the skip list
generate warnings but allow execution to continue.

Closes chainloop-dev#2557

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri requested a review from jiparis November 18, 2025 18:08
@migmartri
refactor: make validateSkipList return error for reusability
d5c7c3b 
Change validateSkipList() to return an error instead of logging warnings
directly. This allows the function to be reused in contexts where validation
errors should block execution, while still supporting the current behavior
of logging warnings and continuing.

Changes:
- Update validateSkipList() to collect unknown policy names and return error
- Callers in VerifyMaterial() and VerifyStatement() log errors as warnings
- Add comprehensive tests for validateSkipList() error returns
- All existing tests continue to pass

The current user-facing behavior is unchanged: unknown policy names generate
warnings but do not block execution.

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri
chore: improve skip list validation warning message
726ab69 
Update the warning log message to be more user-friendly. The error object
already contains the group name and list of unknown policies, so the message
now clearly indicates what the issue is.

Changed message from "skip list validation warning" to "some policies in
skip list were not found in the policy group". The error details include
the specific policy names and group name.

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri marked this pull request as ready for review November 19, 2025 22:04
@migmartri
chore: upgrade ent golang
29e7644 
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri requested a review from javirln November 19, 2025 22:23
@migmartri
Copy link
Member Author

migmartri commented Nov 19, 2025

@jiparis ready to review, tested it locally :)

migmartri
migmartri commented Nov 19, 2025
View reviewed changes
app/controlplane/configs/config.devel.yaml
- name: chainloop
default: true
url: http://localhost:8002/v1
# policy_providers:
Copy link
Member Author

@migmartri migmartri Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was added by mistake in another PR

jiparis
jiparis reviewed Nov 20, 2025
View reviewed changes
pkg/policies/policy_groups.go Outdated
}

// Validate skip list and log warnings for unknown policy names
if err := pgv.validateSkipList(ctx, group, groupAtt); err != nil {
Copy link
Member

@jiparis jiparis Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this call is overloading the verification step, since it's downloading all policies just to get their names. Verification is also downloading them in the same call.
I'd suggest skipping the validation at this point, since it has no effect. It could probably be moved to att init or contract command line options.
Another option / improvement would be to preload all policies in advance so that they can be used for the validation and for the verification.

Same comment for VerifyMaterial

Copy link
Member Author

@migmartri migmartri Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good catch, I think you are right, not worth the tradeoff at runtime indeed

jiparis
jiparis approved these changes Nov 20, 2025
View reviewed changes
Copy link
Member

@jiparis jiparis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Accepting, but check my comment please. I think it's important for a good user experience.

@migmartri
chore: upgrade ent golang
bf5038d 
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
jiparis
jiparis reviewed Nov 20, 2025
View reviewed changes
@migmartri
chore: upgrade ent golang
fbbb39f 
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri
chore: upgrade ent golang
f63f376 
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri
chore: upgrade ent golang
0bef665 
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri merged commit d5fa48f into chainloop-dev:main Nov 20, 2025
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jiparis jiparis jiparis approved these changes

@javirln javirln Awaiting requested review from javirln

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

support a way to explicitly disable policies in a group

2 participants

@migmartri @jiparis