feat(policies): add suppressed_findings to policy evaluation result

[migmartri]

Summary

• Adds a new top-level suppressed_findings key on the policy evaluation result, alongside the existing findings and violations.
• Items in suppressed_findings use the same Rego object schema as items in findings (e.g. PolicyVulnerabilityFinding), and the invariant is that every entry in suppressed_findings also appears in findings.
• Adds two new optional correlation fields on the three finding proto types (PolicyVulnerabilityFinding, PolicySASTFinding, PolicyLicenseViolationFinding): chainloop_finding_id and chainloop_assessment_ids, used by policies to reference the platform-side finding and the assessments that drove the suppression.
• Surfaces the new field through both the Rego and WASM engine result parsers as EvaluationResult.SuppressedFindings.

Closes #3091

This change does not yet wire suppressed_findings into the ingestion pipeline; downstream consumers can ignore it until follow-up work lands.

Assisted-by: Claude Code

[cubic-dev-ai]

1 issue found across 14 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/policies/engine/rego/testfiles/suppressed_findings.rego">

<violation number="1" location="pkg/policies/engine/rego/testfiles/suppressed_findings.rego:53">
P2: Handle the optional correlation fields without direct dereferences; otherwise omitted fields make the suppressed finding undefined and it disappears.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[migmartri]

superssed findinfgs might be added even if ew don't have findings

[migmartri]

Right — fixed in 0bbe6de. Reworked the model so suppressed_findings are disjoint from findings (a vulnerability is either a finding or a suppressed finding, never both) and parsing now happens independently of the findings branch, so a policy can emit suppressed_findings without any findings. Also added a new suppressed_findings repeated field on the PolicyEvaluation proto so they survive into the CAS bundle.

[cubic-dev-ai]

1 issue found across 12 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/policies/engine/rego/rego_test.go">

<violation number="1" location="pkg/policies/engine/rego/rego_test.go:752">
P1: The test now enforces that `suppressed_findings` are disjoint from `findings`, which contradicts the feature contract that suppressed findings should also be present in findings.</violation>
</file>

_{Tip: Review your code locally with the cubic CLI to iterate faster.
Fix all with cubic.}

[cubic-dev-ai]

P1: The test now enforces that suppressed_findings are disjoint from findings, which contradicts the feature contract that suppressed findings should also be present in findings.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At pkg/policies/engine/rego/rego_test.go, line 752:

<comment>The test now enforces that `suppressed_findings` are disjoint from `findings`, which contradicts the feature contract that suppressed findings should also be present in findings.</comment>

<file context>
@@ -741,7 +749,7 @@ func TestRego_SuppressedFindings(t *testing.T) {
 				require.NotNil(t, sv.RawFinding)
 				id, _ := sv.RawFinding["external_id"].(string)
-				assert.True(t, findingIDs[id], "suppressed finding %q must also appear in findings", id)
+				assert.False(t, findingIDs[id], "suppressed finding %q must NOT also appear in findings", id)
 			}
 
</file context>

_{Tip: Review your code locally with the cubic CLI to iterate faster.}