add structured logging to PURL and sigstore Rego builtins#3121

Open
robnester-rh wants to merge 1 commit into conforma:main from robnester-rh:EC-1668

Conversation

@robnester-rh
Contributor

Add log.WithField("function", ...) to PURL and sigstore custom Rego builtin functions to ease troubleshooting. This follows the same pattern already used in the OCI builtin functions.

Functions updated:

  • ec.purl.is_valid
  • ec.purl.parse
  • ec.sigstore.verify_image
  • ec.sigstore.verify_attestation

Ref: EC-1668
Resolves: #1361

Add log.WithField("function", ...) to PURL and sigstore custom Rego
builtin functions to ease troubleshooting. This follows the same
pattern already used in the OCI builtin functions.

Functions updated:
- ec.purl.is_valid
- ec.purl.parse
- ec.sigstore.verify_image
- ec.sigstore.verify_attestation

Ref: EC-1668
Resolves: conforma#1361
Signed-off-by: Rob Nester <rnester@redhat.com>
@qodo-code-review
Contributor

Review Summary by Qodo

Add structured logging to PURL and sigstore Rego builtins

✨ Enhancement


Walkthroughs

Description
• Add structured logging to PURL builtin functions using log.WithField pattern
• Add structured logging to sigstore builtin functions with context fields
• Import logrus package in sigstore module for logging support
• Replace unstructured log calls with field-based logging for better debugging
Diagram
flowchart LR
  A["PURL Functions<br/>is_valid, parse"] -->|"Add log.WithField<br/>function name"| B["Structured Logging"]
  C["Sigstore Functions<br/>verify_image, verify_attestation"] -->|"Add log.WithField<br/>function name"| B
  B -->|"Include context fields<br/>purl, ref, error, counts"| D["Enhanced Debugging"]


File Changes

1. internal/rego/purl/purl.go ✨ Enhancement +14/-2

Add structured logging to PURL functions

• Add structured logging with log.WithField("function", ...) to purlIsValid function
• Add structured logging with log.WithField("function", ...) to purlParse function
• Replace unstructured log.Debugf and log.Errorf calls with field-based logging
• Add contextual fields like purl and error to log messages for better traceability

internal/rego/purl/purl.go


2. internal/rego/sigstore/sigstore.go ✨ Enhancement +17/-0

Add structured logging to sigstore functions

• Import logrus package for structured logging support
• Add structured logging with log.WithField("function", ...) to sigstoreVerifyImage function
• Add structured logging with log.WithField("function", ...) to sigstoreVerifyAttestation function
• Add contextual fields like ref, error, and result counts to log messages throughout both functions

internal/rego/sigstore/sigstore.go



@qodo-code-review
Contributor

qodo-code-review bot commented Feb 23, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (2) 📎 Requirement gaps (1)



Action required

1. Missing rfunc log field 📎 Requirement gap ✧ Quality
Description
The updated PURL Rego builtins enrich logs with field function instead of the required rfunc,
reducing traceability consistency across builtin logs. This violates the requirement for a
consistent logger field identifying the Rego function name.
Code

internal/rego/purl/purl.go[111]

+	logger := log.WithField("function", purlIsValidName)
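Review bot: the field key here should be the one the existing OCI builtins already use, since matching them is the stated goal of the change; whichever key that is (`function` or `rfunc`), define it once as a shared constant that the PURL, sigstore and OCI builtins all reference, so the name cannot drift between packages and log filters on that key keep working.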
Evidence
PR Compliance ID 7 requires adding a consistent rfunc field identifying the builtin function name,
but the added loggers use WithField("function", ...) in the modified PURL builtins.

All custom Rego builtin functions include a logger field identifying the Rego function name
internal/rego/purl/purl.go[111-111]
internal/rego/purl/purl.go[130-130]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The PURL custom Rego builtins add a logger field named `function`, but compliance requires a consistent field `rfunc` set to the builtin function name.

## Issue Context
Compliance requires using an enriched logger with a consistent field name (`rfunc`) for traceability across all custom Rego builtin logs.

## Fix Focus Areas
- internal/rego/purl/purl.go[111-145]




Remediation recommended

2. Raw PURL logged in debug 📘 Rule violation ⛨ Security
Description
The PURL input is logged verbatim as a structured field, which may contain sensitive or
user-provided data (e.g., qualifiers with URLs/tokens) and can leak into logs. This risks violating
the requirement that logs contain no sensitive data at any log level.
Code

internal/rego/purl/purl.go[118]

+	logger = logger.WithField("purl", string(uri))
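Review bot: `string(uri)` is the caller-supplied input before any validation, and because the result is assigned back to `logger`, every later line from this builtin carries it. If the raw value is needed for troubleshooting, attach it only on the failure path, or log the parsed type, namespace, name and version and leave out the qualifiers, which are the free-form part most likely to carry a URL or token.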
Evidence
PR Compliance ID 5 requires that no sensitive data is present in logs; the modified code logs the
full raw purl input string without any redaction/sanitization.

Rule 5: Generic: Secure Logging Practices
internal/rego/purl/purl.go[118-118]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The code logs the full PURL string (`purl`) directly, which can unintentionally include sensitive or user-provided data in logs.

## Issue Context
Secure logging requires that sensitive data is not present in logs at any level. PURLs may include qualifiers that could embed URLs or tokens depending on usage.

## Fix Focus Areas
- internal/rego/purl/purl.go[118-118]



3. Raw image ref logged 📘 Rule violation ⛨ Security
Description
The sigstore builtins log the full image reference string as ref, which may reveal sensitive
environment details (e.g., private registry/repository identifiers) and is unredacted external
input. This can conflict with the requirement to avoid sensitive data in logs.
Code

internal/rego/sigstore/sigstore.go[121]

+	logger = logger.WithField("ref", string(uri))
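Review bot: same concern as the `purl` field: `ref` is assigned back onto `logger`, so the unredacted reference travels with every subsequent log line from this builtin. A short hash of the reference, or the digest portion alone when one is present, still lets operators correlate the lines for one verification without recording private registry and repository names at debug level.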
Evidence
PR Compliance ID 5 prohibits sensitive data in logs; the modified code logs the full ref string
provided to the builtin without redaction or minimization.

Rule 5: Generic: Secure Logging Practices
internal/rego/sigstore/sigstore.go[121-121]
internal/rego/sigstore/sigstore.go[190-190]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The code logs the full image reference string (`ref`) directly, which may expose private registry/repo identifiers or other sensitive context.

## Issue Context
Secure logging requires avoiding sensitive data in logs at any log level; external inputs should be minimized or redacted.

## Fix Focus Areas
- internal/rego/sigstore/sigstore.go[121-121]
- internal/rego/sigstore/sigstore.go[190-190]



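The review above asks for two things at once: a consistent logger field naming the Rego builtin, and no unredacted caller input (PURL qualifiers, image references) in the log. The following is an added example of how both can be satisfied together; it is not code from the conforma project or from this PR. It uses the standard library `log/slog` in place of logrus so it runs without third-party modules, and the names `rfuncField`, `builtinLogger`, `redactPURL` and `refFingerprint`, as well as the sample PURL and image reference, are constructed for this illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log/slog"
	"net/url"
	"os"
	"strings"
)

// rfuncField is the single key every builtin uses to name itself in log output,
// so operators can filter all builtin logs on one field regardless of package.
// (Hypothetical constant for this example.)
const rfuncField = "rfunc"

// builtinLogger returns a logger enriched with the builtin's name, the slog
// analogue of logrus's log.WithField(...) used in the PR.
func builtinLogger(base *slog.Logger, name string) *slog.Logger {
	return base.With(rfuncField, name)
}

// redactPURL keeps the package coordinates (type, namespace, name, version and
// subpath) and replaces each qualifier value with a marker. Qualifiers are the
// free-form part of a PURL and the place a repository URL or token would appear.
func redactPURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "pkg" {
		// Never echo input that did not parse; malformed input is exactly what
		// should not be copied verbatim into a log.
		return "[unparseable purl]"
	}
	// For "pkg:type/ns/name@ver" the part after the scheme is opaque, not a path.
	out := "pkg:" + u.Opaque
	if u.RawQuery != "" {
		var redacted []string
		for _, kv := range strings.Split(u.RawQuery, "&") {
			key, _, _ := strings.Cut(kv, "=") // keep the key, drop the value
			redacted = append(redacted, key+"=[redacted]")
		}
		out += "?" + strings.Join(redacted, "&")
	}
	if u.Fragment != "" {
		out += "#" + u.Fragment
	}
	return out
}

// refFingerprint returns a short SHA-256 prefix of an image reference. Log lines
// about the same reference share the value, so they can still be correlated,
// without the registry host and repository path being written to the log.
func refFingerprint(ref string) string {
	sum := sha256.Sum256([]byte(ref))
	return hex.EncodeToString(sum[:])[:12]
}

func main() {
	base := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))

	// Constructed sample inputs; the internal proxy, token and registry are invented.
	purl := "pkg:golang/github.com/example/lib@v1.2.3?repository_url=https://proxy.internal/api?token=SECRET#cmd/tool"
	ref := "registry.internal.example/team/private-app:1.2.3"

	isValid := builtinLogger(base, "ec.purl.is_valid")
	isValid.Debug("validating purl", "purl", redactPURL(purl))

	verify := builtinLogger(base, "ec.sigstore.verify_image")
	verify.Debug("verifying image", "ref", refFingerprint(ref))

	fmt.Println(redactPURL(purl))
}
```

Each log line carries `rfunc=ec.purl.is_valid` or `rfunc=ec.sigstore.verify_image`, so a single filter on `rfunc` covers every builtin, while the `purl` field shows which qualifier keys were present without their values and the `ref` field is a stable 12-hex-digit fingerprint rather than the registry path.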

@codecov

codecov bot commented Feb 23, 2026

Codecov Report

❌ Patch coverage is 92.30769% with 2 lines in your changes missing coverage. Please review.

Files with missing lines            Patch %   Lines
internal/rego/sigstore/sigstore.go  87.50%    2 Missing ⚠️

Flag         Coverage Δ
acceptance   55.55% <61.53%> (-0.01%) ⬇️
generative   18.51% <0.00%> (-0.04%) ⬇️
integration  27.49% <0.00%> (-0.06%) ⬇️
unit         68.43% <92.30%> (+0.04%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines            Coverage Δ
internal/rego/purl/purl.go          100.00% <100.00%> (ø)
internal/rego/sigstore/sigstore.go  93.62% <87.50%> (-0.53%) ⬇️

... and 1 file with indirect coverage changes




Development

Successfully merging this pull request may close these issues.

Add log field to all custom Rego builtin functions

2 participants