Failure vs successes counts are inconsistent #731
Comments
Hi @consolethinks I'm not able to reproduce this issue with conftest v0.33.2. Please provide snippets and the exact conftest command you are using so I can reproduce the issue.
After doing some testing, it's not related to namespaces after all. One policy in a specific namespace seems to be the culprit. To reproduce my issue, I'm giving an example terraform plan outputted as json:

And here are two policies:

```rego
package common

# True when both the tag key and the tag value are PascalCase.
key_val_valid_pascal_case(key, val) {
    is_pascal_case(key)
    is_pascal_case(val)
}

# True when the string starts with one or more PascalCase words.
is_pascal_case(string) {
    re_match(`^([A-Z][a-z0-9]+)+`, string)
}

# First policy: one message per tag whose value is not PascalCase.
deny[msg] {
    changeset := input.resource_changes[_]
    tags := changeset.change.after.tags
    some key
    not is_pascal_case(tags[key])
    msg := sprintf("general - Non-pascal case value in tags - %v - key: %v, value: %v", [changeset.address, key, tags[key]])
}

# Second policy: never produces a message, so it always passes.
deny[msg] {
    false
    msg := ""
}
```

The following command is used:

If the first policy fails for multiple resources, it will make Conftest say that there are 0 passing tests. If it is disabled (by renaming the first deny to something else for example), Conftest will show one passing test.
Thank you for the extra info, I have been able to reproduce the issue though the cause is not immediately clear.
I've spent a little time digging and better understand the issue now. The root of the problem is due to the nature of OPA/Rego and the fact that rules are queried by name and the results are unioned. While conftest can know that there are multiple

The best way forward if these counts matter to your use case is to have only one

Lines 314 to 346 in 3aada8c

Lines 58 to 105 in 3aada8c
Conftest doesn't count passed tests in the total amount of tests, or number of passed tests when the policy is not in the `main` namespace. It comes across as if the test doesn't even exist when it passes.

If, for example, I have a `common` namespace and a `safety` namespace, in addition to the `main` namespace, and I either pass `--all-namespaces` or list them separately using `--namespace [name]`, only the policies in the `main` namespace will have its passed policies counted, any other namespaces' passed policies will be ignored from the total and passed counts.