
[codex] Add policy decision explanation fields#43

Merged
stacknil merged 1 commit into main from codex/add-policy-decision-explanation-fields on May 9, 2026

Conversation

stacknil (Owner) commented May 9, 2026

Brief Design Summary

This PR adds additive policy decision explanation fields to sbom-diff-and-risk JSON policy finding objects.

Policy findings now include stable machine-readable metadata for local policy decisions:

  • decision_reason
  • policy_rule
  • severity_source
  • matched_threshold
  • observed_value

The implementation extends the existing PolicyViolation and policy_violation_to_dict() path, so policy_evaluation.*_violations, top-level policy finding arrays, and provenance policy impact sections stay consistent without introducing a second schema.

This is additive and backward-compatible. It does not change exit codes, CLI flags, Markdown output, SARIF output, workflow behavior, network behavior, CVE behavior, or package version.

Files Changed

  • tools/sbom-diff-and-risk/src/sbom_diff_risk/policy_models.py
  • tools/sbom-diff-and-risk/src/sbom_diff_risk/policy_evaluator.py
  • tools/sbom-diff-and-risk/src/sbom_diff_risk/presentation.py
  • tools/sbom-diff-and-risk/tests/test_policy.py
  • tools/sbom-diff-and-risk/tests/test_reports.py
  • tools/sbom-diff-and-risk/examples/sample-policy-warn-report.json
  • tools/sbom-diff-and-risk/examples/sample-policy-fail-report.json
  • tools/sbom-diff-and-risk/examples/sample-provenance-report.json
  • tools/sbom-diff-and-risk/examples/sample-scorecard-report.json
  • tools/sbom-diff-and-risk/docs/report-schema.md

Tests Added/Updated

Added focused coverage for:

  • explanation fields on blocking, default-threshold, warning, and suppressed policy findings
  • explanation fields appearing on policy finding objects only, not raw risks
  • deterministic policy output ordering
  • unchanged summary.policy behavior

Updated JSON golden samples for affected policy, provenance, and Scorecard report paths.

Validation

cd tools/sbom-diff-and-risk
python -m pytest
python -m build
$files = Get-ChildItem dist -File | ForEach-Object { $_.FullName }
python -m twine check $files
git diff --check

Results:

  • python -m pytest: 157 passed
  • python -m build: built sbom_diff_and_risk-0.7.0 wheel and sdist
  • python -m twine check $files: wheel and sdist passed
  • git diff --check: passed
  • package version remains 0.7.0
  • .github/workflows unchanged
  • no production PyPI workflow exists

Out of Scope

  • No exit code changes
  • No CLI flag changes
  • No Markdown output changes
  • No SARIF output changes
  • No workflow changes
  • No package version bump
  • No network behavior changes
  • No CVE lookup
  • No production PyPI workflow
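Added example to illustrate the design described in the PR (this is not code from the sbom-diff-and-risk project or from the PR diff): a single PolicyViolation model and one policy_violation_to_dict() serializer carry the five explanation fields named above, so every policy finding array is produced from the same path, raw risk records stay free of those fields, and output order is deterministic. The field names come from the PR text; the Risk shape, the threshold values, the rule ids ("fail_threshold", "warn_threshold", "suppression"), the severity vocabulary and the evaluate() signature are all assumptions made for the example.

```python
from dataclasses import asdict, dataclass
from typing import List, Optional, Tuple

# Assumed default thresholds; the real project's values are not on the page.
DEFAULT_FAIL_THRESHOLD = 7.0
DEFAULT_WARN_THRESHOLD = 4.0

EXPLANATION_FIELDS = {
    "decision_reason", "policy_rule", "severity_source",
    "matched_threshold", "observed_value",
}


@dataclass(frozen=True)
class Risk:
    """Constructed raw risk record; deliberately carries no explanation fields."""
    package: str
    score: float
    suppressed: bool = False


@dataclass(frozen=True)
class PolicyViolation:
    """One policy finding. The five explanation fields are additive metadata
    (hypothetical shape, modelled on the field list in the PR description)."""
    package: str
    severity: str               # "fail", "warn" or "suppressed" (assumed vocabulary)
    message: str
    decision_reason: str        # stable sentence explaining why the rule fired
    policy_rule: str            # assumed rule ids: fail_threshold / warn_threshold / suppression
    severity_source: str        # "policy" if a rule supplied the threshold, "default" otherwise
    matched_threshold: Optional[float]
    observed_value: float


def _threshold(explicit: Optional[float], default: float) -> Tuple[float, str]:
    """Resolve a threshold and record where it came from."""
    if explicit is None:
        return default, "default"
    return explicit, "policy"


def evaluate(risks: List[Risk], fail_threshold: Optional[float] = None,
             warn_threshold: Optional[float] = None):
    """Classify risks into (fail, warn, suppressed) violation lists.

    Input is sorted by package name first so the JSON arrays are
    deterministic regardless of the order risks were discovered in.
    """
    fail_at, fail_src = _threshold(fail_threshold, DEFAULT_FAIL_THRESHOLD)
    warn_at, warn_src = _threshold(warn_threshold, DEFAULT_WARN_THRESHOLD)
    fails, warns, suppressed = [], [], []
    for r in sorted(risks, key=lambda x: x.package):
        if r.suppressed:
            suppressed.append(PolicyViolation(
                r.package, "suppressed", f"{r.package} suppressed by policy",
                decision_reason=f"score {r.score} recorded but package is suppressed",
                policy_rule="suppression", severity_source="policy",
                matched_threshold=None, observed_value=r.score))
        elif r.score >= fail_at:
            fails.append(PolicyViolation(
                r.package, "fail", f"{r.package} exceeds fail threshold",
                decision_reason=f"score {r.score} >= fail threshold {fail_at}",
                policy_rule="fail_threshold", severity_source=fail_src,
                matched_threshold=fail_at, observed_value=r.score))
        elif r.score >= warn_at:
            warns.append(PolicyViolation(
                r.package, "warn", f"{r.package} exceeds warn threshold",
                decision_reason=f"score {r.score} >= warn threshold {warn_at}",
                policy_rule="warn_threshold", severity_source=warn_src,
                matched_threshold=warn_at, observed_value=r.score))
    return fails, warns, suppressed


def policy_violation_to_dict(v: PolicyViolation) -> dict:
    """The one serializer every policy finding array goes through, so the
    explanation fields appear consistently without a second schema."""
    return asdict(v)


def risk_to_dict(r: Risk) -> dict:
    """Raw risks are serialized separately and never gain explanation fields."""
    return asdict(r)


def has_explanation_fields(d: dict) -> bool:
    """Check that a serialized object carries all five explanation fields."""
    return EXPLANATION_FIELDS.issubset(d)


if __name__ == "__main__":
    # Constructed sample input, not taken from any real SBOM.
    sample = [Risk("zlib", 8.5), Risk("openssl", 9.1, suppressed=True),
              Risk("curl", 5.0), Risk("libxml2", 7.0)]
    for bucket in evaluate(sample, fail_threshold=8.0):
        for v in bucket:
            print(policy_violation_to_dict(v))
```

A consumer that already parses the finding arrays keeps working because the new keys are only ever added to the policy finding dictionaries; the severity_source value tells it whether a threshold came from the policy file or from the tool default, which is what makes a "why did this fail" question answerable from the JSON alone.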

@stacknil stacknil merged commit 0bbec96 into main May 9, 2026
9 checks passed
@stacknil stacknil deleted the codex/add-policy-decision-explanation-fields branch May 9, 2026 03:42