Conversation

@migmartri
Member

Summary

Add support for explicitly disabling specific policies within a policy group by specifying their metadata names in a skip list.

Users can now selectively exclude policies from evaluation without modifying the policy group itself by adding a skip field to policy group attachments in workflow contracts.

Implementation

  • Added skip field to PolicyGroupAttachment protobuf message
  • Implemented policy name resolution for both embedded and referenced policies
  • Filtered skipped policies in material and attestation evaluation paths
  • Added validation with warnings for non-existent policy names
  • Comprehensive test coverage for all skip scenarios

Usage

```yaml
apiVersion: chainloop.dev/v1
kind: Contract
metadata:
  name: example-contract
spec:
  policyGroups:
    - ref: file://groups/sbom-quality-group.yaml
      with:
        bannedComponents: [email protected]
      skip:
        - sbom-present
        - my-other-policy
```

Behavior

  • Policies are matched by their metadata.name field
  • Works for both material and attestation policies
  • Unknown policy names in skip list generate warnings but allow execution to continue
  • Empty skip list has no effect on evaluation

Closes #2557
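As an added illustration that is not Chainloop's own code, the skip-list semantics described above sketched in Go: names are resolved for both embedded and referenced policies, matching entries are filtered out, and unknown names are reported through a wrapped sentinel error so the caller can choose between logging a warning and blocking. The `Policy`, `Attachment` and `ApplySkipList` shapes and the injected `load` function are assumptions, not the project's types.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical shapes, not Chainloop's types: a policy is attached either embedded
// inline or by reference; in both cases the skip list matches metadata.name.
type Policy struct{ Name string }
type Attachment struct {
	Ref      string  // set when referenced (file://, registry, ...)
	Embedded *Policy // set when inlined in the group
}
// ErrUnknownSkipped is wrapped into the returned error when skip names match no
// policy; a caller can errors.Is() it and either warn and continue, or block.
var ErrUnknownSkipped = errors.New("some policies in skip list were not found in the policy group")
// ApplySkipList drops attachments whose resolved name is in skip; load fetches a referenced
// policy (injected so this runs offline). The filtered list is returned even alongside the error.
func ApplySkipList(group string, atts []Attachment, skip []string, load func(ref string) (*Policy, error)) ([]Attachment, error) {
	skipSet, seen := map[string]bool{}, map[string]bool{}
	for _, s := range skip {
		skipSet[s] = true
	}
	kept := make([]Attachment, 0, len(atts))
	for _, a := range atts {
		p := a.Embedded
		if p == nil { // referenced policy: its name is only known after loading it
			var err error
			if p, err = load(a.Ref); err != nil {
				return nil, fmt.Errorf("resolving %q: %w", a.Ref, err) // real error, not a skip warning
			}
		}
		seen[p.Name] = true
		if !skipSet[p.Name] {
			kept = append(kept, a)
		}
	}
	var unknown []string // reported in the order the user wrote them
	for _, s := range skip {
		if !seen[s] {
			unknown = append(unknown, s)
		}
	}
	if len(unknown) > 0 {
		return kept, fmt.Errorf("%w: group=%q unknown=%s", ErrUnknownSkipped, group, strings.Join(unknown, ", "))
	}
	return kept, nil
}
```

A caller that wants today's behaviour logs the returned error as a warning and evaluates `kept`; one that wants unknown names to be fatal returns the error instead.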

Add support for explicitly disabling specific policies within a policy group
by specifying their metadata names in a skip list. This allows users to
selectively exclude policies from evaluation without modifying the policy
group itself.

Changes:
- Add skip field to PolicyGroupAttachment protobuf message
- Implement getPolicyName() helper to extract policy names from attachments
- Filter skipped policies in both material and attestation evaluation paths
- Add validateSkipList() to warn about non-existent policy names
- Add comprehensive test coverage for skip functionality

Example usage:
```yaml
policyGroups:
  - ref: file://groups/sbom-quality.yaml
    with:
      bannedLicenses: AGPL-3.0
    skip:
      - sbom-present
      - license-check
```

Policies are matched by metadata.name. Unknown policy names in the skip list
generate warnings but allow execution to continue.

Closes chainloop-dev#2557

Signed-off-by: Miguel Martinez <[email protected]>
@migmartri migmartri requested a review from jiparis November 18, 2025 18:08
Change validateSkipList() to return an error instead of logging warnings
directly. This allows the function to be reused in contexts where validation
errors should block execution, while still supporting the current behavior
of logging warnings and continuing.

Changes:
- Update validateSkipList() to collect unknown policy names and return error
- Callers in VerifyMaterial() and VerifyStatement() log errors as warnings
- Add comprehensive tests for validateSkipList() error returns
- All existing tests continue to pass

The current user-facing behavior is unchanged: unknown policy names generate
warnings but do not block execution.

Signed-off-by: Miguel Martinez <[email protected]>
Update the warning log message to be more user-friendly. The error object
already contains the group name and list of unknown policies, so the message
now clearly indicates what the issue is.

Changed message from "skip list validation warning" to "some policies in
skip list were not found in the policy group". The error details include
the specific policy names and group name.

Signed-off-by: Miguel Martinez <[email protected]>
@migmartri migmartri marked this pull request as ready for review November 19, 2025 22:04
Signed-off-by: Miguel Martinez <[email protected]>
@migmartri migmartri requested a review from javirln November 19, 2025 22:23
@migmartri
Member Author

@jiparis ready to review, tested it locally :)

- name: chainloop
default: true
url: http://localhost:8002/v1
# policy_providers:
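Review bot: the block ends with a commented-out `# policy_providers:` key, and the `chainloop` provider entry above it is marked `default: true` with a local development URL (`http://localhost:8002/v1`); if this configuration does not belong to this PR, remove the whole block rather than leaving the commented header and a localhost default behind.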
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was added by mistake in another PR



Development

Successfully merging this pull request may close these issues.

support a way to explicitly disable policies in a group