Documentation
¶
Index ¶
- func ExtractStringFromMetadata(result Result, key string) string
- type ConfigProvider
- type Criteria
- type Data
- type DefaultFilterFactory
- type EvaluationTarget
- type Evaluator
- func NewConftestEvaluator(ctx context.Context, policySources []source.PolicySource, p ConfigProvider, ...) (Evaluator, error)
- func NewConftestEvaluatorWithNamespace(ctx context.Context, policySources []source.PolicySource, p ConfigProvider, ...) (Evaluator, error)
- func NewOPAEvaluator() (Evaluator, error)
- type FilterFactory
- type IncludeFilterFactory
- type IncludeListFilter
- type NamespaceFilter
- type Outcome
- type PipelineIntentionFilter
- type Result
- type RuleFilter
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ExtractStringFromMetadata ¶
ExtractStringFromMetadata returns the string value from the result metadata at the given key.
Types ¶
type ConfigProvider ¶
type ConfigProvider interface {
EffectiveTime() time.Time
SigstoreOpts() (policy.SigstoreOpts, error)
Spec() ecc.EnterpriseContractPolicySpec
}
ConfigProvider is a subset of the policy.Policy interface. Its purpose is to codify which parts of Policy are actually used and to make it easier to use mock in tests.
type Criteria ¶
type Criteria struct {
// contains filtered or unexported fields
}
contains include/exclude items digestItems stores include/exclude items that are specific with an imageRef - the imageRef is the key, value is the policy to include/exclude. defaultItems are include/exclude items without an imageRef
type DefaultFilterFactory ¶ added in v0.7.127
type DefaultFilterFactory struct{}
DefaultFilterFactory creates filters based on the source configuration. It handles two main filtering mechanisms: 1. Pipeline intention filtering - based on rule metadata 2. Include list filtering - based on explicit package/collection names
func (*DefaultFilterFactory) CreateFilters ¶ added in v0.7.127
func (f *DefaultFilterFactory) CreateFilters(source ecc.Source) []RuleFilter
CreateFilters builds a list of filters based on the source configuration.
The filtering logic follows these rules: 1. Pipeline Intention Filtering:
- When pipeline_intention is set in ruleData: only include packages with rules that have matching pipeline_intention metadata
- When pipeline_intention is NOT set in ruleData: only include packages with rules that have NO pipeline_intention metadata (general-purpose rules)
2. Include List Filtering:
- When includes are specified: only include packages that match the include criteria
- Supports @collection, package names, and package.rule patterns
3. Combined Logic:
- All filters are applied with AND logic - a package must pass ALL filters
- This allows fine-grained control over which rules are evaluated
type EvaluationTarget ¶
type Evaluator ¶
type Evaluator interface {
Evaluate(ctx context.Context, target EvaluationTarget) ([]Outcome, error)
// Destroy performs any cleanup needed
Destroy()
// CapabilitiesPath returns the path to the file where capabilities are defined
CapabilitiesPath() string
}
func NewConftestEvaluator ¶
func NewConftestEvaluator(ctx context.Context, policySources []source.PolicySource, p ConfigProvider, source ecc.Source) (Evaluator, error)
NewConftestEvaluator returns initialized conftestEvaluator implementing Evaluator interface
func NewConftestEvaluatorWithNamespace ¶
func NewConftestEvaluatorWithNamespace(ctx context.Context, policySources []source.PolicySource, p ConfigProvider, source ecc.Source, namespace []string) (Evaluator, error)
set the policy namespace
func NewOPAEvaluator ¶
type FilterFactory ¶ added in v0.7.127
type FilterFactory interface {
CreateFilters(source ecc.Source) []RuleFilter
}
FilterFactory builds a slice of filters for a given `ecc.Source`.
Multiple filters can be applied simultaneously using AND logic - all filters must approve a package for it to be included in the evaluation set.
func NewDefaultFilterFactory ¶ added in v0.7.127
func NewDefaultFilterFactory() FilterFactory
func NewIncludeFilterFactory ¶ added in v0.7.127
func NewIncludeFilterFactory() FilterFactory
type IncludeFilterFactory ¶ added in v0.7.127
type IncludeFilterFactory struct{}
func (*IncludeFilterFactory) CreateFilters ¶ added in v0.7.127
func (f *IncludeFilterFactory) CreateFilters(source ecc.Source) []RuleFilter
CreateFilters builds a list of filters based on the source configuration.
The filtering logic follows these rules: 1. Pipeline Intention Filtering:
- When pipeline_intention is set in ruleData: only include packages with rules that have matching pipeline_intention metadata
- When pipeline_intention is NOT set in ruleData: only include packages with rules that have NO pipeline_intention metadata (general-purpose rules)
2. Include List Filtering:
- When includes are specified: only include packages that match the include criteria
- Supports @collection, package names, and package.rule patterns
3. Combined Logic:
- All filters are applied with AND logic - a package must pass ALL filters
- This allows fine-grained control over which rules are evaluated
type IncludeListFilter ¶ added in v0.7.127
type IncludeListFilter struct {
// contains filtered or unexported fields
}
IncludeListFilter filters packages based on explicit include criteria.
This filter provides fine-grained control over which packages are evaluated by allowing explicit specification of packages, collections, or individual rules.
Supported patterns: - "@collection" - includes any package with rules that belong to the specified collection - "package" - includes the entire package - "package.rule" - includes the package containing the specified rule
Examples: - ["@security"] - includes packages with rules in the "security" collection - ["cve"] - includes the "cve" package - ["release.security_check"] - includes the "release" package (which contains the rule)
func (*IncludeListFilter) Include ¶ added in v0.7.127
func (f *IncludeListFilter) Include(pkg string, rules []rule.Info) bool
Include determines whether a package should be included based on the include list criteria.
The function checks if the package or any of its rules match the include criteria. If any rule in the package matches, the entire package is included.
type NamespaceFilter ¶ added in v0.7.127
type NamespaceFilter struct {
// contains filtered or unexported fields
}
NamespaceFilter applies multiple filters using AND logic.
This filter combines multiple RuleFilter instances and only includes packages that pass ALL filters. This allows for complex filtering scenarios where multiple criteria must be satisfied.
Example: Pipeline intention + Include list - Pipeline intention filter: only packages with matching pipeline_intention - Include list filter: only packages in the include list - Result: only packages that satisfy BOTH conditions
func NewNamespaceFilter ¶ added in v0.7.127
func NewNamespaceFilter(filters ...RuleFilter) *NamespaceFilter
func (*NamespaceFilter) Filter ¶ added in v0.7.127
func (nf *NamespaceFilter) Filter(rules policyRules) []string
Filter applies all filters to the given rules and returns the list of packages that pass all filter criteria.
The filtering process: 1. Groups rules by package (namespace) 2. For each package, applies all filters in sequence 3. Only includes packages that pass ALL filters (AND logic) 4. Returns the list of approved package names
This ensures that only the appropriate rules are evaluated based on the current configuration and context.
type Outcome ¶
type Outcome struct {
FileName string `json:"filename"`
Namespace string `json:"namespace"`
Successes []Result `json:"successes,omitempty"`
Skipped []Result `json:"skipped,omitempty"`
Warnings []Result `json:"warnings,omitempty"`
Failures []Result `json:"failures,omitempty"`
Exceptions []Result `json:"exceptions,omitempty"`
}
type PipelineIntentionFilter ¶ added in v0.7.127
type PipelineIntentionFilter struct {
// contains filtered or unexported fields
}
PipelineIntentionFilter filters packages based on pipeline_intention metadata.
This filter ensures that only rules appropriate for the current pipeline context are evaluated. It works by examining the pipeline_intention metadata in each rule and comparing it against the configured pipeline_intention values.
Behavior: - When targetIntentions is empty (no pipeline_intention configured):
- Only includes packages with rules that have NO pipeline_intention metadata
- This allows general-purpose rules to run in default contexts
- When targetIntentions is set (pipeline_intention configured):
- Only includes packages with rules that have MATCHING pipeline_intention metadata
- This ensures only pipeline-specific rules are evaluated
Examples: - Config: pipeline_intention: ["release"]
- Rule with pipeline_intention: ["release", "production"] → INCLUDED
- Rule with pipeline_intention: ["staging"] → EXCLUDED
- Rule with no pipeline_intention metadata → EXCLUDED
- Config: no pipeline_intention set
- Rule with pipeline_intention: ["release"] → EXCLUDED
- Rule with no pipeline_intention metadata → INCLUDED
func (*PipelineIntentionFilter) Include ¶ added in v0.7.127
func (f *PipelineIntentionFilter) Include(_ string, rules []rule.Info) bool
Include determines whether a package should be included based on pipeline_intention metadata.
The function examines all rules in the package to determine if any have appropriate pipeline_intention metadata for the current configuration.
type RuleFilter ¶ added in v0.7.127
RuleFilter decides whether an entire package (namespace) should be included in the evaluation set.
The filtering system works at the package level - if any rule in a package matches the filter criteria, the entire package is included for evaluation. This ensures that related rules within the same package are evaluated together.
func NewIncludeListFilter ¶ added in v0.7.127
func NewIncludeListFilter(entries []string) RuleFilter
func NewPipelineIntentionFilter ¶ added in v0.7.127
func NewPipelineIntentionFilter(target []string) RuleFilter
Source Files