Phase A of the multi-provider refactor (#148): every legacy Go control is ported to Rego/OPA, a GitHub Actions provider sits next to the GitLab one, and the dev binary keeps the v0.2.x JSON contract intact for downstream consumers.

Engine and IR (internal/engine/opa, internal/ir):
- Provider-agnostic NormalizedPipeline with per-job Variables, Scripts + ScriptBlocks, Rules, Overridden + OverriddenKeys, OriginKind, plus per-pipeline GlobalVariables, Includes, Branches, Dependabot, Dockerfiles.
- OPA engine emits Finding{Code, Severity, Message, Job, File, Line, Data}; custom MarshalJSON/UnmarshalJSON flatten Data into the legacy top-level shape; enrichFindings auto-stamps docUrl and falls File/Line back to the job header when the rule omits them.

Catalog:
- 19 GitLab controls (ISSUE-101/102/103/203/204/205/401/403/404/405/406/408/409/410/411/412/413/501/505) ported with the v0.2.19 issue payload (link, tag, variableName, value, location, scriptLine, scriptBlock, branchName, type, detail, ...).
- 23 GitHub Actions controls (ISSUE-104/106/107/108/109/110/111/112/113/114/115/213/214/215/304/305/306/307/308/309/414/415/601/602/605/607/608/609/610) covering action pinning, advisory database lookups, repository hygiene, dangerous triggers, secret routing and supply-chain markers.
- GitHub-only rules gate on input.pipeline.provider == "github" so they never fire on GitLab pipelines.

Scoring (scoring-v2):
- Profile id bumped from scoring-v1 to scoring-v2.
- Weights: Critical 30->25, High 30->20, Medium 10->8, Low 5->3. Caps: High 100->60, Medium 30->20, Low 15->10.
- Loss formula: w * (1 + 0.5*log2(n)) (dampened so repeats taper off after the first occurrence).
- Twelve issue codes rescaled to a less punitive tier now that the curve already captures accumulation.

CLI / output:
- --gitlab-url / --project win over .git/config auto-detection so cross-provider scripted runs work from any clone.
- compliance short-circuits to 0 when ciValid=false or ciMissing=true (an empty findings list under those conditions is evidence of a failed analysis, not of compliance).
- Action-level findings point at the exact uses: line via Action.Line, not at the enclosing job header.
- Dockerfile parser resolves ARG defaults so FROM golang:${GOLANG_IMAGE_TAG} with ARG GOLANG_IMAGE_TAG=...@sha256: is recognised as digest-pinned.
- latestReleaseTag walks /releases and picks the highest semver, rejecting compatibility-bridge prerelease suffixes (v3.1.0-node20) and internal bundle tags (codeql-bundle-v2.25.2).
- advisoriesForRef filters GHSA hits by vulnerable_version_range so a SHA pinned to a patched version no longer trips ISSUE-114.
- /advisories URLs inlined in ISSUE-114 messages so terminals render clickable links.

Legacy JSON output preservation:
- Per-control *Result blocks (imageForbiddenTagsResult, hardcodedJobsResult, branchProtectionResult, ...) reconstructed at write time from the IR + Rego findings, restoring the issues / metrics / compliance triplet downstream consumers parsed.
- Per-issue structured payload preserved (link, tag, status, variableName, value, location, serviceImage, detail, scriptBlock, branchName, type, originHash, ...).
- Per-control aggregated stats (Total Images / Pinned By Digest / Authorized / Branches to Protect / Variables Checked / Script Lines Checked / DinD Services Found / Security Jobs Found / Requirement Groups ...) computed from the IR and printed alongside the findings list.
- requirementGroups DNF breakdown (groupIndex, requiredOrigins, foundOrigins, missingOrigins, overriddenOrigins, isFullySatisfied) reproduced for requiredComponentsResult / requiredTemplatesResult.

Validated against the four getplumber/examples/go-* projects (iso), Bob74/lab-gitlab-ci-security, gitlab-org/cli, meltano/meltano, plus the plumber-src self-scan. JSON *Result blocks are 48/56 byte-iso with v0.2.19; the 8 residual diffs are issue-array ordering on three controls where the v0.2.x order came from non-deterministic Go map iteration (content sorted is identical). make build, make test, make lint, govulncheck ./... all green.

Refs #148
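The scoring-v2 section above states the weights, the per-tier caps, the dampened loss formula w * (1 + 0.5*log2(n)) and the ciValid/ciMissing short-circuit, but not how they combine into a compliance figure. The following Go program is an added worked example (not the project's own scoring code) that composes those rules on a constructed finding set so the taper and the caps can be seen numerically. The weights and caps are the ones quoted in the description; treating the Critical tier as uncapped, grouping repeats by issue code, and applying each cap to the summed loss of its tier are assumptions of this example, as is the `Score` API itself.

```go
package main

import (
	"fmt"
	"math"
)

type Severity string

const (
	Critical Severity = "Critical"
	High     Severity = "High"
	Medium   Severity = "Medium"
	Low      Severity = "Low"
)

// Finding carries only the two Finding fields scoring needs (Code, Severity).
type Finding struct {
	Code     string
	Severity Severity
}

// scoring-v2 weights and per-tier caps as quoted in the PR description.
// The description lists no Critical cap; leaving it uncapped is an assumption.
var weights = map[Severity]float64{Critical: 25, High: 20, Medium: 8, Low: 3}
var tierCaps = map[Severity]float64{High: 60, Medium: 20, Low: 10}

// Loss applies w * (1 + 0.5*log2(n)) for n occurrences of one issue code:
// the first hit costs the full weight, every doubling of n adds half a weight.
func Loss(w float64, n int) float64 {
	return w * (1 + 0.5*math.Log2(float64(n)))
}

// ScoreResult is the per-tier breakdown plus the final 0..100 compliance value.
type ScoreResult struct {
	PerTier    map[Severity]float64 // loss per tier after the tier cap
	TotalLoss  float64
	Compliance float64
}

// Score groups findings by (code, severity), dampens repeats, caps each tier
// (assumption: the cap applies to the tier's summed loss) and subtracts the
// total from 100. ciValid=false or ciMissing=true short-circuits to 0, because
// an empty findings list there means the analysis failed, not that it passed.
func Score(findings []Finding, ciValid, ciMissing bool) ScoreResult {
	res := ScoreResult{PerTier: map[Severity]float64{}}
	if !ciValid || ciMissing {
		return res
	}
	type key struct {
		code string
		sev  Severity
	}
	counts := map[key]int{}
	for _, f := range findings {
		counts[key{f.Code, f.Severity}]++
	}
	for k, n := range counts {
		res.PerTier[k.sev] += Loss(weights[k.sev], n)
	}
	for sev, v := range res.PerTier {
		if c, ok := tierCaps[sev]; ok && v > c {
			v = c
		}
		res.PerTier[sev] = v
		res.TotalLoss += v
	}
	res.Compliance = math.Max(0, 100-res.TotalLoss)
	return res
}

// SampleFindings is a constructed finding set: one code repeated four times,
// a second High code once, a Medium code twice and a Low code eight times.
func SampleFindings() []Finding {
	var fs []Finding
	for i := 0; i < 4; i++ {
		fs = append(fs, Finding{"ISSUE-114", High})
	}
	fs = append(fs, Finding{"ISSUE-101", High})
	fs = append(fs, Finding{"ISSUE-401", Medium}, Finding{"ISSUE-401", Medium})
	for i := 0; i < 8; i++ {
		fs = append(fs, Finding{"ISSUE-505", Low})
	}
	return fs
}

func main() {
	r := Score(SampleFindings(), true, false)
	for _, sev := range []Severity{Critical, High, Medium, Low} {
		fmt.Printf("%-8s loss %.1f\n", sev, r.PerTier[sev])
	}
	fmt.Printf("total loss %.1f, compliance %.1f\n", r.TotalLoss, r.Compliance)
	fmt.Printf("ciValid=false => compliance %.0f\n", Score(SampleFindings(), false, false).Compliance)
}
```

With these inputs the four ISSUE-114 hits cost 20 * (1 + 0.5*2) = 40 rather than 80, the High tier (40 + 20) lands exactly on its 60 cap, and eight Low repeats cost only 7.5 of the 10 the tier allows, which is the taper the description refers to.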
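The CLI / output list above says the Dockerfile parser now resolves ARG defaults so that FROM golang:${GOLANG_IMAGE_TAG} with a digest-bearing ARG default counts as digest-pinned. The Go program below is an added example of that resolution step (not the project's parser) on a constructed Dockerfile; the `ResolveBaseImages` and `IsDigestPinned` names, the skipping of FROM lines that name an earlier build stage, and the lack of support for line continuations and ${VAR:-default} forms are all assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// digestRe matches an image reference that ends in a full sha256 digest.
var digestRe = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)

// IsDigestPinned reports whether ref is pinned by a complete sha256 digest;
// a tag alone or a truncated digest does not count.
func IsDigestPinned(ref string) bool {
	return digestRe.MatchString(ref)
}

// BaseImage is one FROM instruction after ARG substitution.
type BaseImage struct {
	Line   int    // 1-based line of the FROM instruction
	Ref    string // image reference with $VAR / ${VAR} expanded
	Pinned bool
}

// ResolveBaseImages records ARG defaults declared before each FROM, expands
// $VAR and ${VAR} in the FROM image via os.Expand, and skips FROM lines that
// refer to an earlier stage alias (not a registry pull). Assumptions: no
// backslash continuations, no ${VAR:-default}, ARG defaults without spaces.
func ResolveBaseImages(dockerfile string) []BaseImage {
	args := map[string]string{}
	stages := map[string]bool{}
	var out []BaseImage
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		switch strings.ToUpper(fields[0]) {
		case "ARG":
			for _, kv := range fields[1:] {
				if name, val, ok := strings.Cut(kv, "="); ok {
					args[name] = strings.Trim(val, `"'`)
				}
			}
		case "FROM":
			var img, alias string
			for i := 1; i < len(fields); i++ {
				tok := fields[i]
				switch {
				case strings.HasPrefix(tok, "--"):
					continue // --platform=... and similar flags
				case img == "":
					img = tok
				case strings.EqualFold(tok, "AS") && i+1 < len(fields):
					alias = fields[i+1]
					i++
				}
			}
			if img == "" {
				continue
			}
			ref := os.Expand(img, func(k string) string { return args[k] })
			if alias != "" {
				stages[alias] = true
			}
			if stages[ref] {
				continue // refers to an earlier build stage, not an image
			}
			out = append(out, BaseImage{Line: n, Ref: ref, Pinned: IsDigestPinned(ref)})
		}
	}
	return out
}

// SampleDockerfile is a constructed input: a digest-bearing ARG default used
// in a FROM, an unpinned tag behind a second ARG, and a stage reference.
var SampleDockerfile = `# syntax=docker/dockerfile:1
ARG GOLANG_IMAGE_TAG=1.22.5-bookworm@sha256:` + strings.Repeat("ab", 32) + `
ARG ALPINE_TAG=3.20
FROM golang:${GOLANG_IMAGE_TAG} AS build
FROM --platform=linux/amd64 alpine:$ALPINE_TAG AS runtime
FROM build AS test
`

func main() {
	for _, img := range ResolveBaseImages(SampleDockerfile) {
		fmt.Printf("line %d: %s pinned=%v\n", img.Line, img.Ref, img.Pinned)
	}
}
```

Substituting before the digest check is the whole point: matched against the raw `golang:${GOLANG_IMAGE_TAG}` text, the first FROM would be reported as unpinned even though the build actually pulls by digest.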