Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conftest does not support returning details of a PASS conftest output #844

Open
ssodhi-intuit opened this issue Jul 14, 2023 · 5 comments
Open
Labels
question Further information is requested

Comments

@ssodhi-intuit
Copy link

We are using conftest evaluator for evaluating infrastructure code against some set of rules. From auditing standpoint it would be useful to not only display violations but also display which resource is passing the set of rules.

Is there any guidance on how it can be supported in conftest out of the box, if not is there guidance for library consumer on how to do above mentioned without having to explicitly write another rule for non violation?

@jalseth jalseth added the question Further information is requested label Jul 15, 2023
@jalseth
Copy link
Member

jalseth commented Jul 15, 2023

Edit: Apologies I misread the question, my previous comment wasn't relevant.

Showing the "successes" without additional rules isn't possible. Rego is a query language, so the only thing Conftest gets back from the OPA engine are the matches for the deny rules. You may also want to read #731 (comment) for related (slightly different request) previous discussion on this.

@ssodhi-intuit
Copy link
Author

ssodhi-intuit commented Jul 17, 2023

Appreciate your input. We are also looking into other open source tools, and found that regula is solving this problem by implementing a wrapper rego code that evaluates the object and populates PASS in addition to any FAILURE.
Reference:

  1. Regula github
  2. Wrapper code

Wondering if this is something you can support as well?

@boranx
Copy link
Member

boranx commented Jul 20, 2023

here are my 2 cents:
We could do that as an extra step when the query is evaluated: https://github.com/open-policy-agent/conftest/blob/master/policy/engine.go#L444
If we compare the input with resultSet, and get a diff to see what tests are not evaluated(passing- aka nomatch), then we'd be able to check their locations as well
However, this would be an overhead as it wouldn't have any effect on the outcome(query evaluation) besides pretty printing of the success scenarios

@apratinav-intuit
Copy link

@jalseth @boranx Thanks for your input.

We did some more study and wanted to check if you see any issues in supporting Allow rule in Conftest? Right now, we do see Conftest has support for Violation/Warn/Deny rules. Having support for Allow rule would give control back to policy author and write more rules that would let them show non-violating (or compliant) resources. Of course this would mean some additional changes in the code like adding support for allow rule, the way success count is populated, display allowed resource details in different conftest supported format (like json.. so on) etc.

We wanted to hear your thoughts and check that you would be open to taking that as PR contribution to this repo.

Looking forward to hearing from you.

Thanks
Akshay

@boranx
Copy link
Member

boranx commented Aug 14, 2023

do you think would #584 help to address the need or you think "allow" would need to be introduced anyway?
I'd like to loop @jpreese too as he might have better insights overall

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests

4 participants