Skip to content

fix: adds mapping to /comply:pack-assessment#133

Open
hbraswelrh wants to merge 5 commits into
complytime:mainfrom
hbraswelrh:fix/pack-assessment-mappings
Open

fix: adds mapping to /comply:pack-assessment#133
hbraswelrh wants to merge 5 commits into
complytime:mainfrom
hbraswelrh:fix/pack-assessment-mappings

Conversation

@hbraswelrh

@hbraswelrh hbraswelrh commented Jul 10, 2026

Copy link
Copy Markdown
Member

Summary

Adds a new Step 8 to the /comply:pack-assessment skill that generates provider-specific mapping files after writing policy files to disk. Supports OPA and AMPEL for mapping rego namespaces to requirement_ids and granular policies to requirement_ids. Checklist item added to verify mapping file generation.

Related Issues

Review Hints

  • Run /comply:pack-assessment with evaluator-id: opa and verify compliance-mapping.json is generated with correct Rego package-to-requirement mappings
  • Run /comply:pack-assessment with evaluator-id: ampel and verify granular policy files and complytime-ampel-policy.json bundle are generated
  • Confirm existing policy generation steps (1–7) are unaffected

Signed-off-by: Hannah Braswell <hbraswel@redhat.com>
@hbraswelrh hbraswelrh force-pushed the fix/pack-assessment-mappings branch from d656ccd to efcc853 Compare July 10, 2026 18:08
@hbraswelrh hbraswelrh requested a review from jpower432 July 10, 2026 18:08

1. List all `.rego` files in the policy directory
2. For each file, extract the `package` declaration (e.g., `package kubernetes.tls_version`)
3. Match each package namespace to its corresponding `requirement-id` from the Policy's `adherence.assessment-plans`

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it the requirement-id or the plan-id?

@hbraswelrh hbraswelrh Jul 10, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's the requirement_id for the rego namespace. Here's complytime-providers documentation for reference. The gemara Policy assessment-plans.requirement-id doesn't include the plan-* prefix

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Testing this PR and going to push a bundle. I will share it with you

@jpower432 jpower432 marked this pull request as ready for review July 13, 2026 13:09
@jpower432 jpower432 requested a review from a team as a code owner July 13, 2026 13:09
@jpower432 jpower432 requested review from gvauter and sonupreetam and removed request for a team July 13, 2026 13:09

@gvauter gvauter left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] OPA mapping filename mismatch — compliance-mapping.json should be complytime-mapping.json

The OPA provider expects complytime-mapping.json (defined as a constant at complytime-providers/cmd/opa-provider/generate/mapping.go:22):

MappingFileName = "complytime-mapping.json"

The PR uses compliance-mapping.json in 4 locations, which would cause the same LoadMapping() file-not-found error reported in #132.

The issue #132 description text uses compliance-mapping.json, but the embedded error output and the provider source code both use complytime-mapping.json. The PR followed the description rather than the source of truth.

This review was generated by /review-pr (AI-assisted).

Comment thread skills/pack-assessment/SKILL.md Outdated
Comment thread skills/pack-assessment/SKILL.md Outdated
Comment thread skills/pack-assessment/SKILL.md Outdated
Comment thread skills/pack-assessment/SKILL.md Outdated
sonupreetam and others added 4 commits July 13, 2026 16:55
Co-authored-by: George V <gvauter@redhat.com>
Co-authored-by: George V <gvauter@redhat.com>
Co-authored-by: George V <gvauter@redhat.com>
Co-authored-by: George V <gvauter@redhat.com>
@gvauter gvauter self-requested a review July 13, 2026 15:46

@gvauter gvauter left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

description: Use when user mentions Rego, Conftest, OPA, AMPEL, "generate policy", or "assessment logic" in the context of Gemara catalogs. Generates policies from Gemara Control Catalogs for Kubernetes (Deployments, Pods, DaemonSets, StatefulSets, CronJobs, Jobs, Services, NetworkPolicies, Ingress, RBAC, ConfigMaps, Secrets), CI/CD pipelines (GitHub Actions, GitLab CI, Azure Pipelines), Conftest, OPA, or AMPEL
---

# /comply:pack-assessment — Rego Policy Generation and Assessment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# /comply:pack-assessment — Rego Policy Generation and Assessment
# /comply:pack-assessment — Rego/AMPEL Policy Generation and Assessment

Since the skill now covers AMPEL, these should be generalized.

| 6. Generate policy | Write Rego against schema contract | .rego file |
| 7. Write to disk | Save to `policy/` | File on disk |
| 8. Validate | Contract check then test | Pass/fail results |
| 8. Generate provider mapping | Create provider-specific mapping file | `complytime-mapping.json` (OPA) or `complytime-ampel-policy.json` (Ampel) |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| 8. Generate provider mapping | Create provider-specific mapping file | `complytime-mapping.json` (OPA) or `complytime-ampel-policy.json` (Ampel) |
| 8. Generate provider mapping | Create provider-specific mapping file | `complytime-mapping.json` (OPA) or granular policy files (AMPEL) |

Comment on lines +94 to +96
### Ampel provider (`evaluator-id: ampel`) — granular policy files + `complytime-ampel-policy.json`

Generate one JSON file per assessment requirement (granular policy), then merge them into a single `complytime-ampel-policy.json` bundle.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
### Ampel provider (`evaluator-id: ampel`) — granular policy files + `complytime-ampel-policy.json`
Generate one JSON file per assessment requirement (granular policy), then merge them into a single `complytime-ampel-policy.json` bundle.
### AMPEL provider (`evaluator-id: ampel`) — granular policy files
Generate one JSON file per assessment requirement (granular policy). Each file's `id` field must match the Gemara `requirement-id` from `adherence.assessment-plans` — this is how the AMPEL provider matches policies to requirements (no separate mapping file is needed).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

compliance-mapping.json missing from /comply:pack-assessment skill

4 participants