Skip to content

Add redhat_security policy collection#1766

Open
st3penta wants to merge 1 commit into
conforma:mainfrom
st3penta:EC-1967
Open

Add redhat_security policy collection#1766
st3penta wants to merge 1 commit into
conforma:mainfrom
st3penta:EC-1967

Conversation

@st3penta

@st3penta st3penta commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Add a redhat_security collection containing the 124 release rules that map to
a ProdSec requirement. The mapping comes from the conforma-prodsec internal docs.

The existing redhat collection is unchanged. This is purely additive.

  • New collection definition at policy/release/collection/redhat_security/
  • 124 rules across 33 rego files get redhat_security in their collections: annotation
  • 5 rules that previously had no collections: field now have one
  • Updated maven_repos_test.rego assertions to match

20 non-release rules (pipeline, task, build_task, stepaction) and 2 builtin rules
are in the mapping but not tagged, since collections only apply to release rules.

Ref: EC-1967

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This PR adds redhat_security across release policy metadata, introduces the new collection.redhat_security module, updates related package docs, and expands release policy navigation and test expectations to reference the new collection.

Changes

Red Hat security collection rollout

Layer / File(s) Summary
Collection module and core policy metadata
policy/release/collection/redhat_security/redhat_security.rego, policy/release/attestation_type/..., policy/release/base_image_registries/..., policy/release/buildah_build_task/..., policy/release/cve/..., policy/release/external_parameters/..., policy/release/git_branch/..., policy/release/github_certificate/..., policy/release/hermetic_task/..., policy/release/labels/..., policy/release/maven_repos/..., policy/release/olm/..., policy/release/pre_build_script_task/..., policy/release/prefetch_dependencies/..., policy/release/provenance_materials/..., policy/release/rhtap_multi_ci/..., policy/release/rpm_build_deps/..., policy/release/rpm_ostree_task/..., policy/release/rpm_pipeline/..., policy/release/rpm_repos/..., policy/release/rpm_signature/...
Adds the new collection module and extends metadata collection lists or collection comments across the release policy modules.
SBOM, SLSA, source-image, tasks, and test policy metadata
policy/release/sbom/..., policy/release/sbom_cyclonedx/..., policy/release/sbom_spdx/..., policy/release/slsa_build_build_service/..., policy/release/slsa_build_scripted_build/..., policy/release/slsa_provenance_available/..., policy/release/slsa_source_correlated/..., policy/release/slsa_source_version_controlled/..., policy/release/source_image/..., policy/release/tasks/..., policy/release/test/..., policy/release/test_attestation/..., policy/release/trusted_task/..., policy/release/maven_repos_test.rego
Adds redhat_security to metadata collections and updates Maven repos deny expectations to include the new collection value.
Package documentation source links
antora/docs/modules/ROOT/pages/packages/release_*.adoc
Updates embedded source line references for the affected package documentation pages.
Release policy catalog
antora/docs/modules/ROOT/pages/release_policy.adoc, antora/docs/modules/ROOT/partials/release_policy_nav.adoc
Adds the new redhat_security ruleset entry and matching navigation xref.

Estimated code review effort: 3 (Moderate) | ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly names the new redhat_security policy collection, which is the main change.
Description check ✅ Passed The description is directly about adding the new redhat_security collection and related rule tagging.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 3, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:02 PM UTC · Completed 1:08 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review

Verdict: approve

Summary

This PR adds a new redhat_security policy collection containing 124 release rules mapped to Red Hat ProdSec requirements. The change is purely additive — the existing redhat collection and all rule logic are unchanged.

What was reviewed

  • New collection definition (policy/release/collection/redhat_security/redhat_security.rego) — follows the exact same pattern as all 8 existing collections (package declaration + METADATA title/description + import rego.v1). ✅

  • 33 .rego file annotation updates — each adds - redhat_security to the collections: list in the rule's METADATA comment block. Mechanical, consistent, and correct. ✅

  • 5 previously-uncollected rules now have a collections: field for the first time:

    • external_parameters.pipeline_run_params
    • external_parameters.restrict_shared_volumes
    • sbom_spdx.contains_packages
    • sbom_spdx.contains_files
    • sbom_spdx.matches_image

    These rules existed without collection annotations — the PR adds them to redhat_security only. No other collection membership is affected. ✅

  • Test updates (maven_repos_test.rego) — all assertion sets correctly updated to include "redhat_security" in expected collections arrays. Every modified assertion was verified against the corresponding annotation change. ✅

  • Generated documentation — Antora .adoc files show expected line-number shifts from the added annotation lines, and release_policy.adoc includes the full 124-rule listing for the new collection in the correct alphabetical position. Nav partial updated. Consistent with make generate-docs output. ✅

Correctness

  • No rule logic is modified — only METADATA comment annotations change.
  • The collection definition file contains no executable rules, matching all existing collections.
  • The redhat collection is truly unchanged: no annotation in the diff removes or reorders existing collection membership.
  • The PR description claims 124 rules across 33 rego files — verified against the diff (66 changed files = 33 rego + 33 adoc counterparts).

Security

No security concerns. The change adds a collection tag for organizational grouping. No authentication, authorization, data exposure, or privilege changes.

Scope & intent

The PR is well-scoped: one new collection, annotation tagging, test updates, and doc regeneration. The reference to internal ProdSec documentation (EC-1967) provides traceability. The Co-Authored-By: Claude Opus 4.6 attribution is transparent about AI assistance.


Labels: PR adds a new policy collection (redhat_security) — a new feature

Previous run

Review

Findings

Low

  • [Collections annotation ordering consistency] policy/release/attestation_type/attestation_type.rego (and 32 other rego files) — The redhat_security collection is appended at the end of each rule's collections list, which places it after non-redhat collections like slsa3 and policy_data in some rules. However, the existing codebase does not enforce a strict grouping convention for redhat-branded collections (e.g., slsa_provenance_available.rego already orders slsa3 before redhat), so appending at the end is a reasonable approach. No action required.
Previous run (2)

Looks good to me

Previous run (3)

Looks good to me

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jul 3, 2026
@codecov

codecov Bot commented Jul 3, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
unit-tests 100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
...icy/release/attestation_type/attestation_type.rego 100.00% <ø> (ø)
...e/base_image_registries/base_image_registries.rego 100.00% <ø> (ø)
...release/buildah_build_task/buildah_build_task.rego 100.00% <ø> (ø)
policy/release/cve/cve.rego 100.00% <ø> (ø)
...lease/external_parameters/external_parameters.rego 100.00% <ø> (ø)
policy/release/git_branch/git_branch.rego 100.00% <ø> (ø)
...release/github_certificate/github_certificate.rego 100.00% <ø> (ø)
policy/release/hermetic_task/hermetic_task.rego 100.00% <ø> (ø)
policy/release/labels/labels.rego 100.00% <ø> (ø)
policy/release/maven_repos/maven_repos.rego 100.00% <ø> (ø)
... and 24 more
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 3, 2026

Copy link
Copy Markdown

🤖 Review · ⚠️ Cancelled · Started 1:15 PM UTC · Ended 1:20 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 3, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:23 PM UTC · Completed 1:28 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 3, 2026
@github-actions github-actions Bot added size: XL and removed size: L labels Jul 3, 2026
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 3, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 1:39 PM UTC · Completed 1:53 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 3, 2026
simonbaird
simonbaird previously approved these changes Jul 8, 2026

@simonbaird simonbaird left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm.

@simonbaird

Copy link
Copy Markdown
Member

Will the new collection appear right away in https://conforma.dev/docs/policy/release_policy.html#_available_rule_collections ?

@st3penta

Copy link
Copy Markdown
Contributor Author

@simonbaird yes it will. i didn't see it as a problem, since we already have the redhat collection, but we can discuss about possible alternatives if you don't like that

@st3penta

Copy link
Copy Markdown
Contributor Author

/fs-fix rebase on top of main and resolve the conflicts

@st3penta

Copy link
Copy Markdown
Contributor Author

oh fullsend doesn't run on forks...makes sense. I'll do it myself like in 2025

Create a new redhat_security collection containing all rego rules mapped
to a Red Hat ProdSec requirement. The mapping source is the
conforma-prodsec-mapping.json file from EC-1967.

124 release rules across 33 files get redhat_security added to their
collections annotation. Two additional dependency rules (cve_results_found
and pipeline_has_tasks) are included to satisfy the conventions-check
requirement that dependencies share the same collections.

This is additive. It does not modify or replace the existing redhat
collection.

Ref: https://redhat.atlassian.net/browse/EC-1967
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 10, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 2:14 PM UTC · Completed 2:20 PM UTC
Commit: 87c4a29 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge feature and removed ready-for-merge All reviewers approved — ready to merge labels Jul 10, 2026

@Acepresso Acepresso left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a test that covers the use of the new collection?

@st3penta

Copy link
Copy Markdown
Contributor Author

@Acepresso AFAIK we don't have tests that cover the specific collections.
We have a validation that ensures that rules tagged with depends_on and their dependencies are both included in a collection, but that's it.
No new rules were added in this case, it's just a "metadata" change.

Were you thinking about something specifically?

@Acepresso

Copy link
Copy Markdown
Contributor

@Acepresso AFAIK we don't have tests that cover the specific collections. We have a validation that ensures that rules tagged with depends_on and their dependencies are both included in a collection, but that's it. No new rules were added in this case, it's just a "metadata" change.

Were you thinking about something specifically?

I was thinking of the most basic use case - when a policy includes the new collection, the rules are included and the exit code is 0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

feature ready-for-merge All reviewers approved — ready to merge size: XL

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants