Add redhat_security policy collection#1766
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughThis PR adds ChangesRed Hat security collection rollout
Estimated code review effort: 3 (Moderate) | ~20 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
🤖 Finished Review · ✅ Success · Started 1:02 PM UTC · Completed 1:08 PM UTC |
ReviewVerdict: approve ✅ SummaryThis PR adds a new What was reviewed
Correctness
SecurityNo security concerns. The change adds a collection tag for organizational grouping. No authentication, authorization, data exposure, or privilege changes. Scope & intentThe PR is well-scoped: one new collection, annotation tagging, test updates, and doc regeneration. The reference to internal ProdSec documentation (EC-1967) provides traceability. The Labels: PR adds a new policy collection (redhat_security) — a new feature Previous runReviewFindingsLow
Previous run (2)Looks good to me Previous run (3)Looks good to me |
|
🤖 Review · |
|
🤖 Finished Review · ✅ Success · Started 1:23 PM UTC · Completed 1:28 PM UTC |
|
🤖 Finished Review · ✅ Success · Started 1:39 PM UTC · Completed 1:53 PM UTC |
|
Will the new collection appear right away in https://conforma.dev/docs/policy/release_policy.html#_available_rule_collections ? |
|
@simonbaird yes it will. i didn't see it as a problem, since we already have the |
|
/fs-fix rebase on top of main and resolve the conflicts |
|
oh fullsend doesn't run on forks...makes sense. I'll do it myself like in 2025 |
Create a new redhat_security collection containing all rego rules mapped to a Red Hat ProdSec requirement. The mapping source is the conforma-prodsec-mapping.json file from EC-1967. 124 release rules across 33 files get redhat_security added to their collections annotation. Two additional dependency rules (cve_results_found and pipeline_has_tasks) are included to satisfy the conventions-check requirement that dependencies share the same collections. This is additive. It does not modify or replace the existing redhat collection. Ref: https://redhat.atlassian.net/browse/EC-1967 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
🤖 Finished Review · ✅ Success · Started 2:14 PM UTC · Completed 2:20 PM UTC |
Acepresso
left a comment
There was a problem hiding this comment.
Do we have a test that covers the use of the new collection?
|
@Acepresso AFAIK we don't have tests that cover the specific collections. Were you thinking about something specifically? |
I was thinking of the most basic use case - when a policy includes the new collection, the rules are included and the exit code is 0. |
Add a
redhat_securitycollection containing the 124 release rules that map toa ProdSec requirement. The mapping comes from the conforma-prodsec internal docs.
The existing
redhatcollection is unchanged. This is purely additive.policy/release/collection/redhat_security/redhat_securityin theircollections:annotationcollections:field now have onemaven_repos_test.regoassertions to match20 non-release rules (pipeline, task, build_task, stepaction) and 2 builtin rules
are in the mapping but not tagged, since collections only apply to release rules.
Ref: EC-1967
Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com