Conftest does not support returning details of a PASS conftest output #844
Comments
|
Edit: Apologies I misread the question, my previous comment wasn't relevant. Showing the "successes" without additional rules isn't possible. Rego is a query language, so the only thing Conftest gets back from the OPA engine are the matches for the |
|
Appreciate your input. We are also looking into other open source tools, and found that regula is solving this problem by implementing a wrapper rego code that evaluates the object and populates PASS in addition to any FAILURE. Wondering if this is something you can support as well? |
|
here are my 2 cents: |
|
@jalseth @boranx Thanks for your input. We did some more study and wanted to check if you see any issues in supporting Allow rule in Conftest? Right now, we do see Conftest has support for Violation/Warn/Deny rules. Having support for Allow rule would give control back to policy author and write more rules that would let them show non-violating (or compliant) resources. Of course this would mean some additional changes in the code like adding support for allow rule, the way success count is populated, display allowed resource details in different conftest supported format (like json.. so on) etc. We wanted to hear your thoughts and check that you would be open to taking that as PR contribution to this repo. Looking forward to hearing from you. Thanks |
We are using conftest evaluator for evaluating infrastructure code against some set of rules. From auditing standpoint it would be useful to not only display violations but also display which resource is passing the set of rules.
Is there any guidance on how it can be supported in conftest out of the box, if not is there guidance for library consumer on how to do above mentioned without having to explicitly write another rule for non violation?
The text was updated successfully, but these errors were encountered: