feat(policies): lenient structured finding validation at runtime#2967

Open
migmartri wants to merge 1 commit into chainloop-dev:main from migmartri:worktree-agile-wibbling-eagle

Conversation

@migmartri
Member

Summary

  • Add WithLenientFindingValidation() option to PolicyVerifier that makes structured finding validation errors non-fatal at runtime
  • When validation fails in lenient mode, violations are preserved as plain strings with FindingDegraded=true and a warning instead of failing the entire evaluation
  • Runtime crafter uses lenient mode; CLI policy develop eval keeps strict validation for fast feedback during policy authoring
  • Add finding_degraded boolean field to the Violation proto message so downstream consumers can distinguish intentionally unstructured violations from degraded ones
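The strict-versus-lenient behaviour the summary describes, as an added illustration that is not Chainloop's code: PolicyVerifier, its functional option, the Violation struct and the "JSON object with a message key" check are hypothetical stand-ins for the real types and the real structured-finding schema.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Violation mirrors the PR's proto shape: the message plus FindingDegraded.
type Violation struct {
	Message         string
	FindingDegraded bool
}

// PolicyVerifier and its option are hypothetical stand-ins; strict is the default.
type PolicyVerifier struct {
	lenient  bool
	Warnings []string // non-fatal validation problems recorded in lenient mode
}

func WithLenientFindingValidation() func(*PolicyVerifier) {
	return func(v *PolicyVerifier) { v.lenient = true }
}

func NewPolicyVerifier(opts ...func(*PolicyVerifier)) *PolicyVerifier {
	v := &PolicyVerifier{}
	for _, o := range opts {
		o(v)
	}
	return v
}

// Evaluate treats each raw finding as a JSON object with a "message" key (a toy
// schema). Strict mode fails the whole evaluation on a malformed one; lenient
// mode keeps it as a plain string, flags it degraded and records a warning.
func (v *PolicyVerifier) Evaluate(raw []string) ([]Violation, error) {
	var out []Violation
	for i, r := range raw {
		var f struct{ Message string `json:"message"` }
		if err := json.Unmarshal([]byte(r), &f); err == nil && f.Message != "" {
			out = append(out, Violation{Message: f.Message})
			continue
		}
		if !v.lenient {
			return nil, fmt.Errorf("finding %d is not a valid structured finding: %q", i, r)
		}
		v.Warnings = append(v.Warnings, fmt.Sprintf("finding %d degraded: not a valid structured finding", i))
		out = append(out, Violation{Message: r, FindingDegraded: true})
	}
	return out, nil
}
```

A consumer that reads FindingDegraded can tell a finding that was deliberately emitted as a plain string from one that was downgraded because it failed validation.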


@cubic-dev-ai (bot) left a comment


No issues found across 8 files

Make structured finding validation errors non-fatal during attestation
crafting while keeping strict validation in policy development mode.

When a policy returns malformed structured data at runtime, the violation
is preserved as a plain string with FindingDegraded=true and a warning,
instead of failing the entire evaluation.

Add WithLenientFindingValidation() option to PolicyVerifier using the
existing functional options pattern. The CLI policydevel path keeps strict
validation (default) for fast feedback during policy authoring.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri force-pushed the worktree-agile-wibbling-eagle branch from c66211c to aeccc43 on March 30, 2026 20:55
Member

@jiparis left a comment


Approving, but it's not clear to me what the use case is for those warnings. Are they shown or included in the attestation somehow?
