feat: extend devcontainer to include OPA provider test content #540
Open
hbraswelrh wants to merge 7 commits into
Force-pushed b5f6f44 to e5b7460
This was referenced Jun 3, 2026
gvauter (Member) previously approved these changes on Jun 3, 2026 and left a comment:
LGTM — clean PR with complete spec artifacts, appropriate test coverage, all CI green, and no security or constitutional concerns. Independently mergeable ahead of the companion provider PR.
This review was generated by /review-pr (AI-assisted).
Add spec artifacts for extending the devcontainer environment to include testable OPA provider content (issue complytime#535). Covers embedded OPA Gemara testdata, complypack artifact seeding, and workspace configuration for end-to-end get -> generate -> scan testing with the OPA provider.

Depends-on: complytime#536 (complypack pull support)
Closes: complytime#535
Add OPA Gemara testdata, Rego policies, and workspace config for end-to-end OPA provider testing in the devcontainer.

Mock registry:
- test-opa-catalog.yaml: container security controls (run-as-nonroot, resource-limits) with OPA-evaluable requirements
- test-opa-policy.yaml: policy with executor.id: opa and two assessment plans
- seedDefaults() seeds policies/test-opa-policy alongside the existing Ampel policy

OPA complypack content (for PR complytime#536 integration):
- run_as_nonroot.rego: checks securityContext.runAsNonRoot
- resource_limits.rego: checks container resource limits
- complytime-mapping.json: maps requirement IDs to Rego namespaces

Workspace:
- complytime.yaml: test-opa-bp policy-id + test-k8s-deployment target with input variable
- test-deployment.yaml: sample K8s deployment for OPA evaluation
- post-create.sh: copies test deployment input to workspace

Complypack tasks (2.3, 2.4, 3.2) are blocked on PR complytime#536 which adds addComplypackArtifact() and complypacks: config schema.

Closes: complytime#535
Add OPA complypack seeding now that PR complytime#536 has merged:
- Embed testdata/opa-complypack/ files (Rego + mapping) via go:embed directive
- Add buildTarGzFromFS() to create multi-file tar.gz from embedded filesystem at startup
- Seed complypacks/test-opa-complypack with evaluator-id: opa via addComplypackArtifact() in seedDefaults()
- Add complypacks entry to complytime.yaml pointing at localhost:8765/complypacks/test-opa-complypack
Move the OPA test deployment YAML from committed testdata to inline generation in post-create.sh. Shipping a Kubernetes Deployment manifest in the repo triggers GitHub Advanced Security (Trivy) false positives for missing security fields. The post-create script now generates test-deployment.yaml directly in the test workspace at container setup time.
Add metadata.applicability-groups with k8s-deployments entry and reference it from assessment-requirement applicability fields. The CUE schema requires applicability-groups when controls are defined, and applicability values must reference valid applicability-group IDs. Also reorder fields to match the canonical layout (metadata before groups before controls).
- Add CHANGELOG.md entry for OPA devcontainer content
- Add conftest to Binaries table in TESTING_ENVIRONMENT.md
- Replace string concatenation with path.Join in buildTarGzFromFS (convention SC-003 compliance for embed.FS paths)
- Add unit tests: buildTarGzFromFS, buildDummyTarGz, seedDefaults repository verification (4 tests, all passing)
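The tar.gz-from-embed.FS step that the two commit messages above describe (buildTarGzFromFS and the path.Join convention for embed.FS paths), as an added Go example that is not complyctl's own code: it walks an fs.FS building entry names with path.Join, writes a reproducible gzip-compressed tar, and reads it back with a path-traversal check on entry names. fstest.MapFS stands in for the go:embed filesystem; the function names and signatures, the "constructedFS" contents and the archive layout are assumptions made for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
	"time"
)

// constructedFS stands in for the go:embed filesystem; names follow the
// commit message, contents are made up for this example.
var constructedFS = fstest.MapFS{
	"testdata/opa-complypack/run_as_nonroot.rego":     {Data: []byte("package complytime.run_as_nonroot\n")},
	"testdata/opa-complypack/resource_limits.rego":    {Data: []byte("package complytime.resource_limits\n")},
	"testdata/opa-complypack/complytime-mapping.json": {Data: []byte("{\"version\": \"1\"}\n")},
}

// buildTarGzFromFS packs every file below dir into a gzip-compressed tar with
// entry names relative to dir. Paths are built with path.Join, never
// filepath.Join or string concatenation: embed.FS, like every fs.FS, is
// addressed with forward slashes on every OS. Assumed name and signature.
func buildTarGzFromFS(fsys fs.FS, dir string) ([]byte, error) {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	var addDir func(src, dst string) error
	addDir = func(src, dst string) error {
		entries, err := fs.ReadDir(fsys, src) // sorted by name, so the archive is deterministic
		if err != nil {
			return err
		}
		for _, e := range entries {
			srcPath, dstPath := path.Join(src, e.Name()), path.Join(dst, e.Name())
			if e.IsDir() {
				if err := addDir(srcPath, dstPath); err != nil {
					return err
				}
				continue
			}
			data, err := fs.ReadFile(fsys, srcPath)
			if err != nil {
				return err
			}
			hdr := &tar.Header{Typeflag: tar.TypeReg, Name: dstPath, Mode: 0o644,
				Size: int64(len(data)), ModTime: time.Unix(0, 0).UTC()} // fixed mtime: reproducible bytes
			if err := tw.WriteHeader(hdr); err != nil {
				return err
			}
			if _, err := tw.Write(data); err != nil {
				return err
			}
		}
		return nil
	}
	if err := addDir(dir, ""); err != nil {
		return nil, err
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	err := gz.Close()
	return buf.Bytes(), err
}

// readTarGz unpacks an archive into a name -> content map so seeded content
// can be verified, rejecting names that would escape the extraction root.
func readTarGz(data []byte) (map[string]string, error) {
	gz, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	out := map[string]string{}
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		name := path.Clean(hdr.Name)
		if path.IsAbs(name) || name == ".." || strings.HasPrefix(name, "../") {
			return nil, fmt.Errorf("tar entry %q escapes the archive root", hdr.Name)
		}
		body, err := io.ReadAll(tr)
		if err != nil {
			return nil, err
		}
		out[name] = string(body)
	}
}
```

Calling buildTarGzFromFS(constructedFS, "testdata/opa-complypack") yields an archive whose three entries are named run_as_nonroot.rego, resource_limits.rego and complytime-mapping.json, and building it twice yields identical bytes. The traversal check in readTarGz matters on the consuming side: a complypack pulled from a registry is untrusted input, and an entry named ../something must never reach the filesystem.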
The OPA provider's MappingEntry struct uses JSON tags 'id' (Rego namespace) and 'requirement_id' (underscore). The testdata had 'requirement-id' (hyphen) and 'namespace', which unmarshal as empty strings and fail validation. Also add the 'version' field expected by MappingFile.
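The decode failure the commit message above describes, as an added Go example (not the provider's source): a struct carrying the JSON tags the message names, the hyphenated input decoding to empty strings under plain json.Unmarshal with no error, and a strict decoder plus validation that turns that silent failure into a hard error. The "mappings" key, the requirement IDs, the field set and the Rego package-path check are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
)

// MappingEntry and MappingFile mirror the JSON tags named in the commit message
// ("id" for the Rego namespace, "requirement_id", "version"). The "mappings"
// key and the absence of other fields are assumptions, not the provider's source.
type MappingEntry struct {
	ID            string `json:"id"`
	RequirementID string `json:"requirement_id"`
}

type MappingFile struct {
	Version  string         `json:"version"`
	Mappings []MappingEntry `json:"mappings"`
}

// Constructed inputs: beforeFix has the key shapes the commit message says the
// testdata originally had; afterFix uses the expected tags. IDs are made up.
var beforeFix = []byte(`{
  "mappings": [
    {"namespace": "complytime.run_as_nonroot", "requirement-id": "CTR-001"}
  ]
}`)

var afterFix = []byte(`{
  "version": "1",
  "mappings": [
    {"id": "complytime.run_as_nonroot",  "requirement_id": "CTR-001"},
    {"id": "complytime.resource_limits", "requirement_id": "CTR-002"}
  ]
}`)

// regoPackagePath matches a dotted Rego package path such as complytime.run_as_nonroot.
var regoPackagePath = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$`)

// lenientParse is plain json.Unmarshal: unknown keys are ignored, so
// "requirement-id" and "namespace" decode to empty strings without any error.
func lenientParse(data []byte) (*MappingFile, error) {
	var mf MappingFile
	if err := json.Unmarshal(data, &mf); err != nil {
		return nil, err
	}
	return &mf, nil
}

// strictParse fails fast on misspelled keys via DisallowUnknownFields and then
// validates the decoded values, so a bad mapping can never map nothing silently.
func strictParse(data []byte) (*MappingFile, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	var mf MappingFile
	if err := dec.Decode(&mf); err != nil {
		return nil, fmt.Errorf("decode mapping: %w", err)
	}
	if err := validateMapping(&mf); err != nil {
		return nil, err
	}
	return &mf, nil
}

// validateMapping enforces what the decoder cannot: required fields present
// and every namespace shaped like a Rego package path.
func validateMapping(mf *MappingFile) error {
	if mf.Version == "" {
		return fmt.Errorf("mapping: version is required")
	}
	if len(mf.Mappings) == 0 {
		return fmt.Errorf("mapping: no entries")
	}
	for i, m := range mf.Mappings {
		if m.ID == "" || m.RequirementID == "" {
			return fmt.Errorf("mapping[%d]: id and requirement_id are required", i)
		}
		if !regoPackagePath.MatchString(m.ID) {
			return fmt.Errorf("mapping[%d]: %q is not a Rego package path", i, m.ID)
		}
	}
	return nil
}

func main() {
	mf, _ := lenientParse(beforeFix) // constant, valid JSON: never errors
	fmt.Printf("lenient: id=%q requirement_id=%q (silently empty)\n", mf.Mappings[0].ID, mf.Mappings[0].RequirementID)
	_, err := strictParse(beforeFix)
	fmt.Println("strict, before fix:", err)
	fixed, err := strictParse(afterFix)
	fmt.Println("strict, after fix:", err, len(fixed.Mappings), "entries")
}
```

The point of the pairing is that encoding/json's default behaviour is to drop unknown keys, so a tag mismatch looks like a valid document with blank fields until something downstream trips over them; DisallowUnknownFields surfaces the mismatch at the decode site, where the error message names the offending key.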
Force-pushed 7a7151f to fce72a6
Summary
Add OPA provider test content to the devcontainer environment, enabling end-to-end get -> generate -> scan testing with the OPA provider alongside the existing Ampel workflow.
Codespace Testing
complyctl list once complyctl get complyctl generate is still looking for the target variable for the opa_bundle_ref which will be addressed in a separate PR.

Related Issues
Closes #539
complytime-providers repo to address the opa_bundle_ref requirement that needs to be bypassed by the complypack configuration.

Dependencies
complypacks: config schema, addComplypackArtifact() in the mock registry, and ComplypackContentPath proto field
update to consume ComplypackContentPath as an alternative to opa_bundle_ref + conftest pull

Implementation begins after PR #536 merges. The complyctl-side changes (testdata + config) are independently mergeable — they are inert until the provider supports ComplypackContentPath.

Planned Changes
- cmd/mock-oci-registry/testdata/: executor.id: opa
- cmd/mock-oci-registry/main.go: seedDefaults()
- tests/cross-repo/testdata/complytime.yaml
- .devcontainer/scripts/post-create.sh
- docs/TESTING_ENVIRONMENT.md

End-to-End Flow
OpenSpec Artifacts
Spec artifacts at openspec/changes/opa-devcontainer-content/ (proposal, design, specs/opa-test-content, tasks).