
Add redhat_security policy collection#1766

Open
st3penta wants to merge 1 commit into conforma:main from st3penta:EC-1967

Conversation

@st3penta st3penta commented Jul 3, 2026

Add a redhat_security collection containing the 124 release rules that map to
a ProdSec requirement. The mapping comes from the conforma-prodsec internal docs.

The existing redhat collection is unchanged. This is purely additive.

  • New collection definition at policy/release/collection/redhat_security/
  • 124 rules across 33 rego files get redhat_security in their collections: annotation
  • 5 rules that previously had no collections: field now have one
  • Updated maven_repos_test.rego assertions to match

20 non-release rules (pipeline, task, build_task, stepaction) and 2 builtin rules
are in the mapping but not tagged, since collections only apply to release rules.

Ref: EC-1967

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

coderabbitai Bot commented Jul 3, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 27a1cdd6-73d9-41b9-8e13-b92e2aa681c0

📥 Commits

Reviewing files that changed from the base of the PR and between 2a58409 and 6a4acfa.

📒 Files selected for processing (66)
  • antora/docs/modules/ROOT/pages/packages/release_attestation_type.adoc
  • antora/docs/modules/ROOT/pages/packages/release_base_image_registries.adoc
  • antora/docs/modules/ROOT/pages/packages/release_buildah_build_task.adoc
  • antora/docs/modules/ROOT/pages/packages/release_cve.adoc
  • antora/docs/modules/ROOT/pages/packages/release_external_parameters.adoc
  • antora/docs/modules/ROOT/pages/packages/release_github_certificate.adoc
  • antora/docs/modules/ROOT/pages/packages/release_labels.adoc
  • antora/docs/modules/ROOT/pages/packages/release_maven_repos.adoc
  • antora/docs/modules/ROOT/pages/packages/release_olm.adoc
  • antora/docs/modules/ROOT/pages/packages/release_pre_build_script_task.adoc
  • antora/docs/modules/ROOT/pages/packages/release_prefetch_dependencies.adoc
  • antora/docs/modules/ROOT/pages/packages/release_provenance_materials.adoc
  • antora/docs/modules/ROOT/pages/packages/release_rhtap_multi_ci.adoc
  • antora/docs/modules/ROOT/pages/packages/release_rpm_ostree_task.adoc
  • antora/docs/modules/ROOT/pages/packages/release_rpm_repos.adoc
  • antora/docs/modules/ROOT/pages/packages/release_rpm_signature.adoc
  • antora/docs/modules/ROOT/pages/packages/release_sbom.adoc
  • antora/docs/modules/ROOT/pages/packages/release_sbom_cyclonedx.adoc
  • antora/docs/modules/ROOT/pages/packages/release_sbom_spdx.adoc
  • antora/docs/modules/ROOT/pages/packages/release_slsa_build_build_service.adoc
  • antora/docs/modules/ROOT/pages/packages/release_slsa_build_scripted_build.adoc
  • antora/docs/modules/ROOT/pages/packages/release_slsa_provenance_available.adoc
  • antora/docs/modules/ROOT/pages/packages/release_slsa_source_correlated.adoc
  • antora/docs/modules/ROOT/pages/packages/release_slsa_source_version_controlled.adoc
  • antora/docs/modules/ROOT/pages/packages/release_source_image.adoc
  • antora/docs/modules/ROOT/pages/packages/release_tasks.adoc
  • antora/docs/modules/ROOT/pages/packages/release_test.adoc
  • antora/docs/modules/ROOT/pages/packages/release_test_attestation.adoc
  • antora/docs/modules/ROOT/pages/packages/release_trusted_task.adoc
  • antora/docs/modules/ROOT/pages/release_policy.adoc
  • antora/docs/modules/ROOT/partials/release_policy_nav.adoc
  • policy/release/attestation_type/attestation_type.rego
  • policy/release/base_image_registries/base_image_registries.rego
  • policy/release/buildah_build_task/buildah_build_task.rego
  • policy/release/collection/redhat_security/redhat_security.rego
  • policy/release/cve/cve.rego
  • policy/release/external_parameters/external_parameters.rego
  • policy/release/git_branch/git_branch.rego
  • policy/release/github_certificate/github_certificate.rego
  • policy/release/hermetic_task/hermetic_task.rego
  • policy/release/labels/labels.rego
  • policy/release/maven_repos/maven_repos.rego
  • policy/release/maven_repos/maven_repos_test.rego
  • policy/release/olm/olm.rego
  • policy/release/pre_build_script_task/pre_build_script_task.rego
  • policy/release/prefetch_dependencies/prefetch_dependencies.rego
  • policy/release/provenance_materials/provenance_materials.rego
  • policy/release/rhtap_multi_ci/rhtap_multi_ci.rego
  • policy/release/rpm_build_deps/rpm_build_deps.rego
  • policy/release/rpm_ostree_task/rpm_ostree_task.rego
  • policy/release/rpm_pipeline/rpm_pipeline.rego
  • policy/release/rpm_repos/rpm_repos.rego
  • policy/release/rpm_signature/rpm_signature.rego
  • policy/release/sbom/sbom.rego
  • policy/release/sbom_cyclonedx/sbom_cyclonedx.rego
  • policy/release/sbom_spdx/sbom_spdx.rego
  • policy/release/slsa_build_build_service/slsa_build_build_service.rego
  • policy/release/slsa_build_scripted_build/slsa_build_scripted_build.rego
  • policy/release/slsa_provenance_available/slsa_provenance_available.rego
  • policy/release/slsa_source_correlated/slsa_source_correlated.rego
  • policy/release/slsa_source_version_controlled/slsa_source_version_controlled.rego
  • policy/release/source_image/source_image.rego
  • policy/release/tasks/tasks.rego
  • policy/release/test/test.rego
  • policy/release/test_attestation/test_attestation.rego
  • policy/release/trusted_task/trusted_task.rego
✅ Files skipped from review due to trivial changes (60)
🚧 Files skipped from review as they are similar to previous changes (5)
  • policy/release/collection/redhat_security/redhat_security.rego
  • policy/release/rhtap_multi_ci/rhtap_multi_ci.rego
  • policy/release/source_image/source_image.rego
  • policy/release/rpm_build_deps/rpm_build_deps.rego
  • policy/release/maven_repos/maven_repos_test.rego

Walkthrough

This PR adds redhat_security across release policy metadata, introduces the new collection.redhat_security module, updates related package docs, and expands release policy navigation and test expectations to reference the new collection.

Changes

Red Hat security collection rollout

Layer: Collection module and core policy metadata
File(s): policy/release/collection/redhat_security/redhat_security.rego, policy/release/attestation_type/..., policy/release/base_image_registries/..., policy/release/buildah_build_task/..., policy/release/cve/..., policy/release/external_parameters/..., policy/release/git_branch/..., policy/release/github_certificate/..., policy/release/hermetic_task/..., policy/release/labels/..., policy/release/maven_repos/..., policy/release/olm/..., policy/release/pre_build_script_task/..., policy/release/prefetch_dependencies/..., policy/release/provenance_materials/..., policy/release/rhtap_multi_ci/..., policy/release/rpm_build_deps/..., policy/release/rpm_ostree_task/..., policy/release/rpm_pipeline/..., policy/release/rpm_repos/..., policy/release/rpm_signature/...
Summary: Adds the new collection module and extends metadata collection lists or collection comments across the release policy modules.

Layer: SBOM, SLSA, source-image, tasks, and test policy metadata
File(s): policy/release/sbom/..., policy/release/sbom_cyclonedx/..., policy/release/sbom_spdx/..., policy/release/slsa_build_build_service/..., policy/release/slsa_build_scripted_build/..., policy/release/slsa_provenance_available/..., policy/release/slsa_source_correlated/..., policy/release/slsa_source_version_controlled/..., policy/release/source_image/..., policy/release/tasks/..., policy/release/test/..., policy/release/test_attestation/..., policy/release/trusted_task/..., policy/release/maven_repos_test.rego
Summary: Adds redhat_security to metadata collections and updates Maven repos deny expectations to include the new collection value.

Layer: Package documentation source links
File(s): antora/docs/modules/ROOT/pages/packages/release_*.adoc
Summary: Updates embedded source line references for the affected package documentation pages.

Layer: Release policy catalog
File(s): antora/docs/modules/ROOT/pages/release_policy.adoc, antora/docs/modules/ROOT/partials/release_policy_nav.adoc
Summary: Adds the new redhat_security ruleset entry and matching navigation xref.

Estimated code review effort: 3 (Moderate) | ~20 minutes

🚥 Pre-merge checks: 5 passed

Title check: ✅ Passed. The title clearly names the new redhat_security policy collection, which is the main change.
Description check: ✅ Passed. The description is directly about adding the new redhat_security collection and related rule tagging.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Warning

Tools execution failed with the following error:

Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error)


fullsend-ai-review Bot commented Jul 3, 2026

🤖 Finished Review · ✅ Success · Started 1:02 PM UTC · Completed 1:08 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot commented Jul 3, 2026

Review

Findings

Low

  • [Collections annotation ordering consistency] policy/release/attestation_type/attestation_type.rego (and 32 other rego files) — The redhat_security collection is appended at the end of each rule's collections list, which places it after non-redhat collections like slsa3 and policy_data in some rules. However, the existing codebase does not enforce a strict grouping convention for redhat-branded collections (e.g., slsa_provenance_available.rego already orders slsa3 before redhat), so appending at the end is a reasonable approach. No action required.
Previous run

Looks good to me

Previous run (2)

Looks good to me

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jul 3, 2026

codecov Bot commented Jul 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag         Coverage   Δ
unit-tests   100.00%    <ø> (ø)

Flags with carried forward coverage won't be shown.

Files with missing lines                                Coverage   Δ
...icy/release/attestation_type/attestation_type.rego   100.00%    <ø> (ø)
...e/base_image_registries/base_image_registries.rego   100.00%    <ø> (ø)
...release/buildah_build_task/buildah_build_task.rego   100.00%    <ø> (ø)
policy/release/cve/cve.rego                             100.00%    <ø> (ø)
...lease/external_parameters/external_parameters.rego   100.00%    <ø> (ø)
policy/release/git_branch/git_branch.rego               100.00%    <ø> (ø)
...release/github_certificate/github_certificate.rego   100.00%    <ø> (ø)
policy/release/hermetic_task/hermetic_task.rego         100.00%    <ø> (ø)
policy/release/labels/labels.rego                       100.00%    <ø> (ø)
policy/release/maven_repos/maven_repos.rego             100.00%    <ø> (ø)
... and 24 more

fullsend-ai-review Bot commented Jul 3, 2026

🤖 Review · ⚠️ Cancelled · Started 1:15 PM UTC · Ended 1:20 PM UTC
Commit: 47d3320 · View workflow run →

fullsend-ai-review Bot commented Jul 3, 2026

🤖 Finished Review · ✅ Success · Started 1:23 PM UTC · Completed 1:28 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 3, 2026
Create a new redhat_security collection containing all rego rules mapped
to a Red Hat ProdSec requirement. The mapping source is the
conforma-prodsec-mapping.json file from EC-1967.

124 release rules across 33 files get redhat_security added to their
collections annotation. Two additional dependency rules (cve_results_found
and pipeline_has_tasks) are included to satisfy the conventions-check
requirement that dependencies share the same collections.

This is additive. It does not modify or replace the existing redhat
collection.

Ref: https://redhat.atlassian.net/browse/EC-1967
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
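The tagging convention the PR description and the commit message rely on (each rule's `collections:` METADATA annotation, and the conventions-check requirement that a rule's `depends_on` targets carry the same collections, so that a collection-scoped evaluation never skips a dependency), shown as an added example that is not code from the conforma repo: a small checker run over a constructed Rego source. It assumes the METADATA layout of a `custom:` block with `short_name`, `collections` and `depends_on` lists, and that `depends_on` entries are written `<package suffix>.<short_name>`; the repo's real conventions check may differ.

```python
import re
# Constructed sample (assumption: depends_on entries are "<package suffix>.<short_name>").
SAMPLE_REGO = """\
package release.cve
# METADATA
# custom:
#   short_name: cve_results_found
#   collections:
#   - redhat
deny contains result if { false }

# METADATA
# custom:
#   short_name: cve_blockers
#   collections:
#   - redhat
#   - redhat_security
#   depends_on:
#   - cve.cve_results_found
deny contains result if { false }
"""

def parse_rules(src):
    """Map "<pkg>.<short_name>" -> {"collections": [...], "depends_on": [...]}."""
    pkg = re.search(r"^package\s+(\S+)", src, re.M).group(1).rsplit(".", 1)[-1]
    rules, block, active = {}, None, None
    for line in [ln.strip() for ln in src.splitlines()] + ["# METADATA"]:
        text = line.lstrip("#").strip() if line.startswith("#") else None
        if line == "# METADATA":  # new block; the sentinel above flushes the last one
            if block and "short_name" in block:
                rules[f"{pkg}.{block['short_name']}"] = block
            block, active = {"collections": [], "depends_on": []}, None
        elif block is None or text is None:
            active = None  # rule body (or before the first block): any open list ends
        elif text.startswith("- ") and active:
            block[active].append(text[2:].strip())
        elif text in ("collections:", "depends_on:"):
            active = text[:-1]
        else:
            active = None
            if text.startswith("short_name:"):
                block["short_name"] = text.split(":", 1)[1].strip()
    return rules

def find_violations(rules):
    """(rule, dependency, missing) for every dependency lacking a collection of its dependent."""
    out = []
    for name, meta in rules.items():
        for dep in meta["depends_on"]:
            dep_cols = set(rules.get(dep, {}).get("collections", []))  # unknown dep: empty
            missing = sorted(set(meta["collections"]) - dep_cols)
            if missing:
                out.append((name, dep, missing))
    return out
```

On the sample, `cve_blockers` is in `redhat_security` but its dependency `cve_results_found` is not, which is exactly the situation the commit message resolves by tagging the dependency rules too.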

fullsend-ai-review Bot commented Jul 3, 2026

🤖 Finished Review · ✅ Success · Started 1:39 PM UTC · Completed 1:53 PM UTC
Commit: 47d3320 · View workflow run →

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 3, 2026
Labels

ready-for-merge All reviewers approved — ready to merge size: XL
