⭐️ add annotations support for scanned assets#1379
Merged
chris-rock merged 5 commits intomainfrom Feb 9, 2026
Merged
Conversation
Contributor
Member
Author
|
Also fixes #465 |
chris-rock
force-pushed
the
add-annotations-to-scanned-assets
branch
from
99bf72f to
072c03e
Compare
Add the ability to define custom annotations in MondooAuditConfig that get attached to all scanned assets. This allows users to tag their assets with key-value pairs for better searchability and filtering in the Mondoo Console. The annotations are passed to cnspec via: - Inventory file annotations for K8s resources, nodes, and container scans - Command-line --annotation flags for the resource watcher Closes #955 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sort annotation map keys before building CLI args to prevent spurious Kubernetes Deployment updates caused by Go's randomized map iteration. Add tests for annotation propagation across all scan controllers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Extract duplicated annotation CLI arg building into pkg/annotations.AnnotationArgs() - Add annotations.Validate() to reject empty keys, keys containing '=', and empty values - Call validation in the reconciler and resource-watcher CLI entrypoint - Strengthen test assertions to unmarshal inventory YAML and check asset annotations directly Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ions Instead of returning an error (which causes infinite requeue with backoff), set MondooOperatorDegraded condition so users can see the problem via kubectl describe. The condition is cleared when annotations become valid. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Member
Author
Future improvement: annotation validation should not skip full reconciliationWhen annotations fail validation, the controller currently does A future improvement would be to continue reconciliation with |
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
chris-rock
force-pushed
the
add-annotations-to-scanned-assets
branch
from
04a3430 to
675d6b0
Compare
chris-rock
commented
Feb 9, 2026
|
|
||
| // AnnotationArgs converts a map of annotations into sorted CLI arguments | ||
| // suitable for passing to cnspec via --annotation key=value flags. | ||
| func AnnotationArgs(annotations map[string]string) []string { |
Member
Author
There was a problem hiding this comment.
In the future we may want to switch to inventory files for every scan job. That would make it more straight forward to support additional features.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
annotationsfield toMondooAuditConfigSpecto allow users to define custom key-value pairsUsage Example
Implementation
Annotations are passed to cnspec via:
Asset.AddAnnotations())--annotation key=value)Test plan
make lintpassesmake testpassesCloses #955
🤖 Generated with Claude Code