chainloop icon indicating copy to clipboard operation
chainloop copied to clipboard

Published 20 hours ago verified publisher icon chainloop-dev

feat: add skip field to policy group attachments

Open migmartri opened this issue 3 weeks ago • 0 comments

Summary

Add support for explicitly disabling specific policies within a policy group by specifying their metadata names in a skip list.

Users can now selectively exclude policies from evaluation without modifying the policy group itself by adding a skip field to policy group attachments in workflow contracts.

Implementation

  • Added skip field to PolicyGroupAttachment protobuf message
  • Implemented policy name resolution for both embedded and referenced policies
  • Filtered skipped policies in material and attestation evaluation paths
  • Added validation with warnings for non-existent policy names
  • Comprehensive test coverage for all skip scenarios

Usage

apiVersion: chainloop.dev/v1
kind: Contract
metadata:
  name: example-contract
spec:
  policyGroups:
    - ref: file://groups/sbom-quality-group.yaml
      with:
        bannedComponents: [email protected]
      skip:
        - sbom-present
        - my-other-policy

Behavior

  • Policies are matched by their metadata.name field
  • Works for both material and attestation policies
  • Unknown policy names in skip list generate warnings but allow execution to continue
  • Empty skip list has no effect on evaluation

Closes #2557

migmartri avatar Nov 18 '25 18:11 migmartri