refactor(misconf): Deprecate EXCEPTIONS for misconfiguration scanning (#7776)

Signed-off-by: Simar <simar@linux.com>
2025-12-12 15:50:15 -08:00 · 2024-10-29 16:29:42 -06:00
parent c434775923
commit c70b6fa166
51 changed files with 430 additions and 865 deletions
--- a/pkg/iac/rego/scanner_test.go
+++ b/pkg/iac/rego/scanner_test.go
@@ -166,168 +166,6 @@ deny {
 	assert.Equal(t, "/evil.lol", results.GetPassed()[0].Metadata().Range().GetFilename())
 }

-func Test_RegoScanning_Namespace_Exception(t *testing.T) {
-
-	srcFS := CreateFS(t, map[string]string{
-		"policies/test.rego": `
-package defsec.test
-
-deny {
-    input.evil
-}
-`,
-		"policies/exceptions.rego": `
-package namespace.exceptions
-
-import data.namespaces
-
-exception[ns] {
-    ns := data.namespaces[_]
-    startswith(ns, "defsec")
-}
-`,
-	})
-
-	scanner := rego.NewScanner(
-		types.SourceJSON,
-		rego.WithPolicyDirs("policies"),
-	)
-	require.NoError(t, scanner.LoadPolicies(srcFS))
-
-	results, err := scanner.ScanInput(context.TODO(), rego.Input{
-		Path: "/evil.lol",
-		Contents: map[string]any{
-			"evil": true,
-		},
-	})
-	require.NoError(t, err)
-
-	assert.Empty(t, results.GetFailed())
-	assert.Empty(t, results.GetPassed())
-	assert.Len(t, results.GetIgnored(), 1)
-
-}
-
-func Test_RegoScanning_Namespace_Exception_WithoutMatch(t *testing.T) {
-
-	srcFS := CreateFS(t, map[string]string{
-		"policies/test.rego": `
-package defsec.test
-
-deny {
-    input.evil
-}
-`, "policies/something.rego": `
-package builtin.test
-
-deny_something {
-    input.something
-}
-`,
-		"policies/exceptions.rego": `
-package namespace.exceptions
-
-import data.namespaces
-
-exception[ns] {
-    ns := data.namespaces[_]
-    startswith(ns, "builtin")
-}
-`,
-	})
-
-	scanner := rego.NewScanner(
-		types.SourceJSON,
-		rego.WithPolicyDirs("policies"),
-	)
-	require.NoError(t, scanner.LoadPolicies(srcFS))
-
-	results, err := scanner.ScanInput(context.TODO(), rego.Input{
-		Path: "/evil.lol",
-		Contents: map[string]any{
-			"evil": true,
-		},
-	})
-	require.NoError(t, err)
-
-	assert.Len(t, results.GetFailed(), 1)
-	assert.Empty(t, results.GetPassed())
-	assert.Len(t, results.GetIgnored(), 1)
-
-}
-
-func Test_RegoScanning_Rule_Exception(t *testing.T) {
-	srcFS := CreateFS(t, map[string]string{
-		"policies/test.rego": `
-package defsec.test
-deny_evil {
-    input.evil
-}
-`,
-		"policies/exceptions.rego": `
-package defsec.test
-
-exception[rules] {
-    rules := ["evil"]
-}
-`,
-	})
-
-	scanner := rego.NewScanner(
-		types.SourceJSON,
-		rego.WithPolicyDirs("policies"),
-	)
-	require.NoError(t, scanner.LoadPolicies(srcFS))
-
-	results, err := scanner.ScanInput(context.TODO(), rego.Input{
-		Path: "/evil.lol",
-		Contents: map[string]any{
-			"evil": true,
-		},
-	})
-	require.NoError(t, err)
-
-	assert.Empty(t, results.GetFailed())
-	assert.Empty(t, results.GetPassed())
-	assert.Len(t, results.GetIgnored(), 1)
-}
-
-func Test_RegoScanning_Rule_Exception_WithoutMatch(t *testing.T) {
-	srcFS := CreateFS(t, map[string]string{
-		"policies/test.rego": `
-package defsec.test
-deny_evil {
-    input.evil
-}
-`,
-		"policies/exceptions.rego": `
-package defsec.test
-
-exception[rules] {
-    rules := ["good"]
-}
-`,
-	})
-
-	scanner := rego.NewScanner(
-		types.SourceJSON,
-		rego.WithPolicyDirs("policies"),
-	)
-	require.NoError(t, scanner.LoadPolicies(srcFS))
-
-	results, err := scanner.ScanInput(context.TODO(), rego.Input{
-		Path: "/evil.lol",
-		Contents: map[string]any{
-			"evil": true,
-		},
-	})
-	require.NoError(t, err)
-
-	assert.Len(t, results.GetFailed(), 1)
-	assert.Empty(t, results.GetPassed())
-	assert.Empty(t, results.GetIgnored())
-}
-
 func Test_RegoScanning_WithRuntimeValues(t *testing.T) {

 	t.Setenv("DEFSEC_RUNTIME_VAL", "AOK")