Conversation

@nijdarshan
Contributor

Summary

  • Adds evaluation_mode field to YAML custom policy attribute checks
  • Supports any mode: check passes if at least one resource of the specified type matches the condition
  • Default behavior (all) is preserved - backward compatible
  • Fixes Custom YAML check for Dockerfile #7389

Problem

When creating a custom YAML check for Dockerfiles that checks for a specific RUN command, the check evaluates each RUN instruction independently. If a Dockerfile has multiple RUN instructions, the check passes for matching instructions but fails for non-matching ones - even if the intent is "at least one RUN must contain this command."

Solution

Add an optional evaluation_mode field to attribute check definitions:

```yaml
metadata:
  id: "DOCKERFILE_1"
  name: "Ensure apt-get update exists"
  category: "APPLICATION_SECURITY"
definition:
  cond_type: attribute
  resource_types:
    - RUN
  attribute: value
  operator: contains
  value: "apt-get update"
  evaluation_mode: any  # NEW: passes if at least one RUN matches
```

Values

  • all (default): All matching resources must pass the condition (current behavior)
  • any: At least one matching resource must pass the condition

Implementation

  • BaseGraphCheck gets a new evaluation_mode field (default: "all")
  • GraphCheckParser parses and validates the field from YAML
  • BaseRegistry.run_check_parallel() applies per-file aggregation when mode is "any"
    • If any resource in a file passes, all resources of that type in the file pass
    • If no resource passes, one representative failure per file is reported
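The two evaluation modes and the per-file aggregation described above, as an added illustration that is not checkov's own code: the definition is the parsed form of the YAML in this PR, the `RUN` resources and file names are constructed sample input, and the `Result` type, the `<type>.<index>` resource identifiers and the function names are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed stand-in for the parsed YAML `definition` block shown in this PR.
DEFINITION = {
    "cond_type": "attribute",
    "resource_types": ["RUN"],
    "attribute": "value",
    "operator": "contains",
    "value": "apt-get update",
    "evaluation_mode": "any",
}

# Constructed sample: RUN instructions extracted from two hypothetical Dockerfiles.
# File "a" has one matching RUN among two; file "b" has no matching RUN at all.
SAMPLE_RESOURCES = [
    {"file": "a/Dockerfile", "type": "RUN", "value": "apt-get update && apt-get install -y curl"},
    {"file": "a/Dockerfile", "type": "RUN", "value": "pip install -r requirements.txt"},
    {"file": "b/Dockerfile", "type": "RUN", "value": "pip install -r requirements.txt"},
    {"file": "b/Dockerfile", "type": "RUN", "value": "make build"},
]


@dataclass(frozen=True)
class Result:
    file: str
    resource: str  # hypothetical identifier of the form "<type>.<index>"
    passed: bool


def evaluate_resource(definition: dict, resource: dict) -> bool:
    """Evaluate one attribute condition against one resource (only `contains` is modelled here)."""
    attr = resource.get(definition["attribute"])
    op = definition["operator"]
    if op == "contains":
        return attr is not None and definition["value"] in attr
    raise ValueError(f"unsupported operator for this example: {op!r}")


def run_check(definition: dict, resources: list) -> list:
    """Evaluate every matching resource, then apply the evaluation_mode aggregation.

    "all" (the default): each resource is reported with its own pass/fail.
    "any": per file, if at least one resource passes then every resource of that
    type in the file is reported as passing; if none passes, a single
    representative failure is reported for the file.
    """
    mode = definition.get("evaluation_mode", "all")
    if mode not in ("all", "any"):
        raise ValueError(f"invalid evaluation_mode: {mode!r} (expected 'all' or 'any')")

    per_resource = []
    for idx, res in enumerate(resources):
        if res["type"] not in definition["resource_types"]:
            continue  # resource type not covered by this check
        per_resource.append(
            Result(res["file"], f'{res["type"]}.{idx}', evaluate_resource(definition, res))
        )

    if mode == "all":
        return per_resource

    # evaluation_mode: any -> group results by file and aggregate within each file.
    by_file: dict = {}
    for result in per_resource:
        by_file.setdefault(result.file, []).append(result)

    aggregated = []
    for results in by_file.values():
        if any(r.passed for r in results):
            # One match promotes every resource of this type in the file to PASSED.
            aggregated.extend(Result(r.file, r.resource, True) for r in results)
        else:
            # No match: report one representative failure for the file.
            aggregated.append(results[0])
    return aggregated


if __name__ == "__main__":
    for r in run_check(DEFINITION, SAMPLE_RESOURCES):
        print(f"{r.file:14} {r.resource:6} {'PASSED' if r.passed else 'FAILED'}")
```

With `evaluation_mode: any`, file `a` yields two passes and file `b` yields one failure; dropping the field (or setting it to `all`) yields one pass and three failures, which is the per-instruction behaviour the issue describes.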

Test plan

  • Unit tests for evaluation_mode: any (pass when at least one matches)
  • Unit tests for evaluation_mode: any (fail when none match)
  • Unit tests confirming default mode behavior is unchanged
  • Tests run on both NETWORKX and RUSTWORKX graph frameworks
  • Existing Dockerfile tests pass
  • Existing checks_infra parser tests pass
  • CLI verification with real Dockerfiles

🤖 Generated with Claude Code

Add support for `evaluation_mode: any` in YAML custom policy definitions,
enabling checks that pass if at least one resource matches the condition.

This addresses the limitation where Dockerfile YAML checks with multiple
RUN instructions would fail individually even when only checking for the
presence of a specific command in any instruction.

Fixes bridgecrewio#7389
@nijdarshan nijdarshan force-pushed the feature/evaluation-mode-yaml-checks branch from 83c8ae0 to a8b08be Compare January 23, 2026 17:18
Development

Successfully merging this pull request may close these issues.

Custom YAML check for Dockerfile
