Feat/attestation and compliance risks #2094
Open
refoo0 wants to merge 25 commits into
Conversation
Signed-off-by: rafi <refaei.shikho@hotmail.com>
Pull request overview
This PR introduces an attestation-driven compliance evaluation flow and persists the resulting findings as first-class “compliance risks”, while removing the legacy “policies” DB-backed feature (tables, models, controllers, mocks, and routes). It wires the new services into the daemon pipeline and exposes new API endpoints for listing/triaging/evaluating compliance risks and listing attestations per artifact.
Changes:
- Add compliance risk persistence + APIs (model/repository/service/controller/router) and extend vuln events to support compliance-risk eventing.
- Add DevGuard “asset metrics” attestation generation and artifact compliance evaluation into the daemon pipeline.
- Remove the old `policies` system (DB tables + Go models/repos/controllers/routes + mocks) and update related tests/mocks.
Reviewed changes
Copilot reviewed 58 out of 58 changed files in this pull request and generated 16 comments.
| File | Description |
|---|---|
| transformer/compliance_risk_transformer.go | Adds model→DTO conversion for compliance risks including artifact associations. |
| tests/project_controller_test.go | Updates project-creation tests after policy removal (currently still references removed association). |
| tests/fx_test_helpers.go | Extends daemon runner fixture wiring for new services. |
| tests/fx_test_app.go | Adds new service/repository fields to the test app container. |
| shared/common_interfaces.go | Introduces/extends shared interfaces for attestation/compliance/compliance-risk and removes policy interfaces. |
| services/providers.go | Registers new services in the Fx module. |
| services/compliance_service.go | Implements artifact compliance evaluation based on attestations + embedded policy bundle. |
| services/compliance_risk_service.go | Implements SARIF→risk conversion, diffing, and event/state transitions for compliance risks. |
| services/attestation_service.go | Adds attestation service + generation of DevGuard “asset metrics” attestation from statistics. |
| router/router_test.go | Updates security router tests to remove policy/compliance controllers and adjust artifact routing. |
| router/providers.go | Registers the compliance risk router. |
| router/project_router.go | Removes policy routes from project scope. |
| router/org_router.go | Removes policy routes from org scope. |
| router/compliance_risk_router.go | Adds routes for listing/triaging/evaluating/uploading compliance risks per asset version. |
| router/asset_version_router.go | Removes legacy compliance endpoints. |
| router/asset_router.go | Removes legacy compliance endpoints. |
| router/artifact_router.go | Adds per-artifact attestation listing route. |
| mocks/mock_VulnDBImportService.go | Removes obsolete generated mock. |
| mocks/mock_ReportingDescriptorReference.go | Removes obsolete generated mock. |
| mocks/mock_ProjectRepository.go | Removes obsolete policy-enable/disable mock methods. |
| mocks/mock_PolicyRepository.go | Removes obsolete generated mock. |
| mocks/mock_ExternalPropertyFileReference.go | Removes obsolete generated mock. |
| mocks/mock_ComplianceService.go | Adds generated mock for new ComplianceService interface. |
| mocks/mock_ComplianceRiskService.go | Adds generated mock for new ComplianceRiskService interface. |
| mocks/mock_ComplianceRiskRepository.go | Adds generated mock for new ComplianceRiskRepository interface. |
| mocks/mock_AttestationService.go | Adds generated mock for new AttestationService interface. |
| mocks/mock_AttestationRepository.go | Extends generated mock to match updated AttestationRepository API. |
| dtos/vulnevent_dto.go | Adds complianceRisk to vuln-type enum. |
| dtos/policy_dto.go | Removes policy DTO. |
| dtos/devguard_asset_attestation_schema.json | Adds JSON schema for DevGuard “asset metrics” attestation. |
| dtos/devguard_asset_attestation_dto.go | Adds DTO for DevGuard “asset metrics” attestation (currently includes a likely typo key). |
| dtos/compliance_risk_dto.go | Adds DTOs for compliance risks and detailed compliance risks. |
| docs/evaluations-schema.json | Adds schema for uploaded evaluation results (currently mismatched with server implementation). |
| database/repositories/providers.go | Wires in compliance risk repository and removes policy repository provider. |
| database/repositories/project_repository.go | Removes project policy enable/disable helpers. |
| database/repositories/policy_repository.go | Removes policy repository. |
| database/repositories/compliance_risk_repository.go | Adds compliance risk repository implementation (paged listing, read with preloads, apply+save, etc.). |
| database/repositories/attestation_repository.go | Adds artifact+version+assetID attestation query method. |
| database/models/vulnevent_model.go | Adds compliance_risk_id support and integrates it into vuln ID/type helpers. |
| database/models/project_model.go | Removes EnabledPolicies relationship from Project model. |
| database/models/policy_model.go | Removes policy model. |
| database/models/compliance_risk_model.go | Adds ComplianceRisk model + hashing + events/artifacts associations. |
| database/migrations/20260602000000_add_compliance_risks_drop_policies.up.sql | Drops old policy tables, creates compliance risk tables, and extends vuln_events constraint/FD. |
| daemons/providers.go | Adds new daemon runner dependencies for attestation/compliance/risk services. |
| daemons/daemon_asset_pipeline.go | Adds pipeline stages for generating attestations and checking compliance. |
| daemons/attestation_daemon.go | Implements new pipeline stages (currently contains an unused constant). |
| controllers/providers.go | Removes policy/compliance controllers and registers compliance risk controller. |
| controllers/policy_controller.go | Removes policy controller. |
| controllers/compliance_risk_controller.go | Adds compliance risk CRUD/list/triage and zip upload endpoints (currently uses shared GetVulnID which doesn’t support complianceRiskID). |
| controllers/compliance_controller.go | Removes legacy compliance controller. |
| controllers/attestation_test.go | Updates tests to use AttestationService instead of AttestationRepository. |
| controllers/attestation_controller.go | Refactors controller to depend on AttestationService and adds ListByArtifact endpoint. |
| compliance/rego.go | Refactors compliance evaluation to use embedded policy bundle and adds SARIF generation helpers. |
| compliance/rego_test.go | Updates tests for new compliance API and adds SARIF de-duplication tests. |
| compliance/attestation-compliance-policies/policies/vulnerability_fix_time_sla.rego | Adds a new built-in compliance policy for MTTR SLA thresholds. |
| cmd/devguard-scanner/scanner/eval_policy.go | Refactors scanner policy eval to use embedded policy bundle (currently breaks --policy path/to/file.rego). |
| cmd/devguard-scanner/scanner/eval_policy_test.go | Removes obsolete test file. |
| cmd/devguard-scanner/commands/attestations.go | Updates CLI to pass policy directory (currently incompatible with embedded-FS loading). |
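The review table attributes SARIF-to-risk conversion, de-duplication and diffing to `services/compliance_risk_service.go` and `compliance/rego.go` without showing how those pieces fit. The following is an added illustration written for this page, not the PR's own code: it parses a minimal SARIF 2.1.0 subset, derives a stable risk ID by hashing rule ID plus artifact URI (so a rule that fires twice on the same artifact collapses to one risk), and diffs a fresh evaluation against the set of risks already open to produce the opened/fixed/unchanged transitions an event log would record. The `ComplianceRisk` shape, the `riskID` scheme, the rule name `vulnerability_fix_time_sla` reused as a SARIF `ruleId`, and the image names in the sample are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
)

// Minimal SARIF 2.1.0 subset: only the fields that give a finding its identity.
type sarifResult struct {
	RuleID    string `json:"ruleId"`
	Level     string `json:"level"`
	Message   struct{ Text string `json:"text"` } `json:"message"`
	Locations []struct {
		PhysicalLocation struct {
			ArtifactLocation struct{ URI string `json:"uri"` } `json:"artifactLocation"`
		} `json:"physicalLocation"`
	} `json:"locations"`
}

type sarifLog struct {
	Runs []struct{ Results []sarifResult `json:"results"` } `json:"runs"`
}

// ComplianceRisk is a hypothetical persisted shape, not the PR's model. ID is a
// content hash, so the same rule firing on the same artifact always maps to one row.
type ComplianceRisk struct{ ID, RuleID, Artifact, Level, Message string }

// riskID hashes the identity fields with a separator so "a"+"bc" and "ab"+"c" differ.
func riskID(ruleID, artifact string) string {
	h := sha256.Sum256([]byte(ruleID + "\x00" + artifact))
	return fmt.Sprintf("%x", h[:8])
}

// RisksFromSARIF parses a SARIF log into risks keyed by ID; duplicate results
// (same rule on the same artifact) collapse to the first occurrence.
func RisksFromSARIF(data []byte) (map[string]ComplianceRisk, error) {
	var log sarifLog
	if err := json.Unmarshal(data, &log); err != nil {
		return nil, err
	}
	out := map[string]ComplianceRisk{}
	for _, run := range log.Runs {
		for _, r := range run.Results {
			artifact := ""
			if len(r.Locations) > 0 {
				artifact = r.Locations[0].PhysicalLocation.ArtifactLocation.URI
			}
			id := riskID(r.RuleID, artifact)
			if _, seen := out[id]; !seen {
				out[id] = ComplianceRisk{id, r.RuleID, artifact, r.Level, r.Message.Text}
			}
		}
	}
	return out, nil
}

// Diff is the state-transition set a persistence layer would act on: Opened get a
// "detected" event, Fixed get a "fixed" event, Unchanged keep their triage state.
type Diff struct{ Opened, Fixed, Unchanged []string } // risk IDs, sorted

// DiffRisks compares the risks currently open for an artifact with a fresh evaluation.
func DiffRisks(existing, fresh map[string]ComplianceRisk) Diff {
	var d Diff
	for id := range fresh {
		if _, ok := existing[id]; ok {
			d.Unchanged = append(d.Unchanged, id)
		} else {
			d.Opened = append(d.Opened, id)
		}
	}
	for id := range existing {
		if _, ok := fresh[id]; !ok {
			d.Fixed = append(d.Fixed, id)
		}
	}
	sort.Strings(d.Opened)
	sort.Strings(d.Fixed)
	sort.Strings(d.Unchanged)
	return d
}

// SampleSARIF is constructed input: the SLA rule fires twice on the same image
// (a duplicate) and once on a second image.
const SampleSARIF = `{"version":"2.1.0","runs":[{"results":[
{"ruleId":"vulnerability_fix_time_sla","level":"error","message":{"text":"critical vuln open 45d > 30d"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"ghcr.io/acme/api:1.4.2"}}}]},
{"ruleId":"vulnerability_fix_time_sla","level":"error","message":{"text":"critical vuln open 45d > 30d"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"ghcr.io/acme/api:1.4.2"}}}]},
{"ruleId":"vulnerability_fix_time_sla","level":"warning","message":{"text":"high vuln open 70d > 60d"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"ghcr.io/acme/worker:1.4.2"}}}]}
]}]}`

func main() {
	fresh, err := RisksFromSARIF([]byte(SampleSARIF))
	if err != nil {
		panic(err)
	}
	// Pretend the DB still holds a risk for an image that no longer fires.
	existing := map[string]ComplianceRisk{riskID("vulnerability_fix_time_sla", "ghcr.io/acme/web:1.4.1"): {}}
	d := DiffRisks(existing, fresh)
	fmt.Printf("%d risks from 3 results; opened=%d fixed=%d unchanged=%d\n", len(fresh), len(d.Opened), len(d.Fixed), len(d.Unchanged))
}
```

The hash-as-identity choice is what makes the diff idempotent across daemon runs: re-evaluating the same attestation yields the same IDs, so nothing is re-opened, and a risk that has been triaged keeps its state because it lands in `Unchanged`. Anything more than rule and artifact in the hash input (for instance the message text, which may carry a changing day count) would split one finding into a new risk on every run.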
No description provided.