Introduce 'environment' header key to SCE checks #12734
Conversation
Skipping CI for Draft Pull Request.
This adds a new mechanism that allows content authors to control the execution of SCE checks depending on environment. They can use the `environment` key to disable running their SCE check during a build of a bootable container image, or, on the contrary, disable running the SCE check outside of the bootable container image build environment. We need to distinguish generic SCE checks from SCE checks that are meant to be executed only during the "podman build" phase of the bootable containers. We need to have a way to specify that some code is special for this environment. This way, we will prevent using SCE checks that require DBUS or other special SCE checks. Also, it will prevent SCE checks that are designed only for the bootable containers from being executed in other scenarios. This change depends on this OpenSCAP PR: OpenSCAP/openscap#2189
Extracts code to separate functions. Reduces code complexity and addresses Code Climate problem.
Do not depend on setting the environment variable OSCAP_BOOTC_BUILD by oscap. Instead, detect the bootable container build process by a direct check in SCE script code.
Change the default value of the `environment` header to `any`. Using `any` does not modify the built content therefore this PR won't modify the existing SCE checks unless we add the `environment` header explicitly.
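The following is an added example, not the ComplianceAsCode build code or anything from this PR, showing the build-time step the description and commit messages outline: read an `environment` header from an SCE script, leave `any` scripts untouched, and wrap `bootc`-only or host-only scripts in a shell guard. The header syntax (`# environment = <value>`), the value names `bootc` and `host`, the guard function name `is_bootc_build` (a stand-in for whatever direct check the real build embeds in the script), and the choice to report the skipped branch as not applicable are all assumptions of this example; only the `environment` key and the `any` default come from the PR.

```python
"""Build-time wrapping of SCE check scripts by an `environment` header.

Added example; not the project's own build code. Assumed here: the header is a
comment line `# environment = <value>` near the top of the script, the allowed
values are `any`, `bootc` and `host`, and the generated guard calls a shell
function named `is_bootc_build` that the build is assumed to define.
"""
import re

# Assumed header syntax, e.g. "# environment = bootc".
ENV_HEADER_RE = re.compile(r"^#\s*environment\s*=\s*([A-Za-z_]+)\s*$")
ALLOWED_ENVIRONMENTS = ("any", "bootc", "host")  # assumed value names

# Constructed sample check: only meaningful while the image is being built.
SAMPLE_BOOTC_CHECK = """#!/bin/bash
# environment = bootc
# Constructed sample: verify a config file exists in the image being built.
if [ -f /etc/example.conf ]; then
    exit "$XCCDF_RESULT_PASS"
fi
exit "$XCCDF_RESULT_FAIL"
"""


def parse_environment(script: str) -> str:
    """Return the header value; a missing header means `any` (the PR's default).

    An unknown value is a content-authoring mistake, so it is rejected at build
    time instead of being silently treated as `any`.
    """
    for line in script.splitlines():
        match = ENV_HEADER_RE.match(line)
        if match:
            value = match.group(1)
            if value not in ALLOWED_ENVIRONMENTS:
                raise ValueError(f"unknown SCE environment {value!r}")
            return value
    return "any"


def environment_is_valid(script: str) -> bool:
    """True when the script has no header or a header with an allowed value."""
    try:
        parse_environment(script)
        return True
    except ValueError:
        return False


def _split_shebang(script: str):
    """Keep a leading shebang outside the guard so the interpreter stays correct."""
    lines = script.splitlines(keepends=True)
    if lines and lines[0].startswith("#!"):
        return lines[0], "".join(lines[1:])
    return "", script


def wrap_check(script: str, detect_cmd: str = "is_bootc_build") -> str:
    """Wrap the check body in a guard chosen by its environment header.

    `any` returns the script unchanged, so existing checks build identically.
    `bootc` runs the body only when `detect_cmd` succeeds; `host` only when it
    fails. The skipped branch exits with the not-applicable result code that
    oscap exports to SCE scripts (this reporting choice is an assumption).
    """
    environment = parse_environment(script)
    if environment == "any":
        return script
    shebang, body = _split_shebang(script)
    if not body.endswith("\n"):
        body += "\n"
    condition = detect_cmd if environment == "bootc" else f"! {detect_cmd}"
    indented = "".join(
        ("    " + line) if line.strip() else line
        for line in body.splitlines(keepends=True)
    )
    return (
        f"{shebang}"
        f"if {condition}; then\n"
        f"{indented}"
        "else\n"
        "    # Skipped: this check is not meant for the current environment.\n"
        '    exit "$XCCDF_RESULT_NOT_APPLICABLE"\n'
        "fi\n"
    )


if __name__ == "__main__":
    print(wrap_check(SAMPLE_BOOTC_CHECK))
```

Because `any` is a pass-through, running the wrapper over an existing check corpus produces byte-identical output for every script without the header, which is the property the last commit message relies on; rejecting unknown values keeps a typo in the header from quietly turning a build-only check into a generic one.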
Code Climate has analyzed commit b0be6f8 and detected 2 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 68.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.6% (0.0% change). View more on Code Climate.
The Code Climate fail is a false positive - the reported duplicates aren't duplicates.
I verified that the built SCE checks are properly wrapped into if condition based on the
Merged commit 025fba1 into ComplianceAsCode:master
Update: The detection is performed by the bash code in SCE directly. It doesn't depend on environment variables anymore.