Skip to content

feat(misconf): Add support for configurable Rego error limit #9657

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(misconf): Add support for configurable Rego error limit #9657

wants to merge 1 commit into from

Conversation

@simar7
Copy link
Member

@simar7 simar7 commented Oct 14, 2025
edited
Loading

Description

feat(misconf): Add support for configurable Rego error limit

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@github-actions github-actions bot added the apidiff Indicates Go API changes relevant to library consumers (CLI compatibility may be unaffected) label Oct 14, 2025
@aqua-bot aqua-bot requested a review from a team October 14, 2025 01:27
simar7
simar7 commented Oct 14, 2025
View reviewed changes
pkg/flag/rego_flags.go
ConfigName: "rego.error-limit",
Usage: "maximum number of compile errors allowed during Rego policy evaluation",
TelemetrySafe: true,
Default: ast.CompileErrorLimitDefault,
Copy link
Member Author

@simar7 simar7 Oct 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nikpivkin Should we set this to a high amount? Default is 10 by OPA. Some thoughts below.

Pros: If we set this to a higher amount most users won't need to change anything in case they are using a older trivy version with a newer checks bundle.

Cons: It will silently hide any errors and may have unforeseen side effects post compilation. We do remove uncompilable checks prior to evaluation but since we are overriding the compilation to go through without any error limits, we may end up in an unexpected state.

It will also let users use older versions for a longer period of time by simply them not noticing any breakage due to a higher allowable error limit. This may make them comfortable using older trivy versions for even longer as they may have no desire to update, for instance to get new checks.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting it to 10 seems fine — it preserves OPA’s default behavior, avoids silently hiding too many errors, and reduces the risk of unforeseen issues while still being reasonable for most users.

@simar7
Copy link
Member Author

simar7 commented Oct 14, 2025

📊 API Changes Detected

Semver impact: major

github.com/aquasecurity/trivy/pkg/misconf
  Compatible changes:
  - ScannerOption.RegoErrorLimit: added

github.com/aquasecurity/trivy/pkg/fanal/image/registry/google
  Incompatible changes:
  - GoogleRegistryClient.Store: changed from github.com/GoogleCloudPlatform/docker-credential-gcr/v2/store.GCRCredStore to github.com/GoogleCloudPlatform/docker-credential-gcr/store.GCRCredStore

github.com/aquasecurity/trivy/pkg/flag
  Compatible changes:
  - Options.ErrorLimit: added
  - RegoErrorLimitFlag: added
  - RegoFlagGroup.ErrorLimit: added
  - RegoOptions.ErrorLimit: added

github.com/aquasecurity/trivy/rpc/cache
  Incompatible changes:
  - (*BlobInfo).GetBuildInfo: removed
  - BlobInfo.BuildInfo: removed

github.com/aquasecurity/trivy/rpc/common
  Incompatible changes:
  - (*Vulnerability).GetCustomAdvisoryData: changed from func() *google.golang.org/protobuf/types/known/structpb.Value to func() []byte
  - (*Vulnerability).GetCustomVulnData: changed from func() *google.golang.org/protobuf/types/known/structpb.Value to func() []byte
  - BuildInfo: removed
  - Vulnerability.CustomAdvisoryData: changed from *google.golang.org/protobuf/types/known/structpb.Value to []byte
  - Vulnerability.CustomVulnData: changed from *google.golang.org/protobuf/types/known/structpb.Value to []byte

github.com/aquasecurity/trivy/pkg/config/aws
  Incompatible changes:
  - EndpointResolver: removed
  - LoadDefaultAWSConfig: removed
  - MakeAWSOptions: removed

github.com/aquasecurity/trivy/pkg/sbom/io
  Incompatible changes:
  - EncoderOption: removed
  - ForceRegenerate: removed
  - NewEncoder: changed from func(...EncoderOption) *Encoder to func(github.com/aquasecurity/trivy/pkg/sbom/core.Options) *Encoder
  - WithBOMRef: removed
  - WithParents: removed

github.com/aquasecurity/trivy/pkg/cloud/aws/config
  Compatible changes:
  - EndpointResolver: added
  - LoadDefaultAWSConfig: added
  - MakeAWSOptions: added

github.com/aquasecurity/trivy/pkg/rpc
  Incompatible changes:
  - ConvertFromRPCBuildInfo: removed
  - ConvertToRPCBuildInfo: removed

@knqyf263 @DmitriyLewen is this correct? My PR involves no changes related to the changes that are mentioned in this comment.

@simar7 simar7 removed the request for review from a team October 14, 2025 01:34
@nikpivkin
Copy link
Contributor

@simar7 This is an incorrect API comparison. There is a PR with a fix for this, but it has not been merged yet. #9622

@simar7 simar7 marked this pull request as ready for review October 14, 2025 10:19
@aquasecurity aquasecurity deleted a comment from github-actions bot Oct 21, 2025
@knqyf263
Copy link
Collaborator

@knqyf263 @DmitriyLewen is this correct? My PR involves no changes related to the changes that are mentioned in this comment.

Sorry I missed it. I deleted the apidiff comments for now. After rebasing the main branch and pushing again, it should be correctly detected.

nikpivkin
nikpivkin reviewed Oct 21, 2025
View reviewed changes
pkg/misconf/scanner.go
Comment on lines +240 to +242
if opt.RegoErrorLimit > 0 {
opts = append(opts, rego.WithRegoErrorLimits(opt.RegoErrorLimit))
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense to allow setting an error limit equal to 0 for strictness?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh you mean the comparison should be >=0 if no errors are allowable? If so, I think that's a fair point and I can change it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that's what I meant.

@nikpivkin
Copy link
Contributor

I think we should add an integration test for this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nikpivkin nikpivkin nikpivkin left review comments

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

apidiff Indicates Go API changes relevant to library consumers (CLI compatibility may be unaffected)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@simar7 @nikpivkin @knqyf263