
Conversation

@JAORMX (Contributor) commented Oct 25, 2025

Summary

In deny-by-default rego evaluations, when no custom message is provided by the rule writer, the evaluator now falls back to the rule's short_failure_message if available, instead of always defaulting to "denied".

This provides better error messages to users when rule evaluations fail, as they will see the descriptive short_failure_message from the rule definition rather than a generic "denied" message.

Changes

  • Added shortFailureMessage field to denyByDefaultEvaluator struct
  • Modified parseResult to use cmp.Or() with short_failure_message as fallback before "denied"
  • Created WithShortFailureMessage() Option function to pass the message to the evaluator
  • Updated NewRuleEvaluator to pass short_failure_message option when creating rego evaluators

Example

Before: Rule failures would show "denied"

After: Rule failures show the descriptive message from the rule type, e.g.:

  • "License file does not match the expected license type"
  • "Malicious package found"
  • Falls back to "denied" only if no short_failure_message is defined

Test Plan

  • ✅ All existing tests pass
  • ✅ Linter passes with auto-fixes applied
  • ✅ Manual verification of fallback chain: custom message → short_failure_message → "denied"

Related Issues

Fixes #4718

🤖 Generated with Claude Code
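The fallback chain the description above spells out (custom message → short_failure_message → "denied"), as an added example that is not minder's own code: a stand-in deny-by-default evaluator with a functional option, where `cmp.Or` picks the first non-empty of the rule writer's message, the rule type's `short_failure_message` and the literal "denied". The type and function names, the `RegoResult` binding struct, the `DenialError` type and the sample messages are assumptions made for the illustration; the project's real `denyByDefaultEvaluator`, `Option` and `parseResult` are not reproduced. It also shows why the option can be applied unconditionally, the point raised in the review thread below: an empty `short_failure_message` is simply skipped by `cmp.Or`.

```go
package main

import (
	"cmp"
	"errors"
	"fmt"
)

// DenialError is a constructed error type for this example; Message is the
// text a user sees when a deny-by-default rule does not allow the entity.
type DenialError struct{ Message string }

func (d *DenialError) Error() string { return "rule evaluation denied: " + d.Message }

// denyByDefaultEvaluator is an illustrative stand-in for the struct the PR
// modifies: a rule is denied unless the policy explicitly allows it.
type denyByDefaultEvaluator struct {
	// shortFailureMessage holds the rule type's short_failure_message, or ""
	// when the rule type does not define one.
	shortFailureMessage string
}

// Option is the functional-option type the PR describes.
type Option func(*denyByDefaultEvaluator)

// WithShortFailureMessage stores the rule's short_failure_message. It can be
// applied unconditionally: an empty string is skipped by cmp.Or below, so the
// caller needs no "if available" branch.
func WithShortFailureMessage(msg string) Option {
	return func(e *denyByDefaultEvaluator) { e.shortFailureMessage = msg }
}

// NewDenyByDefaultEvaluator applies the options in order.
func NewDenyByDefaultEvaluator(opts ...Option) *denyByDefaultEvaluator {
	e := &denyByDefaultEvaluator{}
	for _, o := range opts {
		o(e)
	}
	return e
}

// RegoResult stands in for the bindings a deny-by-default rego query yields:
// whether `allow` was true and the optional `message` set by the rule writer.
type RegoResult struct {
	Allow   bool
	Message string
}

// parseResult returns nil when the rule allowed the entity; otherwise it
// applies the fallback chain custom message -> short_failure_message -> "denied".
// cmp.Or returns its first argument that is not the zero value ("").
func (e *denyByDefaultEvaluator) parseResult(res RegoResult) error {
	if res.Allow {
		return nil
	}
	return &DenialError{Message: cmp.Or(res.Message, e.shortFailureMessage, "denied")}
}

// FailureMessage evaluates one scenario end to end and returns only the
// message a user would see ("" when the rule allowed), so the fallback
// behaviour can be checked without parsing error strings.
func FailureMessage(shortFailureMessage string, res RegoResult) string {
	ev := NewDenyByDefaultEvaluator(WithShortFailureMessage(shortFailureMessage))
	err := ev.parseResult(res)
	if err == nil {
		return ""
	}
	var de *DenialError
	if !errors.As(err, &de) {
		panic("unexpected error type: " + err.Error())
	}
	return de.Message
}

func main() {
	// Constructed scenarios covering each step of the fallback chain.
	const licenseMsg = "License file does not match the expected license type"
	scenarios := []struct {
		name  string
		short string
		res   RegoResult
	}{
		{"rule writer set a custom message", licenseMsg, RegoResult{Message: "LICENSE is GPL-3.0, expected Apache-2.0"}},
		{"no custom message, rule type has short_failure_message", licenseMsg, RegoResult{}},
		{"no custom message, no short_failure_message", "", RegoResult{}},
		{"rule allowed", licenseMsg, RegoResult{Allow: true}},
	}
	for _, s := range scenarios {
		fmt.Printf("%-58s -> %q\n", s.name, FailureMessage(s.short, s.res))
	}
}
```

Note that a rego `message` explicitly bound to "" is indistinguishable from an unset one under `cmp.Or`; both fall through to the short failure message, which is the behaviour the PR wants. Anything that should count as a real message therefore has to be non-empty.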

@coveralls

Coverage Status

coverage: 58.035% (+0.06%) from 57.972% when pulling fce50a2 on JAORMX:feature/use-short-failure-message-4718 into 1b9742c on mindersec:main.

@evankanderson (Member) left a comment

It looks like this needs a rebase, but I like the idea, and I was wondering why we didn't do it earlier. 😁

I was also going to ask about whether we should do this for violations, but that already collects messages as part of its operation, so we don't need this kind of fallback, though we could replace "Evaluation failures:" with the short failure message if we wanted.

JAORMX and others added 2 commits October 27, 2025 20:32
…sage

In deny-by-default rego evaluations, when no custom message is provided
by the rule writer, the evaluator now falls back to the rule's
short_failure_message if available, instead of always defaulting to
"denied".

This provides better error messages to users when rule evaluations fail,
as they will see the descriptive short_failure_message from the rule
definition rather than a generic "denied" message.

Changes:
- Added shortFailureMessage field to denyByDefaultEvaluator struct
- Modified parseResult to use cmp.Or() with short_failure_message as
  fallback before "denied"
- Created WithShortFailureMessage() Option function to pass the message
  to the evaluator
- Updated NewRuleEvaluator to pass short_failure_message option when
  creating rego evaluators

Fixes mindersec#4718

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Add three new test functions to thoroughly test the short_failure_message
fallback behavior in deny-by-default rego evaluations:

- TestDenyByDefaultWithShortFailureMessage: Tests the complete fallback
  chain (custom message > short_failure_message > "denied") with 4 scenarios
- TestDenyByDefaultShortFailureMessageOnlyAppliedToDenyByDefault: Verifies
  that the option is silently ignored for constraints evaluator
- TestDenyByDefaultShortFailureMessageWithEntityName: Tests that entity
  names are properly included in error details

Also enhanced the godoc for WithShortFailureMessage() to clearly document
the fallback priority, when the option applies, and its type-specific
behavior.

All tests pass and linting is clean.
@JAORMX JAORMX force-pushed the feature/use-short-failure-message-4718 branch from fce50a2 to ceaca8c Compare October 27, 2025 18:32
@JAORMX JAORMX marked this pull request as ready for review October 27, 2025 18:32
@JAORMX JAORMX requested a review from a team as a code owner October 27, 2025 18:32
```go
	}
	return jq.NewJQEvaluator(e.GetJq(), opts...)
case rego.RegoEvalType:
	// Add short_failure_message as an option if available
```
Member, commenting on the line above:

You can actually store this always, since you use cmp.Or to combine this and the "denied".

Successfully merging this pull request may close these issues.

Use rule short failure message as fallback for evaluation failure message