Triage policy check warnings

2026-05-26 19:42:01 +02:00
parent a3d77d7529
commit eea2697ca1
6 changed files with 28 additions and 10 deletions
+6 -1
@@ -253,7 +253,11 @@ function Test-ServicePolicies {
}
if ($service.Image -match ':[Ll]atest(?:[-@]|$)') {
Add-Finding -Findings $Findings -Severity 'warning' -Code 'IMAGE001' -Target $targetBase -Message 'Image uses a latest tag. Prefer a concrete version tag, even when a digest is present.'
if (($service.Image -match '@sha256:') -and (Test-IdentityMatch -Service $service -Candidates $Exceptions.allowed_mutable_tag_identities)) {
Add-Finding -Findings $Findings -Severity 'info' -Code 'IMAGE002' -Target $targetBase -Message 'Image uses a latest tag but is digest-pinned and documented as an exception.'
} else {
Add-Finding -Findings $Findings -Severity 'warning' -Code 'IMAGE001' -Target $targetBase -Message 'Image uses a latest tag. Prefer a concrete version tag, even when a digest is present.'
}
}
$isDataService = $false
@@ -362,6 +366,7 @@ $exceptionsRaw = Get-Content -LiteralPath $exceptionsPath -Raw | ConvertFrom-Jso
$exceptions = @{
middleware_exempt_identities = @($exceptionsRaw.middleware_exempt_identities)
allowed_root_identities = @($exceptionsRaw.allowed_root_identities)
allowed_mutable_tag_identities = @($exceptionsRaw.allowed_mutable_tag_identities)
allowed_privileged_identities = @($exceptionsRaw.allowed_privileged_identities)
allowed_host_network_identities = @($exceptionsRaw.allowed_host_network_identities)
allowed_host_port_identities = @{}
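Review bot: The digest test in the first hunk of Test-ServicePolicies, `$service.Image -match '@sha256:'`, only checks that the delimiter is present, so a reference such as `image:latest@sha256:abc` (constructed example) would be reported as "digest-pinned" under IMAGE002 even though nothing usable is pinned. Anchoring the pattern to a full sha256 digest keeps the downgrade to info limited to references that are actually immutable: `if (($service.Image -match '@sha256:[0-9a-f]{64}$') -and (Test-IdentityMatch -Service $service -Candidates $Exceptions.allowed_mutable_tag_identities)) {` (`-match` is case-insensitive, so no uppercase range is needed). For the same reason the `[Ll]` in `':[Ll]atest(?:[-@]|$)'` is redundant and slightly misleading about what the check accepts; `':latest(?:[-@]|$)'` reads more honestly. Test-ServicePolicies begins and ends outside the hunk, so I could not confirm how $targetBase and $Exceptions are populated before this point.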