add structured logging to PURL and sigstore Rego builtins by robnester-rh · Pull Request #3121 · conforma/cli · GitHub

add structured logging to PURL and sigstore Rego builtins#3121

Merged
robnester-rh merged 1 commit into
conforma:mainfrom
robnester-rh:EC-1668
Feb 24, 2026

Conversation

@robnester-rh (Contributor)
Add log.WithField("function", ...) to PURL and sigstore custom Rego builtin functions to ease troubleshooting. This follows the same pattern already used in the OCI builtin functions.

Functions updated:

  • ec.purl.is_valid
  • ec.purl.parse
  • ec.sigstore.verify_image
  • ec.sigstore.verify_attestation

Ref: EC-1668
Resolves: #1361

Add log.WithField("function", ...) to PURL and sigstore custom Rego
builtin functions to ease troubleshooting. This follows the same
pattern already used in the OCI builtin functions.

Functions updated:
- ec.purl.is_valid
- ec.purl.parse
- ec.sigstore.verify_image
- ec.sigstore.verify_attestation

Ref: EC-1668
Resolves: conforma#1361
Signed-off-by: Rob Nester <rnester@redhat.com>
qodo-code-review Bot commented Feb 23, 2026
Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (2) 📎 Requirement gaps (1)

Action required

1. Missing rfunc log field 📎 Requirement gap ✧ Quality
Description
The updated PURL Rego builtins enrich logs with field function instead of the required rfunc,
reducing traceability consistency across builtin logs. This violates the requirement for a
consistent logger field identifying the Rego function name.
Code

internal/rego/purl/purl.go[111]

+	logger := log.WithField("function", purlIsValidName)
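Review bot: the field name here is `function`, which is the pattern the PR description says the OCI builtins already use, while the finding below asks for `rfunc`. Whichever name is chosen should be the same across the OCI, PURL and sigstore builtins, since the point of #1361 is one field that filters a policy run's log down to a single builtin; if `rfunc` is adopted here, the OCI builtins need the same rename in this PR or a follow-up, otherwise the change makes the logs less consistent rather than more.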
Evidence
PR Compliance ID 7 requires adding a consistent rfunc field identifying the builtin function name,
but the added loggers use WithField("function", ...) in the modified PURL builtins.

All custom Rego builtin functions include a logger field identifying the Rego function name
internal/rego/purl/purl.go[111-111]
internal/rego/purl/purl.go[130-130]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The PURL custom Rego builtins add a logger field named `function`, but compliance requires a consistent field `rfunc` set to the builtin function name.

## Issue Context
Compliance requires using an enriched logger with a consistent field name (`rfunc`) for traceability across all custom Rego builtin logs.

## Fix Focus Areas
- internal/rego/purl/purl.go[111-145]

Remediation recommended

2. Raw PURL logged in debug 📘 Rule violation ⛨ Security
Description
The PURL input is logged verbatim as a structured field, which may contain sensitive or
user-provided data (e.g., qualifiers with URLs/tokens) and can leak into logs. This risks violating
the requirement that logs contain no sensitive data at any log level.
Code

internal/rego/purl/purl.go[118]

+	logger = logger.WithField("purl", string(uri))
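Review bot: `string(uri)` is attached unchanged, so everything after `?` in the PURL (qualifiers such as `repository_url` or `vcs_url`, whose URL values can carry credentials) lands in the debug log as well. Logging only the portion before `?`, or the PURL with each qualifier value replaced by a placeholder, keeps type, namespace, name and version for troubleshooting without the qualifier contents.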
Evidence
PR Compliance ID 5 requires that no sensitive data is present in logs; the modified code logs the
full raw purl input string without any redaction/sanitization.

Rule 5: Generic: Secure Logging Practices
internal/rego/purl/purl.go[118-118]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The code logs the full PURL string (`purl`) directly, which can unintentionally include sensitive or user-provided data in logs.

## Issue Context
Secure logging requires that sensitive data is not present in logs at any level. PURLs may include qualifiers that could embed URLs or tokens depending on usage.

## Fix Focus Areas
- internal/rego/purl/purl.go[118-118]

3. Raw image ref logged 📘 Rule violation ⛨ Security
Description
The sigstore builtins log the full image reference string as ref, which may reveal sensitive
environment details (e.g., private registry/repository identifiers) and is unredacted external
input. This can conflict with the requirement to avoid sensitive data in logs.
Code

internal/rego/sigstore/sigstore.go[121]

+	logger = logger.WithField("ref", string(uri))
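Review bot: the same `ref` field is added at two call sites (lines 121 and 190 per the evidence list), so any decision about trimming the registry host or keeping only repository and digest should live in one helper used at both sites rather than be applied at one and missed at the other; for a signature-verification builtin the digest is the part worth keeping for troubleshooting.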
Evidence
PR Compliance ID 5 prohibits sensitive data in logs; the modified code logs the full ref string
provided to the builtin without redaction or minimization.

Rule 5: Generic: Secure Logging Practices
internal/rego/sigstore/sigstore.go[121-121]
internal/rego/sigstore/sigstore.go[190-190]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The code logs the full image reference string (`ref`) directly, which may expose private registry/repo identifiers or other sensitive context.

## Issue Context
Secure logging requires avoiding sensitive data in logs at any log level; external inputs should be minimized or redacted.

## Fix Focus Areas
- internal/rego/sigstore/sigstore.go[121-121]
- internal/rego/sigstore/sigstore.go[190-190]

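The two points raised in this thread, a consistent per-builtin log field (the PR description) and not logging a raw PURL verbatim (Qodo finding 2), can be shown together in one small program. This is an added example, not code from conforma/cli: it uses the standard library's `log/slog` in place of the project's logrus `log.WithField`, and `builtinLogger`, `redactPURL` and `purlLogAttrs` are hypothetical helper names; the sample PURL is constructed for the example.

```go
package main

import (
	"log/slog"
	"net/url"
	"os"
	"sort"
	"strings"
)

// builtinLogger mirrors the PR's log.WithField("function", name) pattern with
// the standard library's slog: every line emitted through the returned logger
// carries the Rego builtin's name, so one field filters a policy run's log
// down to a single builtin.
func builtinLogger(base *slog.Logger, function string) *slog.Logger {
	return base.With("function", function)
}

// redactPURL (hypothetical helper, not from conforma/cli) returns a PURL whose
// qualifier values are replaced by "[redacted]". Type, namespace, name, version
// and subpath stay visible for troubleshooting; qualifiers such as
// repository_url or vcs_url, which may embed URLs with credentials, do not.
func redactPURL(purl string) string {
	base, rest, hasQualifiers := strings.Cut(purl, "?")
	if !hasQualifiers {
		return purl
	}
	query, subpath, hasSubpath := strings.Cut(rest, "#")
	vals, err := url.ParseQuery(query)
	if err != nil {
		// Qualifiers that do not parse are dropped wholesale rather than
		// logged as-is: an unparseable string is where a stray secret is
		// most likely to hide.
		return base + "?[redacted]"
	}
	keys := make([]string, 0, len(vals))
	for k := range vals {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order so log lines are comparable
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"=[redacted]")
	}
	out := base + "?" + strings.Join(parts, "&")
	if hasSubpath {
		out += "#" + subpath
	}
	return out
}

// purlLogAttrs builds the structured fields a PURL builtin would attach to its
// debug line: the builtin name and the redacted PURL. They are returned as
// attributes so the same values can be logged and, in tests, asserted on.
func purlLogAttrs(function, purl string) []slog.Attr {
	return []slog.Attr{
		slog.String("function", function),
		slog.String("purl", redactPURL(purl)),
	}
}

func main() {
	base := slog.New(slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
	logger := builtinLogger(base, "ec.purl.parse")

	// Constructed sample input: a qualifier carrying a repository URL with
	// embedded credentials, the case the review flags.
	sample := "pkg:golang/github.com/example/lib@v1.2.3?repository_url=https://ci:s3cret@git.example.internal/repo#cmd/tool"

	// The emitted JSON line carries "function":"ec.purl.parse" and a purl
	// field whose repository_url value reads "[redacted]".
	logger.Debug("parsing purl", "purl", redactPURL(sample))
}
```

The redaction keeps the qualifier keys, which are enough to tell from a log line that, say, a `repository_url` was supplied, while the value (the only place a token or password can appear in a PURL) never reaches the log at any level.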
codecov Bot commented Feb 23, 2026
Codecov Report

❌ Patch coverage is 92.30769% with 2 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/rego/sigstore/sigstore.go | 87.50% | 2 Missing ⚠️ |

| Flag | Coverage Δ |
|---|---|
| acceptance | 55.55% <61.53%> (-0.01%) ⬇️ |
| generative | 18.51% <0.00%> (-0.04%) ⬇️ |
| integration | 27.49% <0.00%> (-0.06%) ⬇️ |
| unit | 68.43% <92.30%> (+0.04%) ⬆️ |

Flags with carried forward coverage won't be shown. Click here to find out more.

| Files with missing lines | Coverage Δ |
|---|---|
| internal/rego/purl/purl.go | 100.00% <100.00%> (ø) |
| internal/rego/sigstore/sigstore.go | 93.62% <87.50%> (-0.53%) ⬇️ |

... and 1 file with indirect coverage changes


@robnester-rh robnester-rh merged commit 3a2f6e8 into conforma:main Feb 24, 2026
16 checks passed

Development

Successfully merging this pull request may close these issues.

Add log field to all custom Rego builtin functions

2 participants