agentguard-ci/docs/plans/phase3-step3-enforcement.md
2026-04-19 22:29:53 -06:00

Implementation Plan: Policy Enforcement

Objective

Implement the final task, which parses the aggregated results and decides whether the Argo Workflow passes or fails based on the fail-on-cvss input threshold.

Requirements

  • Define a task template named enforce-policy.
  • Depend on the completion of the upload tasks (Phase 3 Steps 1 & 2).
  • Mount the shared PVC at /workspace.
  • Read the input parameter fail-on-cvss (e.g., 7.0).
  • Run a script (Python, jq, etc.) to parse all the reports in /workspace/reports/.
  • If any vulnerability has a CVSS score >= the threshold, print an error summary and exit with a non-zero code (which causes the Argo Workflow to fail).
  • If no vulnerability reaches the threshold, print a success summary and exit with 0.

Agent Instructions

  1. Add the enforce-policy template to the ClusterWorkflowTemplate.
  2. Write the parsing logic inside the task (e.g., extracting CVSS scores from SARIF and JSON formats).
  3. Ensure this step acts as the final gatekeeper for the pipeline.
  4. CRITICAL: File Splitting: Do NOT put everything into one giant file! Split your YAML manifests or configurations into separate, smaller files (e.g. using separate Helm template files, configmaps, or helper scripts) to prevent exhausting the context window.
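The gate script sketched in the Requirements and in instruction 2 above, as an added example that is not part of this plan or the agentguard-ci project. It assumes the SARIF reports carry the CVSS score in the common per-rule "security-severity" property and that the plain-JSON reports use a hypothetical {"vulnerabilities": [{"id", "cvss"}]} layout; both sample reports are constructed here.

```python
import json, os, sys
from pathlib import Path

# Constructed sample reports, not real scanner output. The SARIF sample uses the common
# per-rule "security-severity" property for the CVSS score; the JSON layout is hypothetical.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"rules": [
        {"id": "CVE-EXAMPLE-0001", "properties": {"security-severity": "9.8"}},
        {"id": "CVE-EXAMPLE-0002", "properties": {"security-severity": "4.3"}}]}},
    "results": [{"ruleId": "CVE-EXAMPLE-0001"}, {"ruleId": "CVE-EXAMPLE-0002"}]}]}
SAMPLE_JSON = {"vulnerabilities": [{"id": "CVE-EXAMPLE-0003", "cvss": 7.0},
                                   {"id": "CVE-EXAMPLE-0004", "cvss": "n/a"}]}

def sarif_findings(doc):
    """(rule_id, cvss) pairs: each SARIF result is joined to its rule's severity property."""
    found = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            sev = rules.get(res.get("ruleId"), {}).get("properties", {}).get("security-severity")
            if sev is not None:
                found.append((res["ruleId"], float(sev)))
    return found

def json_findings(doc):
    """(id, cvss) pairs from the plain-JSON layout; entries without a numeric score are skipped."""
    found = []
    for v in doc.get("vulnerabilities", []):
        try:
            found.append((v["id"], float(v["cvss"])))
        except (KeyError, TypeError, ValueError):
            continue  # no usable score on this entry
    return found

def load_findings(report_dir):
    """Parse every *.sarif / *.json file in the directory; a top-level 'runs' key marks SARIF."""
    found = []
    for path in sorted(Path(report_dir).glob("*.*")):
        if path.suffix in (".sarif", ".json"):
            doc = json.loads(path.read_text())
            found += sarif_findings(doc) if "runs" in doc else json_findings(doc)
    return found

def violations(findings, threshold):
    """Findings with CVSS >= threshold; an empty list means the gate passes."""
    return [f for f in findings if f[1] >= threshold]

if __name__ == "__main__":  # usage: enforce.py <fail-on-cvss> [report-dir]
    threshold = float(sys.argv[1]) if len(sys.argv) > 1 else 7.0
    bad = violations(load_findings(sys.argv[2] if len(sys.argv) > 2 else "/workspace/reports"), threshold)
    for rule_id, score in bad:
        print(f"FAIL: {rule_id} has CVSS {score} >= {threshold}")
    print("policy check: FAILED" if bad else f"policy check: PASSED (no CVSS >= {threshold})")
    sys.exit(1 if bad else 0)
```

The exit code is what Argo sees, so the task fails exactly when the printed list is non-empty.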