feat: glob ignores for workload checks #160
Merged
Two small follow-ups from code review on Batch A:
- Doc comment on ChecksConfig listing the four places a new workload check must be added (struct, Clone impl, build_compiled tuple, WorkloadFinding impl). Compiler doesn't catch missing Clone or build_compiled additions.
- Rename validate_compiles_globs_lazily_and_errors_on_invalid → validate_rejects_invalid_globs. validate() eagerly calls compiled(); the "lazily" in the old name actively misleads readers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…egate ignore to filter
…t test

Two follow-ups from Batch B code review:
- integration.rs: post-Task-6, ignored K8S002 findings are constructed then dropped to the suppressed bucket. Tighten the assertion from `let _ = ...` to assert_eq!(suppressed.min_replicas.len(), 1).
- findings.rs: trivial default-state test for KubernetesSuppressed::total() — load-bearing in Batch D's output gating.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…essed Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…with --show-suppressed Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ON suppressed key
The hand-copied --help blocks at the top of analyze and create playbook sections didn't list the new flag. Updated to match runtime output. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Expands the `.eksup.yaml` `ignore` mechanism in two ways: glob patterns on name/namespace selectors, and coverage of all 8 workload-level checks (was 2). Resolves #157.

- `name: "foo-*"`, `namespace: "*-dev*"`, brace expansion (`{a,b}`), character classes (`[abc]`) — anywhere a name+namespace selector is accepted. Backward-compatible: literal strings still work as exact-match.
- `ignore` (was 2): K8S002, K8S003, K8S004, K8S005, K8S006, K8S007, K8S008, K8S013. Cluster-level checks (AWS001-005, EKS001-010, K8S001, K8S009, K8S010, K8S011, K8S012) deliberately don't support name/namespace ignore — their findings flag the cluster as a whole.
- `checks.all` block for cross-cutting rules (e.g., suppress everything in `*-dev*` namespaces).
- `--show-suppressed` CLI flag exposes what config has hidden — addresses the silent-suppression risk that scales badly with glob ignores. Tabular output shows a footer count by default; the flag renders the full table inline.
- `suppressed:` top-level key for machine introspection (`#[serde(rename = "suppressed")]` on `Results.kubernetes_suppressed`).
- `threshold_for` returns just the threshold and the post-construction filter handles ignore.
- `K8s004Config` removed — collapsed into shared `WorkloadCheckConfig`.

Out of scope (called out in issue reply): regex, label selectors, severity overrides, cluster-level check disable. No version bump (per project convention).
Test plan
- `cargo +nightly fmt --all --check` passes
- `cargo clippy --all-targets --all-features -- -D warnings` passes
- `cargo test --all` passes — 241 tests including ~20 new (8 filter tests, glob compile tests, threshold_for tests, k8s012 rejection test, suppressed total test)
- `cargo xtask generate-all --check` passes
- `.eksup.yaml` configs parse and behave identically
- `--show-suppressed` flag visible in `eksup analyze --help` and `eksup create playbook --help`
- `eksup completion <shell>` matches committed `completions/*` byte-for-byte (verified via `diff`)
- `.eksup.yaml` with `checks.all` + per-check globs parses cleanly (failure is at AWS auth, not at config)

🤖 Generated with Claude Code
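The silent-suppression risk the summary describes, as an added example that is not code from this PR or from eksup: findings matched by a name+namespace glob selector go into a suppressed bucket instead of being dropped, so a too-broad pattern shows up in the counts. `Finding`, `Selector`, `glob_match` and `partition` are hypothetical names, the sample findings are constructed, and the matcher handles only `*` and `?` (no brace expansion or character classes).

```rust
// Hypothetical types for illustration; not eksup's own structs.
#[derive(Debug, Clone, PartialEq)]
struct Finding { check: &'static str, name: &'static str, namespace: &'static str }
struct Selector { name: &'static str, namespace: &'static str }

/// Minimal glob: `*` matches any run of characters, `?` exactly one.
/// A pattern without wildcards therefore behaves as an exact match.
fn glob_match(pat: &str, text: &str) -> bool {
    let (p, t): (Vec<char>, Vec<char>) = (pat.chars().collect(), text.chars().collect());
    let (mut pi, mut ti, mut mark, mut star) = (0usize, 0usize, 0usize, None::<usize>);
    while ti < t.len() {
        if pi < p.len() && p[pi] == '*' {
            star = Some(pi); mark = ti; pi += 1; // remember where to backtrack to
        } else if pi < p.len() && (p[pi] == '?' || p[pi] == t[ti]) {
            pi += 1; ti += 1;
        } else if let Some(s) = star {
            pi = s + 1; mark += 1; ti = mark; // let the last `*` absorb one more char
        } else {
            return false;
        }
    }
    p[pi..].iter().all(|&c| c == '*')
}

/// Splits findings into (reported, suppressed) rather than discarding matches.
/// Assumption: a selector applies only when both name and namespace match.
fn partition(findings: Vec<Finding>, ignore: &[Selector]) -> (Vec<Finding>, Vec<Finding>) {
    findings.into_iter().partition(|f| {
        !ignore.iter().any(|s| glob_match(s.name, f.name) && glob_match(s.namespace, f.namespace))
    })
}

/// Constructed sample findings.
fn sample() -> Vec<Finding> {
    vec![
        Finding { check: "K8S002", name: "foo-api", namespace: "team-dev-1" },
        Finding { check: "K8S002", name: "foo-api", namespace: "prod" },
        Finding { check: "K8S003", name: "payments", namespace: "payments-dev" },
    ]
}

fn main() {
    let narrow = [Selector { name: "foo-*", namespace: "*-dev*" }];
    let broad = [Selector { name: "*", namespace: "*-dev*" }];
    for (label, sel) in [("narrow", &narrow[..]), ("broad", &broad[..])] {
        let (reported, suppressed) = partition(sample(), sel);
        println!("{}: {} reported, {} suppressed", label, reported.len(), suppressed.len());
        for f in &suppressed { println!("  suppressed {} {}/{}", f.check, f.namespace, f.name); }
    }
}
```

Widening the name pattern from `foo-*` to `*` hides a finding for an unrelated workload, which only the suppressed bucket reveals.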