fix: better comments

jonathandavies-CS · jonathandavies-CS · commit 4beca4ce404a · 2025-09-16T09:12:48.000+01:00
diff --git a/policies/critical_vulnerabilities_count/critical_vulnerabilities_count.rego b/policies/critical_vulnerabilities_count/critical_vulnerabilities_count.rego
@@ -10,7 +10,7 @@ violation[{}] if {
 		alert.security_vulnerability.severity == "critical"
 	]
 
-	# If there are 3 or more such alerts, then deny.
+	# If there are 2 or more such alerts, then deny.
 	count(open_alerts) >= 2
 }
 
diff --git a/policies/low_vulnerabilities_dismissal/low_vulnerabilities_dismissal.rego b/policies/low_vulnerabilities_dismissal/low_vulnerabilities_dismissal.rego
@@ -6,7 +6,7 @@ violation[{}] if {
 	working_day_now_ns := time_ext.reduce_day_ns(time.now_ns())
 	three_months_ago := working_day_now_ns - (84 * time_ext.one_day_ns)
 
-	# Build a set of low alerts that have been open for more than 5 working days.
+	# Check there exists a low alert that has been open for more than 5 working days.
 	some alert in input.alerts
 	alert.state == "open"
 	alert.security_vulnerability.severity == "low"
diff --git a/policies/medium_vulnerabilities_count/medium_vulnerabilities_count.rego b/policies/medium_vulnerabilities_count/medium_vulnerabilities_count.rego
@@ -4,9 +4,13 @@ import future.keywords.in
 
 violation[{}] if {
 	# Build a set of alerts that are open and with a medium severity.
-	some alert in input.alerts
-	alert.state == "open"
-	alert.security_vulnerability.severity == "medium"
+	open_alerts := [alert |
+		some alert in input.alerts
+		alert.state == "open"
+		alert.security_vulnerability.severity == "medium"
+	]
+
+	count(open_alerts) >= 5
 }
 
 title := "Limit amount of medium vulnerabilities"
diff --git a/policies/vulnerabilities_dismissed_by_security_team/vulnerabilities_dismissed_by_security_team.rego b/policies/vulnerabilities_dismissed_by_security_team/vulnerabilities_dismissed_by_security_team.rego
@@ -3,12 +3,13 @@ package vulnerabilities_dismissed_by_security_team
 violation[{}] if {
 	input.security_team_members != null
 
-	# Build a set of alerts that have been dismissed by someone not in the security team
 	some alert in input.alerts
 	in_security_team := [team_member |
 		some team_member in input.security_team_members
 		alert.dismissed_by.login == team_member.login
 	]
+
+	# Ensure there is no team member that has dismissed an alert who is not part of the security team
 	count(in_security_team) == 0
 }
 
diff --git a/policies/vulnerability_dismissal_count/vulnerability_dimissal_count.rego b/policies/vulnerability_dismissal_count/vulnerability_dimissal_count.rego
@@ -1,13 +1,12 @@
 package vulnerability_dismissal_count
 
 violation[{}] if {
-	# Build a set of alerts that have been dismissed_alerts
+	# Build a set of alerts that have been dismissed
 	dismissed_alerts := [alert |
 		some alert in input.alerts
 		alert.dismissed_at != null
 	]
 
-	# If there are 10 or more dismissed alerts, deny
 	count(dismissed_alerts) >= 10
 }
 
diff --git a/policies/vulnerability_patch_available/vulnerability_patch_available.rego b/policies/vulnerability_patch_available/vulnerability_patch_available.rego
@@ -1,7 +1,7 @@
 package vulnerability_patch_available
 
 violation[{}] if {
-	# Build a set of alerts that have been dismissed, but a patch is available
+	# Check if there are any dismissed alerts that have patches available
 	some alert in input.alerts
 	alert.dismissed_at != null
 	alert.security_vulnerability.first_patched_version != null

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ violation[{}] if {`
`10`	`10`	`alert.security_vulnerability.severity == "critical"`
`11`	`11`	`]`
`12`	`12`
`13`		`- # If there are 3 or more such alerts, then deny.`
	`13`	`+ # If there are 2 or more such alerts, then deny.`
`14`	`14`	`count(open_alerts) >= 2`
`15`	`15`	`}`
`16`	`16`
Original file line number	Diff line number	Diff line change
`@@ -3,12 +3,13 @@ package vulnerabilities_dismissed_by_security_team`
`3`	`3`	`violation[{}] if {`
`4`	`4`	`input.security_team_members != null`
`5`	`5`
`6`		`- # Build a set of alerts that have been dismissed by someone not in the security team`
`7`	`6`	`some alert in input.alerts`
`8`	`7`	`in_security_team := [team_member \|`
`9`	`8`	`some team_member in input.security_team_members`
`10`	`9`	`alert.dismissed_by.login == team_member.login`
`11`	`10`	`]`
	`11`	`+`
	`12`	`+ # Ensure there is no team member that has dismissed an alert who is not part of the security team`
`12`	`13`	`count(in_security_team) == 0`
`13`	`14`	`}`
`14`	`15`
Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,12 @@`
`1`	`1`	`package vulnerability_dismissal_count`
`2`	`2`
`3`	`3`	`violation[{}] if {`
`4`		`- # Build a set of alerts that have been dismissed_alerts`
	`4`	`+ # Build a set of alerts that have been dismissed`
`5`	`5`	`dismissed_alerts := [alert \|`
`6`	`6`	`some alert in input.alerts`
`7`	`7`	`alert.dismissed_at != null`
`8`	`8`	`]`
`9`	`9`
`10`		`- # If there are 10 or more dismissed alerts, deny`
`11`	`10`	`count(dismissed_alerts) >= 10`
`12`	`11`	`}`
`13`	`12`