defsec schema #5371
itaysk
started this conversation in
Development
Can we clarify again what we want to validate the input for?
Is there something else? The current approach achieves No.2 as we have JSON schema, while No.1 is not achieved because the schema is now generated based on the engine, and the validation won't fail. Am I understanding correctly? Itay suggested defining the data model separated from the engine, right?
After discussing with @simar7 (cc @nikpivkin), I understand that:
This feels backwards to me, and defeats the goal of having input validation and type checking, since the schema will always satisfy the validator/type-checker even if there's a mistake.
The schema should be a reflection of the data model, and should be generated from it.
Also, the schema today is shipped with the defsec checks bundle. The bundle has a different lifecycle than Trivy, and that is also not good.
The schema should be a contract from the engine to the checks. This will create clear boundaries between checks and the engine and naturally solve some existing and potential issues (also mentioned here #4197).
Proposed solution: