
feat(report): Apply ignore policies from a directory #6338

Open. Wants to merge 7 commits into base: main
Conversation

dstrelbytskyi

Description

This expands the --ignore-policy option functionality. If a directory path is specified as the option value, it recursively finds *.rego files in the directory and applies each found policy file for the results filtration.
It's backward compatible, it can still take a single Rego file.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).


@DmitriyLewen DmitriyLewen left a comment


Hello @dstrelbytskyi
Thanks for your work!

Left a couple of notes.
Please take a look when you have time.

Regards, Dmitriy

pkg/result/filter_test.go (outdated, resolved)
pkg/result/filter.go (outdated, resolved)
pkg/result/filter.go (outdated, resolved)
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>

@DmitriyLewen DmitriyLewen left a comment


@dstrelbytskyi
Thanks for your work!

@knqyf263 take a look when you have time, please.

@dstrelbytskyi

Hey @DmitriyLewen. Is there any queue for the contributions to be reviewed/merged?
Just not sure what's the next step.
Thanks.

@DmitriyLewen

Hello @dstrelbytskyi
We have a lot of work to do now.

When @knqyf263 has time to check this PR, he will merge it.

}

if len(files) == 0 {
log.Logger.Warnf("No ignore policies found in %q", policiesPath)

Suggested change
log.Logger.Warnf("No ignore policies found in %q", policiesPath)
log.Warn("No ignore policies found", log.String("dir", pliciesPath))
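Review bot: the suggested replacement line references `pliciesPath`, which does not match the `policiesPath` identifier used in the line it replaces (and in the surrounding code), so the suggestion as written will not compile; it should read `log.Warn("No ignore policies found", log.String("dir", policiesPath))`.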

return err
}

for _, policyFile := range policyFiles {

IMHO, loading all Rego files together and evaluating the policies collectively is more intuitive for Rego users than loading and repeatedly evaluating individual Rego files. The current implementation may not work correctly if variable definitions are spread across multiple files.

To address this, using the rego.Load() function to load all Rego files from a directory recursively would be more appropriate. This ensures that all files are considered together, allowing for proper resolution of variables, rules, and dependencies.

However, since I've been away from OPA recently, I would greatly appreciate insights from @simar7 to ensure the correctness and effectiveness of this approach.

@simar7 simar7 Apr 23, 2024


+1 I'd also like to mention that running .PrepareForEval() (and the eventual evaluation itself) is an expensive operation. Doing it recursively on a directory that is user defined to load all files that match the Rego extension, whether relevant or not, can be costly.

However if we go down the route of loading all rego files via rego.Load() as @knqyf263 mentioned, I'm not sure if we can have multiple checks that can contain the same default as the compiler will error out. Since Rego checks often contain defaults that result in "fail-close" type of checks, this would be a common occurrence (e.g. multiple checks having default allow=false).

Maybe a safer route is to allow this flag to have values that can be a list of filenames rather than a directory? This would limit the scope of rego files that get loaded and evaluated.


Okay, we need to understand the use case precisely. @dstrelbytskyi Could you elaborate on it?
