fix all namespace issue

joejstuart · joejstuart · commit 7021c95451e5 · 2025-07-17T16:38:00.000-05:00
diff --git a/cmd/validate/image.go b/cmd/validate/image.go
@@ -322,6 +322,12 @@ func validateImageCmd(validate imageValidationFunc) *cobra.Command {
 				log.Debugf("Fetching policy source group '%s'", sourceGroup.Name)
 				policySources := source.PolicySourcesFrom(sourceGroup)
 
+				// ─── DIAGNOSTIC: Log source group details ───────────────────
+				log.Infof("DIAGNOSTIC: Creating evaluator for source group: %s", sourceGroup.Name)
+				log.Infof("DIAGNOSTIC: Source group config: %+v", sourceGroup.Config)
+				log.Infof("DIAGNOSTIC: Source group ruleData: %+v", sourceGroup.RuleData)
+				// ─────────────────────────────────────────────────────────────
+
 				for _, policySource := range policySources {
 					log.Debugf("policySource: %#v", policySource)
 				}
diff --git a/internal/evaluator/conftest_evaluator.go b/internal/evaluator/conftest_evaluator.go
@@ -308,6 +308,12 @@ func NewConftestEvaluatorWithNamespace(ctx context.Context, policySources []sour
 	}
 
 	c.include, c.exclude = computeIncludeExclude(source, p)
+
+	// ─── DIAGNOSTIC: Log include/exclude criteria ─────────────────────
+	log.Infof("DIAGNOSTIC: Include criteria: %+v", c.include)
+	log.Infof("DIAGNOSTIC: Exclude criteria: %+v", c.exclude)
+	// ───────────────────────────────────────────────────────────────────
+
 	dir, err := utils.CreateWorkDir(fs)
 	if err != nil {
 		log.Debug("Failed to create work dir!")
@@ -432,6 +438,8 @@ func (c conftestEvaluator) Evaluate(ctx context.Context, target EvaluationTarget
 	filters := filterFactory.CreateFilters(c.source)
 	filteredNamespaces := filterNamespaces(rules, filters...)
 
+	// ──────────────────────────────────────────────────────────────────
+
 	var r testRunner
 	var ok bool
 	if r, ok = ctx.Value(runnerKey).(testRunner); r == nil || !ok {
@@ -440,14 +448,34 @@ func (c conftestEvaluator) Evaluate(ctx context.Context, target EvaluationTarget
 		allNamespaces := true
 		namespaceToUse := c.namespace
 
+		// ─── DIAGNOSTIC: Print type and value of c.namespace ───────────
+		log.Infof("DEBUG: c.namespace type=%T value=%#v", c.namespace, c.namespace)
+		// ───────────────────────────────────────────────────────────────
+
 		// If we have filtered namespaces from the filtering system, use those
 		if len(filteredNamespaces) > 0 {
 			namespaceToUse = filteredNamespaces
 			allNamespaces = false
+			log.Infof("DIAGNOSTIC: Using filtered namespaces path")
 		} else if len(c.namespace) > 0 {
 			allNamespaces = false
+			log.Infof("DIAGNOSTIC: Using c.namespace path")
+		} else {
+			// ─── FIX: Prevent leak when no namespaces pass filtering ─────
+			// When filteredNamespaces is empty, we should not run conftest with AllNamespaces=true
+			// as this would evaluate ALL namespaces, bypassing our filtering.
+			// Instead, use an empty namespace list to prevent any evaluation.
+			namespaceToUse = []string{}
+			allNamespaces = false
+			log.Infof("DEBUG: Entered FIX path - this should always print if no namespaces are present")
+			// ─────────────────────────────────────────────────────────────
 		}
 
+		// ─── DIAGNOSTIC: Log namespace configuration ──────────────────
+		log.Infof("DIAGNOSTIC: namespaceToUse = %v", namespaceToUse)
+		log.Infof("DIAGNOSTIC: allNamespaces = %v", allNamespaces)
+		// ───────────────────────────────────────────────────────────────
+
 		r = &conftestRunner{
 			runner.TestRunner{
 				Data:          []string{c.dataDir},
@@ -461,6 +489,13 @@ func (c conftestEvaluator) Evaluate(ctx context.Context, target EvaluationTarget
 		}
 	}
 
+	// ─── DIAGNOSTIC: Log conftest runner configuration ───────────────
+	if cr, ok := r.(*conftestRunner); ok {
+		log.Infof("DIAGNOSTIC: Conftest runner config: Policy=%v, Namespace=%v, AllNamespaces=%v",
+			cr.TestRunner.Policy, cr.TestRunner.Namespace, cr.TestRunner.AllNamespaces)
+	}
+	// ──────────────────────────────────────────────────────────────────
+
 	log.Debugf("runner: %#v", r)
 	log.Debugf("inputs: %#v", target.Inputs)
 
@@ -504,6 +539,11 @@ func (c conftestEvaluator) Evaluate(ctx context.Context, target EvaluationTarget
 			warning := result.Warnings[i]
 			addRuleMetadata(ctx, &warning, rules)
 
+			// ─── DIAGNOSTIC: Log warning result filtering ─────────────────
+			log.Infof("DIAGNOSTIC: Warning result from namespace %s - included: %v",
+				result.Namespace, c.isResultIncluded(warning, target.Target, missingIncludes))
+			// ─────────────────────────────────────────────────────────────
+
 			if !c.isResultIncluded(warning, target.Target, missingIncludes) {
 				log.Debugf("Skipping result warning: %#v", warning)
 				continue
@@ -520,6 +560,11 @@ func (c conftestEvaluator) Evaluate(ctx context.Context, target EvaluationTarget
 			failure := result.Failures[i]
 			addRuleMetadata(ctx, &failure, rules)
 
+			// ─── DIAGNOSTIC: Log failure result filtering ─────────────────
+			log.Infof("DIAGNOSTIC: Failure result from namespace %s - included: %v",
+				result.Namespace, c.isResultIncluded(failure, target.Target, missingIncludes))
+			// ─────────────────────────────────────────────────────────────
+
 			if !c.isResultIncluded(failure, target.Target, missingIncludes) {
 				log.Debugf("Skipping result failure: %#v", failure)
 				continue
