BCH-1296: AWS ECR compliance plugin

[saltpy-cs]

Summary

• Implements the plugin-aws-ecr binary — fetches ECR repository, registry, and image data via AWS SDK v2 and evaluates OPA policy bundles for each resource type
• Three resource types: ecr-repository (CONFIG), ecr-registry (CONFIG), ecr-image (DYNAMIC with 90-day lookback)
• Policy bundle behaviour mapping scopes the three split policy repos (ecr-repository-policies, ecr-registry-policies, ecr-image-policies) to their respective resource type evaluations
• GitHub Actions workflows restructured to match the four-file split pattern (test.yml / push.yml / build-and-upload.yml / release.yml) established in plugin-aws-acm

Test plan

• go test ./... passes
• go build ./... produces a valid binary
• e2e tests pass: eval $(aws configure export-credentials ...) && PLUGIN_REF=feat/BCH-1296 POLICY_REF=feat/BCH-1296 make e2e from local-dev/e2e/ecr-repository/
• Local env starts and agent emits evidence: make start && make inject from local-dev/envs/aws-ecr/

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores

  • Reorganized GitHub Actions workflows for improved reusability and maintainability.
  • Removed redundant go vet checks from testing pipeline.

• Changes

  • Updated ECR policy-to-behavior mappings for more granular control over repository, registry, and image policy validation.

[coderabbitai]

Warning

Review limit reached

@saltpy-cs, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 8 minutes and 27 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 9baff300-7468-4e98-a1e2-a627cfedff83

📥 Commits

Reviewing files that changed from the base of the PR and between 30b4c12 and afacc4d.

📒 Files selected for processing (6)

• .github/workflows/build-and-upload.yml
• .github/workflows/ci.yml
• .github/workflows/push.yml
• .github/workflows/release.yml
• .github/workflows/test.yml
• main.go

📝 Walkthrough

Walkthrough

The PR refactors GitHub Actions CI/CD workflows into reusable components and refines policy evaluation scoping. Test and build-and-upload workflows are extracted as callable workflows, invoked by dedicated push and release dispatchers. The plugin policy-to-behavior mapping is updated to scope each bundle to a single behavior.

Changes

GitHub Actions Workflow Consolidation

Layer / File(s)	Summary
Reusable Test Workflow .github/workflows/test.yml	Test workflow converted to reusable via workflow_call, permissions moved to job level, and go vet step removed; now runs only checkout, Go setup, and go test ./....
Push Workflow Dispatcher .github/workflows/push.yml	New workflow invokes the test reusable workflow on pull_request and push events with contents: read permission.
Build and Upload Reusable Workflow .github/workflows/build-and-upload.yml	New reusable workflow runs GoReleaser (release --clean), installs gooci CLI, authenticates to GHCR with GITHUB_TOKEN, uploads dist/ to a version tag, and conditionally uploads latest tag when the git ref does not contain a hyphen.
Release Workflow Refactor .github/workflows/release.yml	Release job delegates to build-and-upload reusable workflow instead of inline steps; declares packages: write and contents: write permissions.

Policy Behavior Scoping

Layer / File(s)	Summary
Scoped Policy-Behavior Mapping main.go	defaultBehaviorMapping updated to map ecr-repository-policies only to repository behavior, ecr-registry-policies only to registry behavior, and ecr-image-policies only to image behavior; removes prior all-in-one bundle.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• compliance-framework/plugin-aws-ecr#3: Both PRs refine the plugin's Eval logic to use behavior-scoped policy-to-bundle mappings rather than a single unified bundle.

Poem

🐰 Workflows now call workflows, a dance of delegation divine,
Build and test split apart, each with a purpose fine,
Policies now scoped by behavior, no more bundled in one,
CI/CD architecture blooms—the refactoring is done! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'BCH-1296: AWS ECR compliance plugin' clearly identifies the main change: adding a new AWS ECR compliance plugin with CI/CD workflow restructuring.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

main.go (1)

124-130: 🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider skipping repository fetch when neither repository nor image policies are configured.

The registry (line 141) and image (line 155) fetch operations are conditional on their respective policy paths, but repository fetch always executes. When only registry policies are configured, this results in unnecessary DescribeRepositories API calls per region.

⚡ Proposed optimization to skip fetch when policies not needed

+	var repos []internal.RepositoryContext
+	if len(repositoryPaths) > 0 || len(imagePaths) > 0 {
 		// CONFIG — repository checks
-		repos, err := dataFetcher.FetchRepositories(ctx, region)
+		var err error
+		repos, err = dataFetcher.FetchRepositories(ctx, region)
 		if err != nil {
 			return &proto.EvalResponse{Status: proto.ExecutionStatus_FAILURE}, fmt.Errorf("region %s: fetching repositories: %w", region, err)
 		}
 
 		// Filter to configured accounts if any are specified.
 		repos = internal.FilterByAccounts(repos, l.config.Accounts)
+	}
 
+	if len(repositoryPaths) > 0 {
 		for _, repo := range repos {
 			evidences, err := policyEvaluator.EvalRepository(ctx, repo, repositoryPaths, l.policyData, l.config.PolicyLabels)
 			allEvidences = append(allEvidences, evidences...)
 			if err != nil {
 				evalErrors = errors.Join(evalErrors, fmt.Errorf("evaluating repository %s: %w", repo.RepositoryName, err))
 			}
 		}
+	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@main.go` around lines 124 - 130, The code always calls
dataFetcher.FetchRepositories(ctx, region) even when neither repository nor
image policies are configured, causing unnecessary DescribeRepositories calls;
update the logic in the block around FetchRepositories and
internal.FilterByAccounts to first check the config policy paths (e.g.,
l.config.RepositoryPolicyPath and l.config.ImagePolicyPath or whatever flags
indicate repository/image policy usage) and only call
dataFetcher.FetchRepositories when repository policies are configured or image
policies require repository metadata; if skipped, ensure repos is set to an
empty slice (or nil) so subsequent code that uses repos behaves correctly and
keep the existing error handling for FetchRepositories inside the guarded
branch.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-and-upload.yml:
- Around line 13-18: The workflow currently references actions by floating tags
`actions/checkout@v4` and `actions/setup-go@v5`; update these to immutable
commit SHAs by replacing the tag refs with the corresponding commit SHA values
(e.g., `actions/checkout@<SHA>` and `actions/setup-go@<SHA>`), then commit the
updated .github/workflows/build-and-upload.yml; ensure you pick SHAs that match
the intended release versions and add a note to add Dependabot/Renovate to keep
those SHAs updated.
- Around line 16-18: The workflow currently uses actions/setup-go@v5 with
go-version-file: go.mod which enables caching by default; for deterministic
release builds, add the setup-go input to disable caching (set cache to "none")
in the job that builds releases so the Go toolchain is installed without using
cached modules or toolchain state. Update the step referencing
actions/setup-go@v5 (the step that includes go-version-file: go.mod) to include
cache: "none" to ensure a clean build environment for release artifacts.
- Around line 30-31: Replace the direct template expansions in the "gooci Upload
Version" run command with environment variables and use proper shell quoting to
prevent injection: add env entries (e.g., UPLOAD_OWNER: ${{
github.repository_owner }}, UPLOAD_REPO: ${{ github.event.repository.name }},
UPLOAD_REF: ${{ github.ref_name }}) and change the run line in that step to call
gooci with a single, quoted image argument (e.g., gooci upload dist/
"ghcr.io/${UPLOAD_OWNER}/${UPLOAD_REPO}:${UPLOAD_REF}") so the expanded values
are treated as data, not code; reference the step name "gooci Upload Version"
and the run command when making the change.
- Around line 28-29: Replace the inline template expansion in the "Authenticate
gooci cli" step with environment variables to prevent shell injection: set env
entries (e.g., GITHUB_ACTOR and GITHUB_TOKEN) from ${{ github.actor }} and ${{
secrets.GITHUB_TOKEN }}, then call the same command using those env vars (use
quoted variable references like "$GITHUB_ACTOR" and "$GITHUB_TOKEN") so the run
step no longer directly expands template values into the shell.
- Around line 32-34: The "gooci Upload Latest" step is vulnerable to shell
injection because it expands github.repository_owner and
github.event.repository.name directly in the run line; fix it by moving those
GitHub expressions into step-level environment variables (e.g., OWNER and REPO)
and then call the upload with the env vars (quoting them) instead of inlining
expressions—update the step named "gooci Upload Latest" to set env: OWNER: ${{
github.repository_owner }} and REPO: ${{ github.event.repository.name }} and use
those variables in the run command (e.g., refer to $OWNER/$REPO:latest, quoted)
to prevent injection.

In @.github/workflows/release.yml:
- Around line 10-12: Remove the redundant permissions block from release.yml by
deleting the "permissions:" section that contains "packages: write" and
"contents: write" since those permissions are already provided by the called
reusable workflow; ensure no subsequent steps in release.yml rely on an
overridden permissions block after removal.

In @.github/workflows/test.yml:
- Around line 21-22: Restore a GitHub Actions step that runs go vet to re-enable
static analysis: add a step named "Vet" (or insert a run step into the existing
"Test" job) that executes "go vet ./..." prior to running "go test ./...";
ensure it runs after the Go setup (actions/setup-go) step so the Go toolchain is
available.
- Around line 14-20: The workflow uses unpinned third-party actions
(actions/checkout@v4 and actions/setup-go@v5); update those refs to pinned
commit SHAs (the full @<40-hex> ref) to harden the supply chain by replacing the
version tags with the corresponding commit SHA for each action (locate the SHA
on the action's GitHub repo or Marketplace and substitute it for
actions/checkout@v4 and actions/setup-go@v5), keeping the existing inputs like
persist-credentials and go-version-file unchanged.

---

Outside diff comments:
In `@main.go`:
- Around line 124-130: The code always calls dataFetcher.FetchRepositories(ctx,
region) even when neither repository nor image policies are configured, causing
unnecessary DescribeRepositories calls; update the logic in the block around
FetchRepositories and internal.FilterByAccounts to first check the config policy
paths (e.g., l.config.RepositoryPolicyPath and l.config.ImagePolicyPath or
whatever flags indicate repository/image policy usage) and only call
dataFetcher.FetchRepositories when repository policies are configured or image
policies require repository metadata; if skipped, ensure repos is set to an
empty slice (or nil) so subsequent code that uses repos behaves correctly and
keep the existing error handling for FetchRepositories inside the guarded
branch.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5aeda375-65ed-40d9-84fd-12c6b4c2c48a

📥 Commits

Reviewing files that changed from the base of the PR and between 2afe597 and 30b4c12.

📒 Files selected for processing (5)

• .github/workflows/build-and-upload.yml
• .github/workflows/push.yml
• .github/workflows/release.yml
• .github/workflows/test.yml
• main.go