fix a bug where failed expressions would recompile on every event #690
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
📝 WalkthroughWalkthroughAdded logging and caching of nil on compile/program-creation failures and introduced nil-program guards across CEL evaluation paths; evaluation skips expressions cached as nil and returns empty string on nil evaluation output. Event-type pre-filtering removal from map-based evaluation is retained. Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@pkg/rulemanager/cel/cel.go`:
- Around line 131-142: The code currently unconditionally sets
c.programCache[expression.Expression] = nil on any evaluation error from
program.Eval, which can permanently disable a valid expression; instead, remove
the unconditional cache invalidation and only invalidate the cache for
permanent/compilation errors by checking the error type (e.g., perform a type
assertion against known permanent error types from the CEL/xcel package such as
compile/static-check errors) before acquiring c.cacheMutex and setting
c.programCache[expression.Expression] = nil; for all other runtime/transient
errors return the error without mutating the cache and add a brief comment near
program.Eval explaining the rationale.
♻️ Duplicate comments (3)
pkg/rulemanager/cel/cel.go (3)
169-178: Nil check is correct; same eval-error caching concern applies.The nil program guard is appropriate. The cache invalidation on evaluation error (lines 175-177) has the same concern as noted in
EvaluateRule.
194-214: Nil check is correct; same eval-error caching concern applies.The nil program guard is appropriate for
EvaluateExpressionByMap. The cache invalidation on evaluation error has the same concern as noted earlier.
225-235: Nil check is correct; same eval-error caching concern applies.The nil program guard is appropriate for
EvaluateExpression. The cache invalidation on evaluation error has the same concern as noted earlier.
matthyx
reviewed
Jan 20, 2026
matthyx
reviewed
Jan 20, 2026
matthyx
reviewed
Jan 20, 2026
matthyx
requested changes
Jan 20, 2026
Signed-off-by: Yakir Oren <yakiroren@gmail.com>
YakirOren
force-pushed
the
fix/failed-rule-recompilation
branch
from
ad52a70 to
4493860
Compare
matthyx
approved these changes
Feb 2, 2026
Darkflame72
pushed a commit
to Darkflame72/home-ops
that referenced
this pull request
Feb 10, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [kubescape-operator](https://kubescape.io/) ([source](https://redirect.github.com/kubescape/helm-charts)) | patch | `1.30.2` → `1.30.3` | --- ### Release Notes <details> <summary>kubescape/helm-charts (kubescape-operator)</summary> ### [`v1.30.3`](https://redirect.github.com/kubescape/helm-charts/releases/tag/kubescape-operator-1.30.3) [Compare Source](https://redirect.github.com/kubescape/helm-charts/compare/kubescape-operator-1.30.2...kubescape-operator-1.30.3) Kubescape is an E2E Kubernetes cluster security platform #### What's Changed - chore: adding the ability to adjust the source of busybox by [@​drew-viles](https://redirect.github.com/drew-viles) in [#​784](https://redirect.github.com/kubescape/helm-charts/pull/784) - add k8s context tag by [@​YakirOren](https://redirect.github.com/YakirOren) in [#​785](https://redirect.github.com/kubescape/helm-charts/pull/785) - run system tests from private repo by [@​bvolovat](https://redirect.github.com/bvolovat) in [#​786](https://redirect.github.com/kubescape/helm-charts/pull/786) - add stream logs and wait for tests finish by [@​bvolovat](https://redirect.github.com/bvolovat) in [#​787](https://redirect.github.com/kubescape/helm-charts/pull/787) - fix attempt by [@​bvolovat](https://redirect.github.com/bvolovat) in [#​788](https://redirect.github.com/kubescape/helm-charts/pull/788) - Update 02-e2e-test.yaml by [@​armobot](https://redirect.github.com/armobot) in [#​789](https://redirect.github.com/kubescape/helm-charts/pull/789) - Run test from private repo by [@​bvolovat](https://redirect.github.com/bvolovat) in [#​791](https://redirect.github.com/kubescape/helm-charts/pull/791) - add workflow\_call by [@​bvolovat](https://redirect.github.com/bvolovat) in [#​792](https://redirect.github.com/kubescape/helm-charts/pull/792) - add startup probe by [@​YakirOren](https://redirect.github.com/YakirOren) in [#​793](https://redirect.github.com/kubescape/helm-charts/pull/793) - <kubescape/kubescape@v3.0.47...v3.0.48> - Fix typos in documentation by [@​oglok](https://redirect.github.com/oglok) in [kubescape/kubescape#1913](https://redirect.github.com/kubescape/kubescape/pull/1913) - fix: Kustomize directory analysis not working by [@​majiayu000](https://redirect.github.com/majiayu000) in [kubescape/kubescape#1914](https://redirect.github.com/kubescape/kubescape/pull/1914) - feat: Define labels to copy from workloads to reports by [@​majiayu000](https://redirect.github.com/majiayu000) in [kubescape/kubescape#1915](https://redirect.github.com/kubescape/kubescape/pull/1915) - Add SkipPersistence flag to MetricsQueryParams in metrics endpoint by [@​BroderPeters](https://redirect.github.com/BroderPeters) in [kubescape/kubescape#1917](https://redirect.github.com/kubescape/kubescape/pull/1917) - ci: update scorecard action version by [@​AndrewCharlesHay](https://redirect.github.com/AndrewCharlesHay) in [kubescape/kubescape#1918](https://redirect.github.com/kubescape/kubescape/pull/1918) - update test lists by [@​amirmalka](https://redirect.github.com/amirmalka) in [kubescape/kubescape#1919](https://redirect.github.com/kubescape/kubescape/pull/1919) - build(deps): Bump github.com/sigstore/cosign/v3 from 3.0.3-0.20251208232815-901b44d65952 to 3.0.4 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [kubescape/kubescape#1920](https://redirect.github.com/kubescape/kubescape/pull/1920) - Update build number retrieval and permissions in workflow by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/kubescape#1921](https://redirect.github.com/kubescape/kubescape/pull/1921) - Fix workload scan to include allcontrols framework by [@​Copilot](https://redirect.github.com/Copilot) in [kubescape/kubescape#1922](https://redirect.github.com/kubescape/kubescape/pull/1922) - build(deps): Bump github.com/sigstore/fulcio from 1.8.4 to 1.8.5 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [kubescape/kubescape#1923](https://redirect.github.com/kubescape/kubescape/pull/1923) - Fix panic on unsafe interface{} to string type assertions by [@​Copilot](https://redirect.github.com/Copilot) in [kubescape/kubescape#1926](https://redirect.github.com/kubescape/kubescape/pull/1926) - build(deps): Bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.3.1 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [kubescape/kubescape#1927](https://redirect.github.com/kubescape/kubescape/pull/1927) - build(deps): Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [kubescape/kubescape#1928](https://redirect.github.com/kubescape/kubescape/pull/1928) - <kubescape/operator@v0.2.121...v0.2.126> - bump version by [@​jnathangreeg](https://redirect.github.com/jnathangreeg) in [kubescape/operator#349](https://redirect.github.com/kubescape/operator/pull/349) - Fix comment typo in checkECRRegistry function to clarify \_catalog end… by [@​jnathangreeg](https://redirect.github.com/jnathangreeg) in [kubescape/operator#351](https://redirect.github.com/kubescape/operator/pull/351) - add permissions by [@​bvolovat](https://redirect.github.com/bvolovat) in [kubescape/operator#352](https://redirect.github.com/kubescape/operator/pull/352) - bump github.com/armosec/armoapi-go v0.0.673 by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/operator#353](https://redirect.github.com/kubescape/operator/pull/353) - bump github.com/kubescape/go-logger v0.0.26 by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/operator#354](https://redirect.github.com/kubescape/operator/pull/354) - bump github.com/goradd/maps v1.3.0 by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/operator#355](https://redirect.github.com/kubescape/operator/pull/355) - <kubescape/kubevuln@v0.3.98...v0.3.104> - replace debian 12 with debian 13 when building container images by [@​pfarikrispy](https://redirect.github.com/pfarikrispy) in [kubescape/kubevuln#317](https://redirect.github.com/kubescape/kubevuln/pull/317) - Add comprehensive documentation and governance by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/kubevuln#318](https://redirect.github.com/kubescape/kubevuln/pull/318) - Bump github.com/cilium/cilium from 1.16.9 to 1.16.17 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [kubescape/kubevuln#319](https://redirect.github.com/kubescape/kubevuln/pull/319) - Add timeout to Grype DB update with graceful fallback to prevent indefinite readiness probe failures by [@​Copilot](https://redirect.github.com/Copilot) in [kubescape/kubevuln#320](https://redirect.github.com/kubescape/kubevuln/pull/320) - Prevent DB update cancellation on readiness probe by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/kubevuln#321](https://redirect.github.com/kubescape/kubevuln/pull/321) - <kubescape/storage@v0.0.237...v0.0.239> - feat: handle large object storage by clearing spec and updating annotations by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/storage#279](https://redirect.github.com/kubescape/storage/pull/279) - bump k8s version to v0.35.0 by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/storage#280](https://redirect.github.com/kubescape/storage/pull/280) - <kubescape/node-agent@v0.3.11...v0.3.36> - feat: propagate IsTriggerAlert field from rules to runtime alerts by [@​slashben](https://redirect.github.com/slashben) in [kubescape/node-agent#686](https://redirect.github.com/kubescape/node-agent/pull/686) - Generating release by [@​slashben](https://redirect.github.com/slashben) in [kubescape/node-agent#688](https://redirect.github.com/kubescape/node-agent/pull/688) - Feature/rule engine redesign by [@​YakirOren](https://redirect.github.com/YakirOren) in [kubescape/node-agent#685](https://redirect.github.com/kubescape/node-agent/pull/685) - refactor: update cloud metadata types to use armotypes package by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/node-agent#689](https://redirect.github.com/kubescape/node-agent/pull/689) - Replace host sensor with node agent sensing by [@​Bezbran](https://redirect.github.com/Bezbran) in [kubescape/node-agent#681](https://redirect.github.com/kubescape/node-agent/pull/681) - use k8s-interface by [@​Bezbran](https://redirect.github.com/Bezbran) in [kubescape/node-agent#691](https://redirect.github.com/kubescape/node-agent/pull/691) - optimize header parsing and add early return in ruleAppliesToContext by [@​YakirOren](https://redirect.github.com/YakirOren) in [kubescape/node-agent#692](https://redirect.github.com/kubescape/node-agent/pull/692) - improve field accessor retrieval with nil checks and type assertions by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/node-agent#694](https://redirect.github.com/kubescape/node-agent/pull/694) - Bump github.com/sigstore/sigstore from 1.9.5 to 1.10.4 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [kubescape/node-agent#696](https://redirect.github.com/kubescape/node-agent/pull/696) - Add Azure ResourceGroup enrichment to CloudMetadata by [@​slashben](https://redirect.github.com/slashben) in [kubescape/node-agent#697](https://redirect.github.com/kubescape/node-agent/pull/697) - Add unit tests for Azure ResourceGroup parsing by [@​slashben](https://redirect.github.com/slashben) in [kubescape/node-agent#698](https://redirect.github.com/kubescape/node-agent/pull/698) - remove toMap function by [@​YakirOren](https://redirect.github.com/YakirOren) in [kubescape/node-agent#693](https://redirect.github.com/kubescape/node-agent/pull/693) - run system test from private repo by [@​bvolovat](https://redirect.github.com/bvolovat) in [kubescape/node-agent#700](https://redirect.github.com/kubescape/node-agent/pull/700) - bump: update golang-set dependency to v2.8.0 by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/node-agent#701](https://redirect.github.com/kubescape/node-agent/pull/701) - bump: update armoapi-go dependency to v0.0.671 by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/node-agent#702](https://redirect.github.com/kubescape/node-agent/pull/702) - update the tests\_groups by [@​bvolovat](https://redirect.github.com/bvolovat) in [kubescape/node-agent#703](https://redirect.github.com/kubescape/node-agent/pull/703) - bump: update dependencies for backend, storage, and OpenAPI packages by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/node-agent#704](https://redirect.github.com/kubescape/node-agent/pull/704) - update chart repo by [@​bvolovat](https://redirect.github.com/bvolovat) in [kubescape/node-agent#705](https://redirect.github.com/kubescape/node-agent/pull/705) - bump: update cel-go dependency to v0.26.1 by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/node-agent#706](https://redirect.github.com/kubescape/node-agent/pull/706) - Implement ClusterUID enrichment for runtime alerts by [@​slashben](https://redirect.github.com/slashben) in [kubescape/node-agent#708](https://redirect.github.com/kubescape/node-agent/pull/708) - fix a bug where failed expressions would recompile on every event by [@​YakirOren](https://redirect.github.com/YakirOren) in [kubescape/node-agent#690](https://redirect.github.com/kubescape/node-agent/pull/690) - fix container watcher error propagation by [@​YakirOren](https://redirect.github.com/YakirOren) in [kubescape/node-agent#709](https://redirect.github.com/kubescape/node-agent/pull/709) - add permissions by [@​bvolovat](https://redirect.github.com/bvolovat) in [kubescape/node-agent#710](https://redirect.github.com/kubescape/node-agent/pull/710) - upgrade to IG v0.48.1 by [@​matthyx](https://redirect.github.com/matthyx) in [kubescape/node-agent#695](https://redirect.github.com/kubescape/node-agent/pull/695) - <kubescape/synchronizer@v0.0.127...v0.0.128> - perf: optimize memory usage by avoiding string-to-byte conversions by [@​amirmalka](https://redirect.github.com/amirmalka) in [kubescape/synchronizer#135](https://redirect.github.com/kubescape/synchronizer/pull/135) #### New Contributors - [@​drew-viles](https://redirect.github.com/drew-viles) made their first contribution in [#​784](https://redirect.github.com/kubescape/helm-charts/pull/784) - [@​YakirOren](https://redirect.github.com/YakirOren) made their first contribution in [#​785](https://redirect.github.com/kubescape/helm-charts/pull/785) - [@​armobot](https://redirect.github.com/armobot) made their first contribution in [#​789](https://redirect.github.com/kubescape/helm-charts/pull/789) - [@​pfarikrispy](https://redirect.github.com/pfarikrispy) made their first contribution in [kubescape/kubevuln#317](https://redirect.github.com/kubescape/kubevuln/pull/317) - [@​bvolovat](https://redirect.github.com/bvolovat) made their first contribution in [kubescape/operator#352](https://redirect.github.com/kubescape/operator/pull/352) - [@​oglok](https://redirect.github.com/oglok) made their first contribution in [kubescape/kubescape#1913](https://redirect.github.com/kubescape/kubescape/pull/1913) - [@​majiayu000](https://redirect.github.com/majiayu000) made their first contribution in [kubescape/kubescape#1914](https://redirect.github.com/kubescape/kubescape/pull/1914) - [@​BroderPeters](https://redirect.github.com/BroderPeters) made their first contribution in [kubescape/kubescape#1917](https://redirect.github.com/kubescape/kubescape/pull/1917) - [@​AndrewCharlesHay](https://redirect.github.com/AndrewCharlesHay) made their first contribution in [kubescape/kubescape#1918](https://redirect.github.com/kubescape/kubescape/pull/1918) - [@​Bezbran](https://redirect.github.com/Bezbran) made their first contribution in [kubescape/node-agent#681](https://redirect.github.com/kubescape/node-agent/pull/681) - [@​bvolovat](https://redirect.github.com/bvolovat) made their first contribution in [kubescape/node-agent#700](https://redirect.github.com/kubescape/node-agent/pull/700) **Full Changelog**: <kubescape/helm-charts@kubescape-operator-1.30.2...kubescape-operator-1.30.3> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/Darkflame72/home-ops). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45NS4yIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUvaGVsbSIsInR5cGUvcGF0Y2giXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary by CodeRabbit