fix(baseline): wrap CEL expressions with has() guards (closes #220)#258
Merged
mlieberman85 merged 1 commit intoMay 14, 2026
Merged
Conversation
…oss#220) The CEL expressions for two OpenSSF Baseline controls assumed fields that GitHub's API does not always return. When a non-admin token hits /orgs/<org> (OSPS-AC-01.01) or /repos/.../protection (OSPS-AC-03.02), the response omits the queried key entirely and the evaluator raises KeyError instead of falling through to the next pass. Fix wraps both expressions with has() guards, matching the pattern already in use elsewhere in this TOML (e.g. OSPS-AC-03.01 at line 2563). Missing fields now evaluate to false → INCONCLUSIVE → pipeline falls through to the manual pass (the existing fallback in both controls), which surfaces as WARN. Conservative-by-default holds: nothing pretends to PASS without a verified-positive signal. - OSPS-AC-01.01 (RequireMFA): has(...two_factor_requirement_enabled) - OSPS-AC-03.02 (PreventBranchDeletion): chained has() because both the outer `allow_deletions` key AND the inner `.enabled` leaf may be missing independently Adds 7 regression tests in a new TestIssue220HasGuards class covering pass / fail / outer-missing / inner-missing / value-missing for both expressions. The "missing key does not crash" tests are the canonical guards against this bug recurring. Verification: - ruff check: clean - full suite: 2115 passed (7 new) / 6 skipped / 0 failed - validate_sync.py: PASS Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #220. Two CEL expressions in `openssf-baseline.toml` accessed GitHub API fields without checking for their presence first, and crashed with `KeyError` whenever the API response omitted them — which happens routinely for non-admin tokens or orgs that hide 2FA settings.
The pattern matches an existing one in the same TOML (OSPS-AC-03.01 at line 2563): `has(output.json.enabled) && output.json.enabled == true`. Both affected controls already have a `manual` pass as their second-phase fallback, so missing fields now produce INCONCLUSIVE → fall through → WARN, rather than a hard crash. Conservative-by-default (Constitution Principle II) holds: nothing pretends to PASS without a verified-positive signal.
Test plan
🤖 Generated with Claude Code