chore(gates): store whether the attestation was gated

app/cli/cmd/workflow_workflow_run_describe.go

@@ -165,6 +165,9 @@ func workflowRunDescribeTableOutput(run *action.WorkflowRunItemFull) error {
 	if att.PolicyEvaluationStatus.Blocked {
 		gt.AppendRow(table.Row{"Run Blocked", att.PolicyEvaluationStatus.Blocked})
 	}
+	if att.PolicyEvaluationStatus.HasGatedViolations {
+		gt.AppendRow(table.Row{"Run Gated", text.Colors{text.FgHiRed}.Sprint(att.PolicyEvaluationStatus.HasGatedViolations)})
+	}
 	if att.PolicyEvaluationStatus.Strategy == action.PolicyViolationBlockingStrategyEnforced {
 		gt.AppendRow(table.Row{"Policy enforcement bypassed", att.PolicyEvaluationStatus.Bypassed})
 	}

app/cli/pkg/action/workflow_run_describe.go

@@ -64,10 +64,11 @@ type WorkflowRunAttestationItem struct {
 }
 
 type PolicyEvaluationStatus struct {
-	Strategy      string `json:"strategy"`
-	Bypassed      bool   `json:"bypassed"`
-	Blocked       bool   `json:"blocked"`
-	HasViolations bool   `json:"has_violations"`
+	Strategy           string `json:"strategy"`
+	Bypassed           bool   `json:"bypassed"`
+	Blocked            bool   `json:"blocked"`
+	HasViolations      bool   `json:"has_violations"`
+	HasGatedViolations bool   `json:"has_gated_violations"`
 }
 
 type Material struct {
@@ -236,10 +237,11 @@ func (action *WorkflowRunDescribe) Run(ctx context.Context, opts *WorkflowRunDes
 		Digest:            att.DigestInCasBackend,
 		PolicyEvaluations: evaluations,
 		PolicyEvaluationStatus: &PolicyEvaluationStatus{
-			Strategy:      policyEvaluationStatus.Strategy,
-			Bypassed:      policyEvaluationStatus.Bypassed,
-			Blocked:       policyEvaluationStatus.Blocked,
-			HasViolations: policyEvaluationStatus.HasViolations,
+			Strategy:           policyEvaluationStatus.Strategy,
+			Bypassed:           policyEvaluationStatus.Bypassed,
+			Blocked:            policyEvaluationStatus.Blocked,
+			HasViolations:      policyEvaluationStatus.HasViolations,
+			HasGatedViolations: policyEvaluationStatus.HasGatedViolations,
 		},
 	}
 

app/controlplane/api/controlplane/v1/response_messages.proto

@@ -116,6 +116,7 @@ message AttestationItem {
     bool bypassed = 2;
     bool blocked = 3;
     bool has_violations = 4;
+    bool has_gated_violations = 5;
   }
 
   message EnvVariable {

app/controlplane/internal/service/attestation.go

@@ -553,10 +553,11 @@ func bizAttestationToPb(att *biz.Attestation) (*cpAPI.AttestationItem, error) {
 		Annotations:        predicate.GetAnnotations(),
 		PolicyEvaluations:  extractPolicyEvaluations(predicate.GetPolicyEvaluations()),
 		PolicyEvaluationStatus: &cpAPI.AttestationItem_PolicyEvaluationStatus{
-			Strategy:      string(policyEvaluationStatus.Strategy),
-			Bypassed:      policyEvaluationStatus.Bypassed,
-			Blocked:       policyEvaluationStatus.Blocked,
-			HasViolations: policyEvaluationStatus.HasViolations,
+			Strategy:           string(policyEvaluationStatus.Strategy),
+			Bypassed:           policyEvaluationStatus.Bypassed,
+			Blocked:            policyEvaluationStatus.Blocked,
+			HasViolations:      policyEvaluationStatus.HasViolations,
+			HasGatedViolations: policyEvaluationStatus.HasGatedViolations,
 		},
 		Bundle: att.Bundle,
 	}, nil

app/controlplane/pkg/biz/referrer.go

@@ -300,12 +300,14 @@ func extractReferrers(att *dsse.Envelope, digest cr_v1.Hash, repo ReferrerRepo)
 	// We add both annotations and workflow metadata
 	attestationReferrer.Annotations = predicate.GetAnnotations()
 	hasViolations := predicate.GetPolicyEvaluationStatus().HasViolations
+	hasGatedViolations := predicate.GetPolicyEvaluationStatus().HasGatedViolations
 	attestationReferrer.Metadata = map[string]string{
 		// workflow name, team and project
 		"name":                     predicate.GetMetadata().Name,
 		"team":                     predicate.GetMetadata().Team,
 		"project":                  predicate.GetMetadata().Project,
 		"hasPolicyViolations":      fmt.Sprintf("%t", hasViolations),
+		"hasGatedPolicyViolations": fmt.Sprintf("%t", hasGatedViolations),
 		"projectVersion":           predicate.GetMetadata().ProjectVersion,
 		"projectVersionPrerelease": fmt.Sprintf("%t", predicate.GetMetadata().ProjectVersionPrerelease),
 		"organization":             predicate.GetMetadata().Organization,

app/controlplane/pkg/biz/referrer_integration_test.go

@@ -257,6 +257,7 @@ func (s *referrerIntegrationTestSuite) TestExtractAndPersists() {
 			"project":                  "test",
 			"team":                     "my-team",
 			"organization":             "my-org",
+			"hasGatedPolicyViolations": "false",
 			"hasPolicyViolations":      "false",
 			"projectVersion":           "",
 			"projectVersionPrerelease": "false",

app/controlplane/pkg/biz/referrer_test.go

@@ -103,6 +103,7 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 						"project":                  "foo",
 						"projectVersion":           "",
 						"projectVersionPrerelease": "false",
+						"hasGatedPolicyViolations": "false",
 						"hasPolicyViolations":      "false",
 					},
 					Annotations: map[string]string{
@@ -157,6 +158,7 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 						"project":                  "bar",
 						"projectVersion":           "",
 						"projectVersionPrerelease": "false",
+						"hasGatedPolicyViolations": "false",
 						"hasPolicyViolations":      "false",
 					},
 					Annotations: map[string]string{
@@ -193,6 +195,7 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 						"project":                  "foo",
 						"projectVersion":           "",
 						"projectVersionPrerelease": "false",
+						"hasGatedPolicyViolations": "false",
 						"hasPolicyViolations":      "false",
 					},
 					Annotations: map[string]string{
@@ -257,6 +260,7 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 						"project":                  "test",
 						"projectVersion":           "",
 						"projectVersionPrerelease": "false",
+						"hasGatedPolicyViolations": "false",
 						"hasPolicyViolations":      "false",
 					},
 					References: []*Referrer{

pkg/attestation/renderer/chainloop/chainloop.go

@@ -54,6 +54,8 @@ type PolicyEvaluationStatus struct {
 	Blocked bool
 	// Whether the attestation has policy violations
 	HasViolations bool
+	// Whether the attestation has gated policy violations
+	HasGatedViolations bool
 }
 
 type NormalizedMaterial struct {

pkg/attestation/renderer/chainloop/v02.go

@@ -48,6 +48,8 @@ type ProvenancePredicateV02 struct {
 
 	// Whether the attestation has policy violations
 	PolicyHasViolations bool `json:"policyHasViolations"`
+	// Whether the attestation has policy violations in gated policies
+	PolicyHasGatedViolations bool `json:"policyHasGatedViolations,omitempty"`
 	// Whether we want to block the attestation on policy violations
 	PolicyCheckBlockingStrategy PolicyViolationBlockingStrategy `json:"policyCheckBlockingStrategy"`
 	// Whether the policy check was bypassed
@@ -248,6 +250,7 @@ func (r *RendererV02) predicate() (*structpb.Struct, error) {
 		Materials:                   normalizedMaterials,
 		PolicyEvaluations:           policies,
 		PolicyHasViolations:         hasViolations,
+		PolicyHasGatedViolations:    gated,
 		PolicyCheckBlockingStrategy: policyCheckBlockingStrategy,
 		PolicyBlockBypassEnabled:    r.att.GetBypassPolicyCheck(),
 		PolicyAttBlocked:            blocked,
@@ -413,10 +416,11 @@ func (p *ProvenancePredicateV02) GetPolicyEvaluations() map[string][]*PolicyEval
 
 func (p *ProvenancePredicateV02) GetPolicyEvaluationStatus() *PolicyEvaluationStatus {
 	return &PolicyEvaluationStatus{
-		Strategy:      p.PolicyCheckBlockingStrategy,
-		Bypassed:      p.PolicyBlockBypassEnabled,
-		Blocked:       p.PolicyAttBlocked,
-		HasViolations: p.PolicyHasViolations,
+		Strategy:           p.PolicyCheckBlockingStrategy,
+		Bypassed:           p.PolicyBlockBypassEnabled,
+		Blocked:            p.PolicyAttBlocked,
+		HasViolations:      p.PolicyHasViolations,
+		HasGatedViolations: p.PolicyHasGatedViolations,
 	}
 }