Expose matched rule description after policy evaluation#67
Open
annacai21 wants to merge 14 commits into
Open
Conversation
|
iamluc
reviewed
Jun 24, 2026
| if (existing && existing[0] != '\0') { | ||
| return; | ||
| } | ||
| const char *description = NULL; |
There was a problem hiding this comment.
Have you discussed the possibility of generating the description in the backend instead?
Contributor
Author
There was a problem hiding this comment.
Yes, the concern was that generating on the backend would make it harder to include runtime context (which arg matched, what value triggered the rule, etc.), since that information is only available at injection time. It would also require the backend to maintain an enum -> description mapping, meaning policy changes would need to be coordinated across repos. I'd lean toward keeping it in dd-policy-engine for those reasons, but if you have other thoughts let me know!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
After a policy evaluates to
TRUE, callers had no way to know which specific rule triggered the match. This PR surfaces that information throughplcs_eval_ctx_get_matched_description().Hardcoded policies (from the injector JSON) carry pre-written descriptions on every leaf node (e.g.
"[skip] Apache Cassandra — JVM main class matches '...'""). Remote config policies ship with no descriptions, so the engine synthesizes one from the evaluator's field label, comparator, and value (e.g."entry point class matches 'org.example.App'"). In both casesevaluate_policyprepends[skip]or[allow]when the description doesn't already start with[.Changes
eval_ctx.h/cmatched_descriptiontoplcs_eval_ctx, reset toNULLinplcs_eval_ctx_reset()plcs_eval_ctx_get_matched_description()for callers (e.g. auto_inject action callbacks)action_entry.errorfield andplcs_eval_ctx_set_action_error()evaluator.ccapture_matched_description(): called at eachBOOL_ORshort-circuit, recursed throughBOOL_NOTnodes to reach their child, and called on the last TRUE child after aBOOL_ANDloop completesStrEvaluator's field label + comparator + value when no description string is present in the binaryevaluate_policyprepends[skip]/[allow]based on the first action'sActionId, unless the description already starts with[Tests
test_matched_description.json: four policies covering nested OR capture, flat OR capture, AND last-true-child capture, and synthesized description (bare-bones node with no description)test_matched_description_policies.h: compiled FlatBuffers binary of the abovetest_evaluator.cunderevaluator_matched_descriptionNotes
matched_descriptionis reset at the start of eachevaluate_policycall — must be read inside an action callback when usingplcs_evaluate_bufferacross multiple policiesNULLif no policy matcheshttps://datadoghq.atlassian.net/browse/INPLAT-1155