From fda5b3143622d3a5820be40a6c9bae92052f7c27 Mon Sep 17 00:00:00 2001
From: Gustavo Carvalho
Date: Tue, 12 May 2026 11:19:31 -0300
Subject: [PATCH 1/2] fix: policy behavior when no data capture

Signed-off-by: Gustavo Carvalho
---
 policies/gh_org_ip_allowlist_enabled.rego | 7 ++++++-
 policies/gh_org_ip_allowlist_enabled_test.rego | 14 ++++++++++++--
 policies/gh_org_sso_enabled.rego | 6 +++++-
 policies/gh_org_sso_enabled_test.rego | 7 +++++++
 4 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/policies/gh_org_ip_allowlist_enabled.rego b/policies/gh_org_ip_allowlist_enabled.rego
index 214c79e..9740847 100644
--- a/policies/gh_org_ip_allowlist_enabled.rego
+++ b/policies/gh_org_ip_allowlist_enabled.rego
@@ -37,7 +37,11 @@ risk_templates := [
 }
 ]
 
-_ip_allow_list := object.get(input, "ip_allow_list", [])
+_ip_allow_list := object.get(input, "ip_allow_list", null)
+
+skip_reason := "IP allow-list data is unavailable (collection may be disabled or token may lack permissions), cannot evaluate IP allow-list configuration" if {
+ _ip_allow_list == null
+}
 
 _has_active_entry if {
 some entry in _ip_allow_list
@@ -45,6 +49,7 @@ _has_active_entry if {
 }
 
 violation[{"id": "ip_allowlist_not_configured"}] if {
+ _ip_allow_list != null
 not _has_active_entry
 }
 
diff --git a/policies/gh_org_ip_allowlist_enabled_test.rego b/policies/gh_org_ip_allowlist_enabled_test.rego
index b5ce7a4..8202967 100644
--- a/policies/gh_org_ip_allowlist_enabled_test.rego
+++ b/policies/gh_org_ip_allowlist_enabled_test.rego
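Review bot: The guard added to `ip_allowlist_not_configured`, `_ip_allow_list != null`, restates the `skip_reason` condition instead of referencing it, so the two can drift apart if the unavailability check ever grows; the 2/2 commit uses `not skip_reason` for `sso_not_enabled` and the same form fits here. The change also turns a null or missing allow-list from a finding into a skip, so a token without the required scope now yields no violation at all, and whatever consumes these policies must surface `skip_reason` as an explicit not-evaluated result rather than reading an empty violation set as a pass. The distinction between null and `[]` is now load-bearing and deserves a comment above `_ip_allow_list`, e.g. `# null (or a missing key) means the collector could not retrieve the allow-list; [] means it was retrieved and is empty, which is still a finding.` The `_has_active_entry` rule continues outside the hunk.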
@@ -24,6 +24,16 @@ test_ip_allowlist_empty if {
 }
 }
 
-test_ip_allowlist_missing if {
- count(violation) > 0 with input as {}
+test_ip_allowlist_null_skips if {
+ count(violation) == 0 with input as {
+ "ip_allow_list": null
+ }
+ skip_reason == "IP allow-list data is unavailable (collection may be disabled or token may lack permissions), cannot evaluate IP allow-list configuration" with input as {
+ "ip_allow_list": null
+ }
+}
+
+test_ip_allowlist_missing_skips if {
+ count(violation) == 0 with input as {}
+ skip_reason == "IP allow-list data is unavailable (collection may be disabled or token may lack permissions), cannot evaluate IP allow-list configuration" with input as {}
 }
diff --git a/policies/gh_org_sso_enabled.rego b/policies/gh_org_sso_enabled.rego
index 2874ace..b6f3873 100644
--- a/policies/gh_org_sso_enabled.rego
+++ b/policies/gh_org_sso_enabled.rego
@@ -43,7 +43,11 @@ risk_templates := [
 }
 ]
 
-_sso := object.get(input, "sso", {})
+_sso := object.get(input, "sso", null)
+
+skip_reason := "SSO configuration data is unavailable (token may lack permissions), cannot evaluate SSO enforcement status" if {
+ _sso == null
+}
 
 _sso_enabled := object.get(_sso, "enabled", false)
 
diff --git a/policies/gh_org_sso_enabled_test.rego b/policies/gh_org_sso_enabled_test.rego
index d515987..15e5cd0 100644
--- a/policies/gh_org_sso_enabled_test.rego
+++ b/policies/gh_org_sso_enabled_test.rego
@@ -36,3 +36,10 @@ test_sso_enabled_but_not_enforced if {
 test_sso_missing if {
 count(violation) == 1 with input as {}
 }
+
+test_sso_null_with_skip_reason if {
+ skip_reason == "SSO configuration data is unavailable (token may lack permissions), cannot evaluate SSO enforcement status"
+ with input as {
+ "sso": null
+ }
+}

From 30a3ce97511cdf8bd57b1254f4267cbc03369743 Mon Sep 17 00:00:00 2001
From: Gustavo Carvalho
Date: Tue, 12 May 2026 11:38:26 -0300
Subject: [PATCH 2/2] fix: copilot issues
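Review bot: With `_sso` now defaulting to null, the trailing context line `_sso_enabled := object.get(_sso, "enabled", false)` is evaluated with null as the object argument, which is a built-in type error; if I read OPA's default handling correctly that only leaves the rule undefined, but under `--strict-builtin-errors` it aborts evaluation instead of producing a skip. Because `sso_not_enabled` (outside this hunk) is not conditioned on `skip_reason` in this commit, an input with `"sso": null` yields both a skip reason and a violation, which is exactly the ambiguity `skip_reason` is meant to remove. The 2/2 commit guards both places, so either squash the two or state in this message that the tree after 1/2 is intentionally incomplete. `test_sso_null_with_skip_reason` in the test hunk asserts only the skip reason; asserting `count(violation) == 0` alongside it would have caught this in 1/2.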
Signed-off-by: Gustavo Carvalho
---
 policies/gh_org_sso_enabled.rego | 13 +++++++++----
 policies/gh_org_sso_enabled_test.rego | 6 ++++--
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/policies/gh_org_sso_enabled.rego b/policies/gh_org_sso_enabled.rego
index b6f3873..0096f07 100644
--- a/policies/gh_org_sso_enabled.rego
+++ b/policies/gh_org_sso_enabled.rego
@@ -43,15 +43,19 @@ risk_templates := [
 }
 ]
 
-_sso := object.get(input, "sso", null)
+_sso := object.get(input, "sso", {})
 
 skip_reason := "SSO configuration data is unavailable (token may lack permissions), cannot evaluate SSO enforcement status" if {
- _sso == null
+ input.sso == null
 }
 
-_sso_enabled := object.get(_sso, "enabled", false)
+_sso_enabled := object.get(_sso, "enabled", false) if {
+ _sso != null
+}
 
-_sso_enforced := object.get(_sso, "enforced", false)
+_sso_enforced := object.get(_sso, "enforced", false) if {
+ _sso != null
+}
 
 _sso_enabled_and_enforced if {
 _sso_enabled
@@ -59,6 +63,7 @@ _sso_enabled_and_enforced if {
 }
 
 violation[{"id": "sso_not_enabled"}] if {
+ not skip_reason
 not _sso_enabled_and_enforced
 }
 
diff --git a/policies/gh_org_sso_enabled_test.rego b/policies/gh_org_sso_enabled_test.rego
index 15e5cd0..243cb9c 100644
--- a/policies/gh_org_sso_enabled_test.rego
+++ b/policies/gh_org_sso_enabled_test.rego
@@ -38,8 +38,10 @@ test_sso_missing if {
 }
 
 test_sso_null_with_skip_reason if {
- skip_reason == "SSO configuration data is unavailable (token may lack permissions), cannot evaluate SSO enforcement status"
- with input as {
+ skip_reason == "SSO configuration data is unavailable (token may lack permissions), cannot evaluate SSO enforcement status" with input as {
+ "sso": null
+ }
+ count(violation) == 0 with input as {
 "sso": null
 }
 }
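Review bot: The new skip condition `input.sso == null` matches only an explicit null, not a missing key, so `{}` still produces `sso_not_enabled` (as the retained `test_sso_missing` asserts), while the 1/2 allow-list policy treats a missing `ip_allow_list` key as unavailable and skips; the two policies now disagree on what an absent field from the same collector means. If the asymmetry is deliberate, record it next to the rule, e.g. `# Only an explicit null marks SSO data as unavailable; a missing "sso" key is treated as SSO not configured and still violates.`; if not, `object.get(input, "sso", null) == null` would align it with the allow-list rule, and `test_sso_missing` would then have to expect a skip instead of a violation. The `_sso != null` guards on `_sso_enabled` and `_sso_enforced` look redundant next to `not skip_reason` in `sso_not_enabled`, but they are what keeps `object.get` from being called with a null object, so a one-line comment saying so would stop someone from removing them as dead code. `_sso_enabled_and_enforced` continues outside the first hunk.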