
Add new flag to support skipping image signature checks#3122

Merged
simonbaird merged 3 commits into conforma:main from simonbaird:skip-image-validation on Feb 26, 2026

Conversation

@simonbaird
Member

@simonbaird simonbaird commented Feb 24, 2026

See commit messages for more explanation.

Ref: https://issues.redhat.com/browse/EC-1647

@qodo-code-review
Contributor

Review Summary by Qodo

Add flag to skip image signature validation checks

✨ Enhancement 🧪 Tests


Walkthroughs

Description
• Add --skip-image-sig-check flag to skip image signature validation
• Implement conditional image signature check based on flag setting
• Add comprehensive unit and acceptance tests for new functionality
• Update policy structures to support skip image signature option
Diagram
flowchart LR
  CLI["CLI Flag<br/>--skip-image-sig-check"]
  CMD["Command Handler<br/>cmd/validate/image.go"]
  POLICY["Policy Options<br/>SkipImageSigCheck"]
  VALIDATE["ValidateImage<br/>internal/image/validate.go"]
  RESULT["Conditional<br/>Image Sig Check"]
  
  CLI -->|"Sets flag"| CMD
  CMD -->|"Passes to Options"| POLICY
  POLICY -->|"Reads from SigstoreOpts"| VALIDATE
  VALIDATE -->|"Skips if enabled"| RESULT


File Changes

1. cmd/validate/image.go ✨ Enhancement +9/-4

Add CLI flag for skipping image signature checks

• Add skipImageSigCheck field to imageData struct
• Register new --skip-image-sig-check CLI flag with description
• Pass SkipImageSigCheck to policy Options during validation
• Align struct field formatting for consistency

2. internal/image/validate.go ✨ Enhancement +4/-1

Implement conditional image signature validation logic

• Conditionally call ValidateImageSignature based on SkipImageSigCheck option
• Skip image signature check result when flag is enabled
• Attestation signature check always runs regardless of flag

3. internal/image/validate_test.go 🧪 Tests +137/-0

Add unit tests for skip image signature check feature

• Add comprehensive test TestValidateImageSkipImageSigCheck with two scenarios
• Test default behavior (skip disabled) and skip enabled behavior
• Verify image signature check is skipped when flag enabled
• Verify attestation signature check always runs
• Validate skipped checks don't appear in violations or successes

4. internal/policy/policy.go ✨ Enhancement +11/-6

Add skip image signature check to policy structures

• Add SkipImageSigCheck field to SigstoreOpts struct with JSON tag
• Add skipImageSigCheck field to internal policy struct
• Update Options struct to include SkipImageSigCheck field
• Populate SkipImageSigCheck in SigstoreOpts() method
• Set skipImageSigCheck in NewPolicy() function
• Align struct field formatting for consistency

5. docs/modules/ROOT/pages/ec_validate_image.adoc 📝 Documentation +1/-0

Document skip image signature check flag

• Document new --skip-image-sig-check flag in command reference
• Specify default value as false
• Describe flag purpose as skipping image signature validation checks

6. features/validate_image.feature 🧪 Tests +58/-0

Add acceptance tests for skip image signature check

• Add acceptance test scenario "happy day with skip-image-sig-check flag"
• Add acceptance test scenario "invalid image signature with valid att sig and skip-image-sig-check flag"
• Test that validation passes when image signature is skipped
• Test that attestation signature check still runs when image check is skipped
• Verify flag works with both valid and invalid image signatures

7. go.sum Dependencies +0/-2

Update sigstore dependency version

• Update sigstore dependency from v1.10.3 to v1.10.4
• Remove old v1.10.3 entries and keep only v1.10.4

8. acceptance/go.sum Dependencies +0/-2

Update sigstore dependency version

• Update sigstore dependency from v1.10.3 to v1.10.4
• Remove old v1.10.3 entries and keep only v1.10.4

@qodo-code-review
Contributor

qodo-code-review bot commented Feb 24, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (2) 📎 Requirement gaps (0)

Action required

1. SigstoreOpts() error ignored 📘 Rule violation ⛨ Security
Description
The new skip-logic silently disables image signature validation when p.SigstoreOpts() fails, even
if SkipImageSigCheck is not enabled. This creates an unhandled edge case where signature
verification may be bypassed without any error surfaced to the caller.
Code

internal/image/validate.go[R77-80]

+	// Skip image signature check if configured to do so
+	if sigstoreOpts, err := p.SigstoreOpts(); err == nil && !sigstoreOpts.SkipImageSigCheck {
+		out.SetImageSignatureCheckFromError(a.ValidateImageSignature(ctx))
+	}
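Review bot: the error returned by p.SigstoreOpts() on the second line of this hunk is discarded, so when the Sigstore options cannot be loaded `err == nil` is false and the image signature check is skipped with no failure recorded, even with SkipImageSigCheck unset; that is fail-open. Handle the error before consulting the flag, e.g. `sigstoreOpts, err := p.SigstoreOpts()` followed by `if err != nil { out.SetImageSignatureCheckFromError(err) } else if !sigstoreOpts.SkipImageSigCheck { ... }`, so a broken configuration surfaces as a failed check rather than a pass.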
Evidence
PR Compliance ID 3 requires handling failure points and avoiding silent failures; the added
conditional only runs ValidateImageSignature when SigstoreOpts() returns no error, otherwise it
skips the check without logging or returning an error.

Rule 3: Generic: Robust Error Handling and Edge Case Management
internal/image/validate.go[77-80]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`ValidateImage` currently skips `ValidateImageSignature` when `p.SigstoreOpts()` returns an error, which can silently bypass image signature verification.

## Issue Context
This bypass can occur even when `SkipImageSigCheck` is not set, because the condition is `err == nil && !sigstoreOpts.SkipImageSigCheck`. If `SigstoreOpts()` fails, there is no log, no returned error, and no explicit failed check recorded.

## Fix Focus Areas
- internal/image/validate.go[77-80]

Remediation recommended

2. Skip flag not audited 📘 Rule violation ✧ Quality
Description
The new SkipImageSigCheck bypass is not logged or recorded as an explicit “skipped” outcome,
reducing traceability of a security-relevant action. This makes it difficult to reconstruct whether
validation results were produced with signature verification disabled.
Code

internal/image/validate.go[R77-80]

+	// Skip image signature check if configured to do so
+	if sigstoreOpts, err := p.SigstoreOpts(); err == nil && !sigstoreOpts.SkipImageSigCheck {
+		out.SetImageSignatureCheckFromError(a.ValidateImageSignature(ctx))
+	}
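Review bot: the skip branch has no else, so a report produced with --skip-image-sig-check looks the same as one where the image signature check simply never ran, and nothing in the output or logs records the decision. Add an explicit else that logs (or records as a distinct outcome) that the image signature check was intentionally skipped, next to the attestation signature result that still runs.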
Evidence
PR Compliance ID 1 requires critical security-relevant actions to be logged with clear context and
outcome; the added skip branch omits any audit log/event indicating the image signature check was
intentionally skipped.

Rule 1: Generic: Comprehensive Audit Trails
internal/image/validate.go[77-80]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
When image signature verification is skipped via `SkipImageSigCheck`, the code does not log or otherwise record that a critical validation step was bypassed.

## Issue Context
This flag changes the security posture of validation. Without an explicit log/event or a "skipped" status in results, it is hard to audit runs and understand why certain checks are missing.

## Fix Focus Areas
- internal/image/validate.go[77-80]
- cmd/validate/image.go[496-497]
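
The fail-open edge case and the missing skipped outcome that the two findings above describe, modelled as an added example (not Conforma's code): `beforeFix` reproduces the hunk's conditional, `afterFix` is one fail-closed alternative that also makes an intentional skip explicit. The `policy`, `checkResult` and `verify` stand-ins are assumptions for the example.

```go
package main

import "errors"
import "fmt"

// Stand-ins for the types named in the hunk, constructed for this example;
// they are not Conforma's real types. optsErr is what SigstoreOpts() fails with.
type sigstoreOpts struct{ SkipImageSigCheck bool }
type policy struct {
	opts    sigstoreOpts
	optsErr error
}

func (p policy) SigstoreOpts() (sigstoreOpts, error) { return p.opts, p.optsErr }

// checkResult is what a report records for the image signature check.
type checkResult struct {
	Ran bool  // false: the check was never evaluated
	Err error // non-nil: the check failed
}

// beforeFix mirrors the merged conditional: when SigstoreOpts() errors,
// err == nil is false and the check is silently skipped (fail-open).
func beforeFix(p policy, verify func() error) checkResult {
	if o, err := p.SigstoreOpts(); err == nil && !o.SkipImageSigCheck {
		return checkResult{Ran: true, Err: verify()}
	}
	return checkResult{} // also reached on an options error: nothing recorded
}

// afterFix is fail-closed: an options error is a failed check, a skip is explicit.
func afterFix(p policy, verify func() error) (res checkResult, skipped bool) {
	o, err := p.SigstoreOpts()
	if err != nil {
		return checkResult{Ran: true, Err: fmt.Errorf("loading sigstore options: %w", err)}, false
	}
	if o.SkipImageSigCheck {
		fmt.Println("image signature check skipped by --skip-image-sig-check")
		return checkResult{}, true
	}
	return checkResult{Ran: true, Err: verify()}, false
}

func main() {
	broken := policy{optsErr: errors.New("bad options")}
	verify := func() error { return errors.New("signature invalid") }
	fmt.Printf("before: %+v\n", beforeFix(broken, verify)) // Ran:false, i.e. silently passes
	r, skipped := afterFix(broken, verify)
	fmt.Printf("after: %+v skipped=%v\n", r, skipped) // Ran:true, Err set, skipped=false
}
```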

simonbaird force-pushed the skip-image-validation branch from 7c8bfbe to e8a8e10 on February 24, 2026 at 19:16
simonbaird force-pushed the skip-image-validation branch from e8a8e10 to 48959b1 on February 24, 2026 at 21:09
@codecov

codecov bot commented Feb 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
acceptance 55.59% <100.00%> (+0.04%) ⬆️
generative 18.49% <0.00%> (-0.02%) ⬇️
integration 27.50% <50.00%> (+<0.01%) ⬆️
unit 68.44% <85.71%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown.

Files with missing lines Coverage Δ
cmd/validate/image.go 91.32% <100.00%> (+0.06%) ⬆️
internal/image/validate.go 70.80% <100.00%> (+0.65%) ⬆️
internal/policy/policy.go 92.03% <100.00%> (+0.07%) ⬆️

Not related to, but done in the PR for...

Ref: https://issues.redhat.com/browse/EC-1647
simonbaird force-pushed the skip-image-validation branch from 48959b1 to b17215c on February 25, 2026 at 04:33
st3penta previously approved these changes Feb 25, 2026
Contributor

@st3penta st3penta left a comment

lgtm, just one nitpick

simonbaird and others added 2 commits February 25, 2026 16:17
This adds a --skip-image-sig-check flag to ec validate image. It
defaults to false currently so we're not changing the default
behavior.

Motivation: It's been suggested that the image signing that Tekton
Chains does is low value, since it will sign whatever image ref is
found in a task or pipeline result. See
tektoncd/chains#1346 which suggests it
should stop doing it. (Attestation signing remains crucial though
since Chains is the thing creating those.)

Additionally, we need to support verifying "keyless" signatures in
our Tekton task, which IIUC will require providing different oidc
identities for each component image, since in Konflux the service
account is different for different components, and a different
identity to verify the attestation signature. Conforma doesn't
support this currently. We could implement support for providing
multiple oidc identities, but being able to skip the image signature
check means we can more quickly support verifying keylessly signed
attestations.

Ref: https://issues.redhat.com/browse/EC-1647
Co-authored-by: Claude Code <noreply@anthropic.com>

Covers scenarios where the image sig is valid, and also when it is
invalid.

Ref: https://issues.redhat.com/browse/EC-1647
@simonbaird
Member Author

New revision to reverse bool check nitpick. No change otherwise.

@simonbaird
Member Author

The previous review is not considered current. I'll merge if someone gives a fresh approve.

@simonbaird simonbaird merged commit 0bdf841 into conforma:main Feb 26, 2026
14 checks passed