Skip to content

Add support for violations (alerts) management tools#153

Open
shaneboulden wants to merge 2 commits into
stackrox:mainfrom
shaneboulden:violations
Open

Add support for violations (alerts) management tools#153
shaneboulden wants to merge 2 commits into
stackrox:mainfrom
shaneboulden:violations

Conversation

@shaneboulden

Copy link
Copy Markdown

Description

Adds support for listing violations data. Note that this change also exports ResolveClusterID from a shared location.

Validation

Tested with Claude Code (Opus 4.6) and RHACS 4.11:

❯ List the last 10 violations for stackrox secured clusters                                                                                                                                     

  Thought for 6s, called stackrox-mcp (ctrl+o to expand)

● Here are the 10 most recent violations on local-cluster:
 
  ┌─────┬─────────────────────┬──────────┬───────────────────────────────────────────────────┬──────────────────┬───────────┬─────────┐
  │  #  │     Time (UTC)      │ Severity │                      Policy                       │    Deployment    │ Namespace │  Stage  │
  ├─────┼─────────────────────┼──────────┼───────────────────────────────────────────────────┼──────────────────┼───────────┼─────────┤
  │ 1   │ 2026-07-16 11:45:15 │ MEDIUM   │ OpenShift: Central Admin Secret Accessed          │ central-htpasswd │ stackrox  │ RUNTIME │
  ├─────┼─────────────────────┼──────────┼───────────────────────────────────────────────────┼──────────────────┼───────────┼─────────┤                                     
  │ 2   │ 2026-07-16 09:40:59 │ LOW      │ Docker CIS 4.1: Ensure User for Container Created │ leaderboard      │ tailspin  │ DEPLOY  │
  ├─────┼─────────────────────┼──────────┼───────────────────────────────────────────────────┼──────────────────┼───────────┼─────────┤
  │ 3   │ 2026-07-16 09:40:59 │ MEDIUM   │ Pod Service Account Token Automatically Mounted   │ leaderboard      │ tailspin  │ DEPLOY  │
  ├─────┼─────────────────────┼──────────┼───────────────────────────────────────────────────┼──────────────────┼───────────┼─────────┤
  │ 4   │ 2026-07-16 09:40:59 │ MEDIUM   │ No CPU request or memory limit specified          │ leaderboard      │ tailspin  │ DEPLOY  │
  ├─────┼─────────────────────┼──────────┼───────────────────────────────────────────────────┼──────────────────┼───────────┼─────────┤
  │ 5   │ 2026-07-16 09:40:59 │ MEDIUM   │ Container with privilege escalation allowed       │ leaderboard      │ tailspin  │ DEPLOY  │
  ├─────┼─────────────────────┼──────────┼───────────────────────────────────────────────────┼──────────────────┼───────────┼─────────┤
  │ 6   │ 2026-07-16 09:40:59 │ HIGH     │ Fixable Severity at least Important               │ leaderboard      │ tailspin  │ DEPLOY  │
  ├─────┼─────────────────────┼──────────┼───────────────────────────────────────────────────┼──────────────────┼───────────┼─────────┤
  │ 7   │ 2026-07-16 09:40:59 │ LOW      │ 90-Day Image Age                                  │ leaderboard      │ tailspin  │ DEPLOY  │
  ├─────┼─────────────────────┼──────────┼───────────────────────────────────────────────────┼──────────────────┼───────────┼─────────┤
  │ 8   │ 2026-07-16 09:40:59 │ LOW      │ Red Hat Package Manager in Image                  │ leaderboard      │ tailspin  │ DEPLOY  │
  ├─────┼─────────────────────┼──────────┼───────────────────────────────────────────────────┼──────────────────┼───────────┼─────────┤
  │ 9   │ 2026-07-16 09:40:59 │ LOW      │ Ubuntu Package Manager in Image                   │ leaderboard      │ tailspin  │ DEPLOY  │
  ├─────┼─────────────────────┼──────────┼───────────────────────────────────────────────────┼──────────────────┼───────────┼─────────┤
  │ 10  │ 2026-07-16 09:40:59 │ LOW      │ Latest tag                                        │ leaderboard      │ tailspin  │ DEPLOY  │
  └─────┴─────────────────────┴──────────┴───────────────────────────────────────────────────┴──────────────────┴───────────┴─────────┘

  Notable findings:
  - The most recent violation is a runtime alert for the Central admin secret being accessed in the stackrox namespace.
  - The leaderboard deployment in tailspin namespace has 9 violations including a HIGH severity one for fixable vulnerabilities with severity "Important" or above.
  - All violations are ACTIVE state on the single secured cluster local-cluster.

✻ Worked for 20s

@shaneboulden shaneboulden requested a review from janisz as a code owner July 16, 2026 12:00
@shaneboulden shaneboulden changed the title Violations Add support for violations (alerts) management tools Jul 16, 2026
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Added an optional violations toolset for listing policy violations.
    • Added filters for cluster, namespace, policy, severity, state, and pagination.
    • Included violation details such as policy information, lifecycle stage, status, timestamps, and affected resources.
    • Added support for resolving clusters by ID or name.
  • Configuration

    • Added configuration options to enable or disable the violations toolset.
    • Updated validation to allow violations as an enabled tool option.

Walkthrough

Adds a configurable violations toolset with a read-only list_violations MCP tool, including filtering, pagination, alert mapping, and cluster resolution. Cluster resolution is shared with existing vulnerability tools.

Changes

Violations toolset and cluster resolution

Layer / File(s) Summary
Shared cluster ID resolution
internal/cluster/*, internal/toolsets/vulnerability/*
Exports shared cluster ID resolution, updates its tests, and switches vulnerability tools to use it.
Violations configuration and toolset lifecycle
internal/config/config.go, internal/toolsets/violations/toolset.go, examples/config-read-only.yaml
Adds violations configuration, defaults, validation, example enablement, and toolset lifecycle methods.
Violation listing request and response flow
internal/toolsets/violations/tools.go
Adds the read-only list_violations tool with filters, cursor pagination, alert retrieval, and mapped results.
Server toolset registration
internal/app/app.go
Registers the violations toolset in the application toolset registry.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant MCPServer
  participant listViolationsTool
  participant cluster.ResolveClusterID
  participant StackRoxAPI
  MCPServer->>listViolationsTool: list_violations request
  listViolationsTool->>cluster.ResolveClusterID: resolve cluster ID or name
  cluster.ResolveClusterID->>StackRoxAPI: GetClusters by name
  listViolationsTool->>StackRoxAPI: ListAlerts with filters and pagination
  StackRoxAPI-->>listViolationsTool: alert results
  listViolationsTool-->>MCPServer: ViolationResult page and nextCursor
Loading

Suggested reviewers: janisz

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title is related to the main change, but it is too vague to clearly summarize the PR. Use a more specific title like "Add violations listing support" to reflect the main change.
✅ Passed checks (4 passed)
Check name Status Explanation
Description check ✅ Passed The description matches the implemented changes, including violations listing and the shared ResolveClusterID export.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/cluster/resolver.go`:
- Around line 12-14: Update ResolveClusterID to wrap failures from the
GetClusters API call with client.NewError before returning them, while
preserving the existing not-found behavior and successful cluster ID resolution.
Ensure every error propagated by this exported resolver follows the user-facing
client error mapping.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 545aa2c1-daa6-4778-a962-6a584471c58e

📥 Commits

Reviewing files that changed from the base of the PR and between 48edc39 and da3c0dc.

📒 Files selected for processing (10)
  • examples/config-read-only.yaml
  • internal/app/app.go
  • internal/cluster/resolver.go
  • internal/cluster/resolver_test.go
  • internal/config/config.go
  • internal/toolsets/violations/tools.go
  • internal/toolsets/violations/toolset.go
  • internal/toolsets/vulnerability/clusters.go
  • internal/toolsets/vulnerability/deployments.go
  • internal/toolsets/vulnerability/nodes.go

Comment on lines +12 to +14
// ResolveClusterID resolves a cluster name to its ID.
// Returns error if cluster name is not found or if API call fails.
func resolveClusterID(ctx context.Context, conn *grpc.ClientConn,
func ResolveClusterID(ctx context.Context, conn *grpc.ClientConn,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Convert cluster API failures with client.NewError.

The exported resolver returns the raw GetClusters gRPC error through every consuming MCP handler, potentially exposing backend details and bypassing consistent error mapping.

Proposed fix
 import (
+	"github.com/stackrox/stackrox-mcp/internal/client"
 )

 // ...

 	if err != nil {
-		return "", fmt.Errorf("failed to fetch clusters: %w", err)
+		return "", client.NewError(err, "GetClusters")
 	}

As per path instructions, Go MCP server code requires “Proper error wrapping with client.NewError for user-facing errors.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/cluster/resolver.go` around lines 12 - 14, Update ResolveClusterID
to wrap failures from the GetClusters API call with client.NewError before
returning them, while preserving the existing not-found behavior and successful
cluster ID resolution. Ensure every error propagated by this exported resolver
follows the user-facing client error mapping.

Source: Path instructions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant