Responsibles¶

The Responsibles extension determines component ownership based on configurable rules. It assigns responsible teams or individuals to findings, enabling proper routing of security and compliance issues.

Configuration Example¶

responsibles:
  interval: 43200                    # 12 hours
  rules:
    # Rule 1: Frontend team owns all frontend components
    - name: frontend-team-ownership
      assignee_mode: overwrite
      filters:
        - type: component-filter
          include_component_names:
            - "acme.org/frontend/.*"
          exclude_component_names: []
      strategies:
        - type: static-responsibles
          responsibles:
            - type: githubTeam
              github_hostname: github.com
              teamname: acme-org/frontend-team

    # Rule 2: Security team owns all vulnerability findings
    - name: security-team-vulnerabilities
      assignee_mode: extend
      filters:
        - type: datatype-filter
          include_types:
            - "finding/vulnerability"
          exclude_types: []
      strategies:
        - type: static-responsibles
          responsibles:
            - type: githubTeam
              github_hostname: github.com
              teamname: acme-org/security-team

    # Rule 3: Platform team owns container images
    - name: platform-team-containers
      assignee_mode: overwrite
      filters:
        - type: artefact-filter
          include_artefact_types:
            - "ociImage"
          exclude_artefact_types: []
      strategies:
        - type: static-responsibles
          responsibles:
            - type: githubTeam
              github_hostname: github.com
              teamname: acme-org/platform-team

    # Rule 4: Fallback to component-defined responsibles
    - name: default-component-responsibles
      assignee_mode: null
      filters:
        - type: match-all
      strategies:
        - type: component-responsibles

Top-Level Options¶

Option

Type

Default

Description

interval

int (seconds)

43200

Maximum time before component responsibles are re-determined.

rules

list

[]

Responsibility assignment rules. See rule fields below.

Rule Fields¶

Each entry in the rules list supports:

Option

Type

Required

Description

name

string

no

Rule name for logging and debugging purposes.

assignee_mode

string

no

How to handle existing GitHub issue assignees. Options: null, extend, overwrite, skip.

filters

list

yes

Conditions that must match for this rule to apply.

strategies

list

yes

How to determine responsibles when filters match.

Filter Types¶

Filters determine when a rule applies. Multiple filters are combined with AND logic.

match-all Filter¶

Matches everything (useful for fallback rules):

filters:
  - type: match-all

component-filter Filter¶

Matches based on component name:

filters:
  - type: component-filter
    include_component_names:
      - "acme.org/.*"              # Regex: all acme.org components
      - "example.com/product-a"    # Specific component
    exclude_component_names:
      - "acme.org/deprecated/.*"   # Exclude deprecated components

artefact-filter Filter¶

Matches based on artefact properties:

filters:
  - type: artefact-filter
    include_artefact_names:
      - "my-service"
    exclude_artefact_names: []
    include_artefact_types:
      - "ociImage"                 # Container images
      - "helm"                     # Helm charts
    exclude_artefact_types: []
    include_artefact_kinds:
      - "source"                   # Source code artefacts
    exclude_artefact_kinds: []

datatype-filter Filter¶

Matches based on finding type:

filters:
  - type: datatype-filter
    include_types:
      - "finding/vulnerability"
      - "finding/malware"
    exclude_types:
      - "finding/license"          # License issues handled separately

Strategy Types¶

Strategies determine how responsibles are assigned when filters match.

component-responsibles Strategy¶

Use responsibles defined in the component metadata via the delivery-service API:

strategies:
  - type: component-responsibles

Use case: Components define their own ownership in OCM metadata

static-responsibles Strategy¶

Explicitly define responsibles in the rule:

strategies:
  - type: static-responsibles
    responsibles:
      - type: githubTeam
        github_hostname: github.com
        teamname: acme-org/backend-team
      - type: githubUser
        github_hostname: github.com
        username: security-lead

Responsible Types¶

GitHub Team¶

Assign responsibility to all members of a GitHub team:

- type: githubTeam
  github_hostname: github.com
  teamname: org-name/team-slug      # Format: organization/team-slug

Example:

- type: githubTeam
  github_hostname: github.com
  teamname: acme-org/frontend-engineers

GitHub User¶

Assign responsibility to a specific GitHub user:

- type: githubUser
  github_hostname: github.com
  username: john-doe

Use case: Individual ownership for critical components or specialized findings

Assignee Modes¶

Controls how determined responsibles interact with existing GitHub issue assignees:

Mode

Behaviour

null

Use the default mode from finding configuration (findings[].issues.default_assignee_mode).

extend

Add determined responsibles to existing issue assignees (union).

overwrite

Replace all existing assignees with determined responsibles.

skip

Don’t modify issue assignees (responsibles tracked in ODG only).

Configuration Details¶

Finding-Type-Based Assignment¶

Route findings by severity or type:

responsibles:
  interval: 43200
  rules:
    # Critical vulnerabilities go to security team
    - name: critical-vulns-to-security
      assignee_mode: extend           # Add security team to existing owners
      filters:
        - type: datatype-filter
          include_types: ["finding/vulnerability"]
      strategies:
        - type: static-responsibles
          responsibles:
            - type: githubTeam
              github_hostname: github.com
              teamname: acme-org/security-team

    # Malware findings go to security team exclusively
    - name: malware-to-security
      assignee_mode: overwrite        # Security team takes full ownership
      filters:
        - type: datatype-filter
          include_types: ["finding/malware"]
      strategies:
        - type: static-responsibles
          responsibles:
            - type: githubTeam
              github_hostname: github.com
              teamname: acme-org/security-team

Artefact-Type-Based Assignment¶

Route based on what’s being scanned:

responsibles:
  interval: 43200
  rules:
    # Container images owned by platform team
    - name: containers-to-platform
      assignee_mode: overwrite
      filters:
        - type: artefact-filter
          include_artefact_types: ["ociImage"]
      strategies:
        - type: static-responsibles
          responsibles:
            - type: githubTeam
              github_hostname: github.com
              teamname: acme-org/platform-team

    # Helm charts owned by release team
    - name: helm-to-release
      assignee_mode: overwrite
      filters:
        - type: artefact-filter
          include_artefact_types: ["helm"]
      strategies:
        - type: static-responsibles
          responsibles:
            - type: githubTeam
              github_hostname: github.com
              teamname: acme-org/release-team

Hybrid: Static + Dynamic¶

Combine static rules with component-defined ownership:

responsibles:
  interval: 43200
  rules:
    # Security team always involved in vulnerabilities
    - name: security-oversight
      assignee_mode: extend           # Add to component-defined owners
      filters:
        - type: datatype-filter
          include_types: ["finding/vulnerability", "finding/malware"]
      strategies:
        - type: static-responsibles
          responsibles:
            - type: githubTeam
              github_hostname: github.com
              teamname: acme-org/security-team

    # Everything else uses component-defined ownership
    - name: component-default
      assignee_mode: null
      filters:
        - type: match-all
      strategies:
        - type: component-responsibles