@@ -316,21 +316,29 @@ func (e *Engine) check(ctx context.Context, path string, config interface{}, nam
316316 }
317317
318318 result , err := json .Marshal (ruleResult .Metadata )
319- localExcludeQuery := fmt .Sprintf ("data.%s.exclude_%s[_][_] = %s" , namespace , removeRulePrefix (rule ), result )
320- localExcludeQueryResult , err := e .query (ctx , config , localExcludeQuery )
321319 if err != nil {
322- return output.CheckResult {}, fmt .Errorf ("query exception : %w" , err )
320+ return output.CheckResult {}, fmt .Errorf ("json marshal : %w" , err )
323321 }
324322
325- // If the query was a failure, let's have a look & see if an exception was written for it .
326- if len ( localExcludeQueryResult . Results ) > 0 {
327- // append an exception & continue
328- localExcludeResult := localExcludeQueryResult . Results [ 0 ]
329- localExcludeResult . Message = localExcludeQuery
330- excludes = append ( excludes , localExcludeResult )
331- continue
332- }
323+ // If we have a non-null metadata response, then we are eligible to exclude the policy .
324+ // Otherwise we can just skip & process the policy violation
325+ if string ( result ) != "null" {
326+ localExcludeQuery := fmt . Sprintf ( "data.%s.exclude_%s[_][_] = %s" , namespace , removeRulePrefix ( rule ), result )
327+ localExcludeQueryResult , err := e . query ( ctx , config , localExcludeQuery )
328+ if err != nil {
329+ return output. CheckResult {}, fmt . Errorf ( "query exception: %w" , err )
330+ }
333331
332+ // If the query was a failure, let's have a look & see if an exception was written for it.
333+ if len (localExcludeQueryResult .Results ) > 0 {
334+ // append an exception & continue
335+ localExcludeResult := localExcludeQueryResult .Results [0 ]
336+ localExcludeResult .Message = localExcludeQuery
337+ excludes = append (excludes , localExcludeResult )
338+ continue
339+ }
340+
341+ }
334342 if isFailure (rule ) {
335343 failures = append (failures , ruleResult )
336344 } else {
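Review bot: The new guard `if string(result) != "null"` skips the exclude query only for nil metadata, so a result whose metadata marshals to `{}` still builds `data.<namespace>.exclude_<rule>[_][_] = {}`. An exclude rule that yields an empty object could then match every such result, and a match here drops the violation into `excludes` through the `continue`. It would be more robust to decide on the value rather than on its JSON text, for example `if len(ruleResult.Metadata) > 0 {` (assuming `Metadata` is a map or slice, which the hunk does not show), with the `json.Marshal` call moved inside that branch. A short comment there should state that an empty or missing metadata value is never eligible for exclusion. The loop body of `check` starts and ends outside this hunk, so how `excludes` is reported cannot be confirmed from here.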