Clean syncs should only optionally remove transitive rules
mlw opened this issue
Matt W commented
Currently, when a clean sync is performed all rules in the local rules database are first deleted before adding the newly downloaded rules. This means that any transitive rules in the database are also removed which causes issues for deployments using compiler rules.
This behavior should be changed so that by default only non-transitive rules are deleted.
The following changes will be required (though likely not an exhaustive list):
- `santactl sync --clean` will only remove non-transitive rules.
- A new flag will be added to `santactl sync` to force the current behavior of removing all rules.
- A new key will be supported in the Preflight request to differentiate the new clean method.
- A new key will be supported in the Preflight response indicating the type of sync the server is expecting to perform.
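The following is an added model of the proposed behavior, not code from the Santa project: a tiny in-memory rules database where a clean sync drops only server-managed (non-transitive) rules, while a separate "clean all" sync drops everything, including the transitive allow rules that a compiler rule generated locally. The `sync_type` preflight key, its values, the rule identifiers and the assumption of lockdown mode are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    identifier: str          # hash or cert identifier (placeholders below, not real values)
    rule_type: str           # e.g. "BINARY" or "CERTIFICATE"
    policy: str              # e.g. "ALLOWLIST", "BLOCKLIST", "ALLOWLIST_COMPILER"
    transitive: bool = False # True only for rules created locally for compiler output

@dataclass
class RulesDB:
    rules: dict = field(default_factory=dict)  # identifier -> Rule

    def add(self, rule: Rule) -> None:
        self.rules[rule.identifier] = rule

    def clear(self, keep_transitive: bool) -> None:
        # Proposed default: keep locally generated transitive rules across a clean sync.
        self.rules = {k: r for k, r in self.rules.items() if keep_transitive and r.transitive}

def preflight_request(sync_type: str) -> dict:
    # Hypothetical preflight payload; the key name is an assumption, not Santa's wire format.
    return {"sync_type": sync_type}

def apply_sync(db: RulesDB, downloaded: list, sync_type: str) -> RulesDB:
    if sync_type == "clean_all":        # old behavior: wipe everything first
        db.clear(keep_transitive=False)
    elif sync_type == "clean":          # proposed behavior: wipe non-transitive rules only
        db.clear(keep_transitive=True)
    elif sync_type != "normal":
        raise ValueError(f"unknown sync_type {sync_type!r}")
    for rule in downloaded:
        db.add(rule)
    return db

def allowed(db: RulesDB, identifier: str) -> bool:
    # Assumes lockdown mode: a binary runs only if an allow rule (or transitive rule) exists.
    rule = db.rules.get(identifier)
    return rule is not None and rule.policy == "ALLOWLIST"

# Constructed sample state: a server-provided compiler rule plus the transitive rule
# that the agent created for a binary produced by that compiler.
COMPILER = Rule("cert-compiler-placeholder", "CERTIFICATE", "ALLOWLIST_COMPILER")
BUILT = Rule("sha256-built-binary-placeholder", "BINARY", "ALLOWLIST", transitive=True)

def built_binary_allowed_after(sync_type: str) -> bool:
    db = RulesDB()
    db.add(COMPILER)
    db.add(BUILT)
    apply_sync(db, [COMPILER], sync_type)  # server only re-sends the rules it manages
    return allowed(db, BUILT.identifier)
```

With `clean` the locally compiled binary stays allowed after the sync; with `clean_all` its transitive rule is gone and it would be blocked until the compiler rule regenerates it.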