fix(posture-verify): honor $-refs in template_vars (double-quote semantics)

Summary

Bug surfaced via kaniko's Phase B migration. Its claims declare:

template_vars:
  variants_all: ["\${KANIKO_VERSION}", "\${KANIKO_VERSION}-fips", ...]

and v2.0.0's posture-verify.py rendered them through shlex.quote, which single-quotes everything and prevents shell expansion. The literal string ${KANIKO_VERSION} reached cosign verify:

Error: could not parse reference: registry/X:${KANIKO_VERSION}

Fix

Replace shlex.quote with shell_double_quote, which wraps values in double quotes and escapes \, ", and ` only — leaving $ to expand against the verify subprocess's inherited environment.

Document the new contract in expand_template_vars docstring; consumers wanting a literal $ in a value use \$ in YAML.

Verified locally

With VER=v1.2.3 in env, template_vars: {variants: ["${VER}", "${VER}-fips"]} expands to [v1.2.3, v1.2.3-fips] in the verify subprocess.

Test plan

  • MR pipeline green (lint + syntax)
  • (Post-tag) kaniko !4 (merged) re-runs against posture-verify@v2.2.0 and all 8 claims pass (4 currently fail with this bug)
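
The quoting contract above, as an added worked example (my own reimplementation for illustration, not posture-verify's code): shell_double_quote escapes only \, " and ` and leaves $ for /bin/sh to expand, render_in_shell shows what a verify subprocess actually receives under the old shlex.quote path versus the new one, and unresolved_refs is an extra check for the failure mode the fix introduces, an unset variable silently expanding to an empty tag. One assumption beyond the description: a backslash directly before $ is passed through unchanged so the documented \$ escape still yields a literal $. The helper names, the VER sample value and the sample variants list are all made up here.

```python
import os
import re
import shlex
import subprocess
from typing import Callable, Dict, Iterable, List

# Assumption (not in the MR text): a backslash that precedes "$" is left
# alone so "\$" survives as the documented literal-dollar escape; every
# other backslash is doubled so it cannot be eaten by the shell.
_BACKSLASH_NOT_BEFORE_DOLLAR = re.compile(r"\\(?!\$)")


def shell_double_quote(value: str) -> str:
    """Wrap value in double quotes, escaping only \\, \" and ` so that
    $NAME / ${NAME} references still expand when sh parses the string."""
    escaped = _BACKSLASH_NOT_BEFORE_DOLLAR.sub(r"\\\\", value)
    escaped = escaped.replace('"', '\\"').replace("`", "\\`")
    return f'"{escaped}"'


# The v2.0.0 behaviour being replaced: single quotes, no expansion at all.
shell_single_quote: Callable[[str], str] = shlex.quote


def render_in_shell(
    values: Iterable[str],
    env: Dict[str, str],
    quoter: Callable[[str], str] = shell_double_quote,
) -> List[str]:
    """Quote each value with `quoter`, hand the result to /bin/sh with the
    given environment (as a verify subprocess would inherit it) and return
    the argument list the shell produced after expansion."""
    rendered = " ".join(quoter(v) for v in values)
    proc = subprocess.run(
        ["sh", "-c", f"printf '%s\\n' {rendered}"],
        env=env,
        capture_output=True,
        text=True,
        check=True,
    )
    return proc.stdout.splitlines()


# $NAME or ${NAME}, ignoring a "\$" escape; names follow POSIX env rules.
_REF = re.compile(r"(?<!\\)\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def unresolved_refs(values: Iterable[str], env: Dict[str, str]) -> List[str]:
    """Variable names referenced in values but absent from env. With
    double-quote semantics an unset name expands to '' without error, so
    "${MISSING}-fips" would become "-fips" and the registry reference
    would be wrong rather than rejected; call this before rendering."""
    missing: List[str] = []
    for value in values:
        for name in _REF.findall(value):
            if name not in env and name not in missing:
                missing.append(name)
    return missing


def demo_env() -> Dict[str, str]:
    """Parent environment plus a constructed VER=v1.2.3, mirroring the
    'Verified locally' scenario in the MR description."""
    return dict(os.environ, VER="v1.2.3")


if __name__ == "__main__":
    env = demo_env()
    # Constructed sample variants: two $-refs, an embedded quote, a literal $.
    variants = ["${VER}", "${VER}-fips", 'say "hi"', r"\$VER"]
    print("shlex.quote        ->", render_in_shell(variants, env, shell_single_quote))
    print("shell_double_quote ->", render_in_shell(variants, env))
    print("unresolved         ->", unresolved_refs(["${VER}", "${MISSING}-fips"], env))
```

Running it with the old quoter shows the bug from the description (`${VER}` reaches the subprocess literally); with shell_double_quote the same list comes back as v1.2.3 and v1.2.3-fips. The unresolved_refs pass is the caveat worth wiring in before the cosign call: expansion now succeeds silently for names nobody exported.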
