From 2b18cd38bd82722681d17232faf9d3a3fbca9641 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Mar 2026 16:20:31 +0000
Subject: [PATCH 1/2] Initial plan
From 6861934b6e756d08980303b5d2c8f2993d2aee8e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Mar 2026 16:22:20 +0000
Subject: [PATCH 2/2] fix: change 'should' to 'must' in deny rule messages for consistency
Co-authored-by: stephenjtyrrell <22558892+stephenjtyrrell@users.noreply.github.com>
Agent-Logs-Url: https://github.com/stephenjtyrrell/dissertation/sessions/52bc0db4-3494-411e-997d-fa7f8baa4dd7
---
 policies/kubernetes/required-labels.rego | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policies/kubernetes/required-labels.rego b/policies/kubernetes/required-labels.rego
index 509345b..609d071 100644
--- a/policies/kubernetes/required-labels.rego
+++ b/policies/kubernetes/required-labels.rego
@@ -57,7 +57,7 @@ deny contains msg if {
 sc := object.get(container, "securityContext", {})
 readOnly := object.get(sc, "readOnlyRootFilesystem", false)
 readOnly != true
- msg := sprintf("Deployment/%s: container '%s' should use read-only root filesystem", [obj.metadata.name, container.name])
+ msg := sprintf("Deployment/%s: container '%s' must use read-only root filesystem", [obj.metadata.name, container.name])
 }

 # Check for liveness and readiness probes
@@ -66,7 +66,7 @@ deny contains msg if {
 obj.kind == "Deployment"
 container := obj.spec.template.spec.containers[_]
 not container.livenessProbe
- msg := sprintf("Deployment/%s: container '%s' should define a livenessProbe", [obj.metadata.name, container.name])
+ msg := sprintf("Deployment/%s: container '%s' must define a livenessProbe", [obj.metadata.name, container.name])
 }

 deny contains msg if {
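Review bot: The read-only root filesystem rule in the first hunk is now worded as mandatory, but the hunk does not show whether init containers are held to it, because the binding of `container` sits above the first context line. If it matches the probe rules below and iterates only `obj.spec.template.spec.containers[_]`, an init container with a writable root filesystem produces no deny message. Consider a sibling rule that binds `container := obj.spec.template.spec.initContainers[_]` and applies the same `securityContext` check. If init containers are deliberately out of scope, a comment such as `# Init containers are not evaluated by this rule` would record that.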
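Review bot: The `obj.kind == "Deployment"` guard in the livenessProbe rule means a StatefulSet or DaemonSet with the same pod template gets no deny message, which sits oddly with the new 'must' wording; the readinessProbe rule in the last hunk has the same guard. Those kinds share the `spec.template.spec.containers` path, so the guard could become `obj.kind in {"Deployment", "StatefulSet", "DaemonSet"}` (assuming `in` is imported alongside `contains` and `if`) and the message prefix `sprintf("%s/%s: container '%s' must define a livenessProbe", [obj.kind, obj.metadata.name, container.name])`. If Deployment-only coverage is intended, a comment such as `# Scope: Deployments only; other workload kinds are not evaluated` above each rule would make that explicit. Both rule heads begin above their hunks, so how `obj` is bound is not visible here.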
@@ -74,5 +74,5 @@ deny contains msg if {
 obj.kind == "Deployment"
 container := obj.spec.template.spec.containers[_]
 not container.readinessProbe
- msg := sprintf("Deployment/%s: container '%s' should define a readinessProbe", [obj.metadata.name, container.name])
+ msg := sprintf("Deployment/%s: container '%s' must define a readinessProbe", [obj.metadata.name, container.name])
 }