Policy: missing apm.yml silently skips all policy and baseline checks

[sergio-sisternes-epam]

Problem

When apm.yml is absent from a project, both run_policy_checks() and run_baseline_checks() return a fully-passing CIAuditResult with no checks appended. This means apm audit --ci exits 0 with no warnings.

This was identified by the supply-chain-security expert during the review panel for PR #1053 (which fixes the malformed YAML bypass, #936). The threat model is similar: an attacker with write access could delete apm.yml instead of malforming it, achieving the same policy bypass.

Current behaviour

• run_policy_checks(): if apm.yml doesn't exist, returns empty CIAuditResult (all-pass)
• run_baseline_checks() via _check_lockfile_exists(): if apm.yml doesn't exist, returns CheckResult(name="lockfile-exists", passed=True, message="No apm.yml found -- nothing to check")

Considerations

This is not identical to the malformed-YAML case:

• Many repos legitimately have no apm.yml (non-APM projects, fresh repos)
• Failing on missing apm.yml would break all non-APM projects that run apm audit --ci
• The original design intent appears to be: "no manifest = nothing to audit"

However, for repos that previously had an apm.yml, deletion is a bypass vector. Possible mitigations:

• Warn (but don't fail) when apm.yml is absent but .apm/ directory or apm.lock.yaml exists
• Org policy could require apm.yml presence (opt-in enforcement)
• Track apm.yml presence in lockfile metadata

Origin

Identified during APM Review Panel review of PR #1053 (fix for #936).

/cc @danielmeppiel

[github-actions]

Triage Panel -- Issue #1056

Title: Policy: missing apm.yml silently skips all policy and baseline checks
Decision: accept

---

[DevX UX Expert] -- User-Need Reviewer

User surface identified: apm audit --ci exit code and output.

When a CI pipeline runs apm audit --ci and the command exits 0 with no output, the natural developer reading of that result is "all checks passed". The current behavior -- "no manifest found, nothing to check, exit 0" -- silently conflates "checks passed" with "checks did not run". For a repo that previously adopted APM (evidenced by .apm/ or apm.lock.yaml on disk), this is a UX contract violation: the tool appears to succeed while providing zero assurance.

README-anchored capability: APM positions apm audit --ci as a policy enforcement gate. Silent pass on missing manifest undermines the core value proposition.

Finding: The warning-on-orphaned-artifacts heuristic (warn when apm.lock.yaml or .apm/ exists but apm.yml does not) is the correct UX balance. It does not break non-APM repos (no artifacts present = no signal = still silent pass) and surfaces the ambiguous state for APM-aware repos.

---

[Supply Chain Security Expert] -- Risk-Surface Reviewer

Risk surfaces assessed: area/audit-policy, lockfile presence detection, CI exit-code trust.

Threat model:

1. Attacker with write access to the repo deletes apm.yml.
2. CI pipeline runs apm audit --ci, which exits 0 with no warnings.
3. All policy checks and baseline checks (lockfile integrity, dependency governance) are bypassed without any signal to reviewers or maintainers.

This is structurally identical to the malformed-YAML bypass fixed in PR #1053 / issue #936 -- same entry point, same silent-success outcome, different mechanism. The prerequisite (write access) is non-trivial but not prohibitive in repos with multiple contributors or compromised accounts.

Severity: Medium-High. The bypass is silent and persistent across CI runs until someone manually notices the missing file.

Recommended mitigation: The orphaned-artifacts heuristic closes this vector with minimal blast radius. Specifically: if apm.lock.yaml or .apm/ is present but apm.yml is absent, emit a failing CheckResult (or at minimum a non-zero exit) rather than a clean pass.

theme/security confirmed: This is a policy-bypass issue with direct supply-chain audit implications.

---

[Python Architect] -- Architecture Reviewer

Activation: YES -- the issue proposes mitigation strategies that require a design choice across run_policy_checks() and run_baseline_checks().

Feasibility of proposed mitigations:

1. Warning on orphaned artifacts (recommended for immediate fix): Low complexity. In the early-return path of run_policy_checks() and run_baseline_checks(), after confirming apm.yml is absent, check for apm.lock.yaml or .apm/ directory. If found, append a failing CheckResult with an explicit message instead of returning empty/passing results. No schema changes required.

2. Org policy requiring apm.yml presence (separate feature): Requires a new policy key in apm.yml or apm-policy.yml schema -- out of scope for this bug fix.

3. Track apm.yml presence in lockfile metadata (separate feature): Requires lockfile schema addition -- also out of scope.

Cross-cutting impact: The immediate fix is isolated to the audit module. No interface changes, no schema migrations, no breaking changes.

Recommendation: Accept as type/bug with the orphaned-artifacts heuristic as the prescribed fix. Options 2 and 3 should be filed as separate type/feature issues if maintainers want to pursue them.

---

[APM CEO] -- Triage Arbiter

OSS Growth Hacker inactive reason: Author is a COLLABORATOR with established project context; tone tuning for new contributors is not applicable here.

Doc Writer inactive reason: The fix is a behavioral change to audit exit logic; no new CLI flags, no new user-facing concepts, and the existing apm audit documentation does not need new pages for a bugfix. Minor inline note in CHANGELOG suffices.

Arbitration:

The three active lenses converge cleanly. This is a genuine security bypass, clearly scoped to the audit module, with a prescribed fix that requires no schema changes and no breaking behavior for non-APM repos. The issue was identified via the review panel process for a related fix -- exactly the kind of follow-on hardening APM should embrace.

Decision: accept
Milestone: No open milestones are currently available in the repository; milestone assignment deferred to maintainer. The fix is a patch-level bug fix and should land in the next available patch release.

Suggested next action for @sergio-sisternes-epam: A PR implementing the orphaned-artifacts heuristic in run_policy_checks() and run_baseline_checks() would be a straightforward and high-value contribution. The fix should add a failing CheckResult (not merely a warning log) so that CI pipelines exit non-zero on detection. A corresponding unit test covering the "apm.lock.yaml present, apm.yml absent" scenario would complete the change.

---

Proposed label set:

• theme/security -- audit policy bypass with supply-chain implications
• area/audit-policy -- fix lives in the audit policy module
• type/bug -- silent pass is incorrect behavior
• priority/high -- security bypass with no current mitigation
• status/triaged (replaces status/needs-triage)

Milestone: Deferred (no open milestone available; maintainer to assign when patch release is opened).

---

Triage status: agentic proposal pending human ratification.
Silence is approval. Maintainers can:

• Override any label or milestone above by editing it directly --
  human edits are authoritative and will not be reverted on
  subsequent runs.
• Re-trigger triage by applying the status/needs-triage label, or
  by removing status/triaged to enroll the issue in the next
  daily sweep.

Posted by the Triage Panel workflow. See .apm/skills/apm-triage-panel for the panel skill.

Generated by Triage Panel for issue #1056 · ● 705.5K · ◷