
fix(score): use related object in RegoResponseVector scoring loop #171

Merged: matthyx merged 1 commit into kubescape:main from Sanchit2662:fix/rego-response-vector-score on May 19, 2026

Conversation

Sanchit2662 (Contributor) commented May 14, 2026

So I was going through the score/score.go file in the opa-utils codebase and found a bug in the GetScore function. Basically, when a finding comes in as a RegoResponseVector (which is how a lot of Kubescape rules report results when multiple K8s resources are involved), the code loops over the related objects but never actually uses them. It was building the workload from the outer vector map v every single time, not from related[i]. So no matter how many replicas a Deployment had, or how many nodes a DaemonSet was running on, the score came out the same flat value. The replica multiplier and the DaemonSet node count logic were just... never firing for these findings.

I fixed it by making the loop actually use related[i].GetObject() to build the workload, and seeding processWorkload with defaultScore instead of the running accumulator. Small change, three lines basically, but now the scoring actually reflects the real blast radius of a finding instead of just returning 1.0 every time.

Summary by CodeRabbit

  • Bug Fixes
    • Fixed an issue where scoring calculations could be incorrect when processing multiple related objects. Scoring now correctly evaluates each object individually before determining the final result.

Signed-off-by: Sanchit2662 <sanchit2662@gmail.com>
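To make the defect and the fix concrete, here is an added, self-contained Go example; it is not the opa-utils code from score/score.go. The names GetScore, processWorkload, max32, defaultScore and related[i].GetObject() come from the PR, but their bodies, the Object and Related types, the isWorkload check, the replica/node multipliers and the sampleFinding input are all constructed for illustration. The buggy loop never reads related[i], so the non-workload outer vector is scored every iteration and the result stays at the flat default; the fixed loop scores each related object from defaultScore and aggregates with max32, which also means a 3-replica Deployment followed by a 5-node DaemonSet yields 5 rather than compounding to 15.

```go
package main

import "fmt"

// Added example, not opa-utils code: a stand-in for the scoring loop the PR
// describes. All types, fields and multiplier rules below are assumptions.

const defaultScore float32 = 1.0

// Object is a constructed stand-in for a K8s object map.
type Object struct {
	Kind     string
	Replicas int32 // replica count for Deployment-like kinds (assumed field)
	Nodes    int32 // node count a DaemonSet runs on (assumed field)
}

// Related mimics a related-object entry exposing GetObject().
type Related struct{ obj Object }

func (r Related) GetObject() Object { return r.obj }

// isWorkload approximates the "skip non-workload objects" check.
func isWorkload(o Object) bool {
	switch o.Kind {
	case "Pod", "Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job", "CronJob":
		return true
	}
	return false
}

// processWorkload is an assumed multiplier: node count for DaemonSets,
// replica count for everything else; the seed is returned unchanged when
// the object carries neither.
func processWorkload(seed float32, o Object) float32 {
	switch {
	case o.Kind == "DaemonSet" && o.Nodes > 1:
		return seed * float32(o.Nodes)
	case o.Kind != "DaemonSet" && o.Replicas > 1:
		return seed * float32(o.Replicas)
	}
	return seed
}

func max32(a, b float32) float32 {
	if a > b {
		return a
	}
	return b
}

// getScoreBuggy reproduces the defect: related[i] is never read and the
// workload is built from the outer vector map v, which is not a workload,
// so the multiplier never fires and the score stays at defaultScore.
func getScoreBuggy(v Object, related []Related) float32 {
	score := defaultScore
	for range related {
		w := v // should have been related[i].GetObject()
		if !isWorkload(w) {
			continue
		}
		score = max32(score, processWorkload(score, w))
	}
	return score
}

// getScoreFixed mirrors the merged change: read related[i].GetObject(),
// skip non-workloads, seed processWorkload with defaultScore so each object
// is scored on its own, and merge with max32.
func getScoreFixed(v Object, related []Related) float32 {
	_ = v // the outer vector map only carries the related objects
	score := defaultScore
	for i := range related {
		obj := related[i].GetObject()
		if !isWorkload(obj) {
			continue
		}
		score = max32(score, processWorkload(defaultScore, obj))
	}
	return score
}

// sampleFinding is constructed input: a vector whose related objects are a
// 3-replica Deployment, a DaemonSet on 5 nodes and an unrelated ConfigMap.
func sampleFinding() (Object, []Related) {
	v := Object{Kind: "RegoResponseVector"}
	related := []Related{
		{Object{Kind: "Deployment", Replicas: 3}},
		{Object{Kind: "DaemonSet", Nodes: 5}},
		{Object{Kind: "ConfigMap"}},
	}
	return v, related
}

func main() {
	v, related := sampleFinding()
	fmt.Printf("buggy: %.1f  fixed: %.1f\n", getScoreBuggy(v, related), getScoreFixed(v, related))
}
```

Running it prints `buggy: 1.0  fixed: 5.0`: the buggy loop reports the same blast radius for any finding, while the fixed loop surfaces the widest related workload.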
coderabbitai (Bot) commented May 14, 2026

No actionable comments were generated in the recent review. 🎉

Commits: reviewing files that changed from the base of the PR and between 80426b3 and 49e98c2.

Files selected for processing (1):
  • score/score.go

Walkthrough

The GetScore function's handling of rego-response-vector related objects was corrected to compute per-object scores properly. The loop now extracts and validates each related object, builds the workload wrapper from that specific object, and scores it individually before aggregating via maximum across all related workloads.

Changes

Related Object Scoring Correction
  • Layer: Per-object scoring for related workloads
  • File(s): score/score.go
  • Summary: The loop over related objects now assigns obj := related[i].GetObject(), skips non-workload objects, constructs the workload wrapper from obj (instead of reusing input v), calls processWorkload with defaultScore and the extracted object, and merges scores via max32.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

A rabbit hops through scoring loops so fine,
Each object now gets its own little line—
No more mixed maps in the workload brew,
Per-object scoring—now factually true! 🐰✨

Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly and specifically describes the main fix: correcting the RegoResponseVector scoring loop to use the related object instead of the outer vector map.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

Sanchit2662 (Contributor, Author) commented:

Hey @matthyx, any update?

matthyx merged commit e2f3487 into kubescape:main on May 19, 2026 (6 checks passed)
matthyx moved this to "To Archive" in KS PRs tracking on May 20, 2026