From de76f136de3c200691451797b804e2cfc7ef5168 Mon Sep 17 00:00:00 2001
From: Gustavo Carvalho
Date: Fri, 12 Dec 2025 14:44:32 -0300
Subject: [PATCH] fix: sbom gathering should continue on errors

Signed-off-by: Gustavo Carvalho
---
 main.go | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/main.go b/main.go
index e1e950b..cb6860f 100644
--- a/main.go
+++ b/main.go
@@ -450,6 +450,11 @@ func (l *GithubReposPlugin) GetRequiredStatusChecks(ctx context.Context, repo *g
 func (l *GithubReposPlugin) GatherSBOM(ctx context.Context, repo *github.Repository) (*github.SBOM, error) {
 sbom, _, err := l.githubClient.DependencyGraph.GetSBOM(ctx, repo.GetOwner().GetLogin(), repo.GetName())
 if err != nil {
+ // Permissions errors should be treated as safe here
+ // The policy will fail anyways if no sbom exists.
+ if isPermissionError(err) {
+ return nil, nil
+ }
 return nil, err
 }
 return sbom, nil
@@ -612,6 +617,24 @@ func (l *GithubReposPlugin) EvaluatePolicies(ctx context.Context, data *Saturate
 return evidences, accumulatedErrors
 }
 
+// isPermissionError returns true if the error from the GitHub client indicates
+// a permissions or visibility issue (e.g., 401/403/404).
+func isPermissionError(err error) bool {
+ if err == nil {
+ return false
+ }
+ var ger *github.ErrorResponse
+ if errors.As(err, &ger) {
+ if ger.Response != nil {
+ switch ger.Response.StatusCode {
+ case 401, 403, 404:
+ return true
+ }
+ }
+ }
+ return false
+}
+
 func main() {
 logger := hclog.New(&hclog.LoggerOptions{
 Level: hclog.Debug,
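Review bot: Swallowing a 401 on the GetSBOM call in GatherSBOM hides a credential problem rather than a per-repository visibility issue: an expired or mis-scoped token makes every repository look as if it has no SBOM, and nothing in this hunk records that the fetch was skipped. At minimum the skipped case should be logged with the repository and status code before `return nil, nil`, so an operator can tell "dependency graph not available" apart from "token rejected"; whether `l` carries a logger is not visible in this hunk. Callers of GatherSBOM now receive a nil *github.SBOM together with a nil error, so every consumer must nil-check the result; the doc comment on GatherSBOM (outside this hunk) should state that contract, e.g. `// A nil SBOM with a nil error means the SBOM was inaccessible (401/403/404) and was skipped.`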
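Review bot: The doc comment on isPermissionError describes 401 as a permissions or visibility issue, but 401 is an authentication failure of the client itself, so the name and comment promise a narrower check than the case list performs; either drop 401 from `case 401, 403, 404:` or say so explicitly, e.g. `// 401 is included, which also swallows invalid-credential failures.` The three nested ifs can be collapsed into guard clauses, `if !errors.As(err, &ger) || ger.Response == nil { return false }` followed by the switch, which keeps the happy path left-aligned. Presumably the go-github client reports rate limiting through separate error types rather than *github.ErrorResponse, so rate-limited 403s would still propagate; a sentence in the comment stating that this is intended would stop a future reader from widening the check.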