diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 338bdce20a..050af174e8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,7 +5,7 @@ repos: name: OPA fmt description: Formats Rego policy using opa fmt entry: opa fmt - args: [ -w ] + args: [-w] language: system files: (\.rego)$ @@ -13,7 +13,7 @@ repos: name: OPA check description: Check syntax of staged Rego files entry: opa check - args: [ -S, './bundle/compliance' ] + args: [-S, "./bundle/compliance"] pass_filenames: false language: system files: (\.rego)$ @@ -22,24 +22,27 @@ repos: name: OPA test description: Runs OPA unit tests on rego source files entry: opa test - args: [ -b, './bundle' ] + args: [-b, "./bundle"] pass_filenames: false language: system - id: update-rules-status name: Update rules status description: Update rules status in rules_table.md - entry: python3 ./dev/update_rule_status.py + require_serial: true + entry: poetry run python ./dev/update_rule_status.py language: system - repo: https://github.com/igorshubovych/markdownlint-cli rev: v0.32.2 hooks: - id: markdownlint - args: [ '--disable', - MD013, # Line length can be ignored for now - MD033, # Allow inline HTML - MD046, # Allow code blocks to be fenced with backticks - MD041, # Allow multiple top level headers - '--' ] - files: \.(md|markdown)$ \ No newline at end of file + args: [ + "--disable", + MD013, # Line length can be ignored for now + MD033, # Allow inline HTML + MD046, # Allow code blocks to be fenced with backticks + MD041, # Allow multiple top level headers + "--", + ] + files: \.(md|markdown)$ diff --git a/README.md b/README.md index 4a8d49dfd6..fc5afede5e 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ ![Coverage Badge](https://img.shields.io/endpoint?url=https://gist.githubusercontent.com/oren-zohar/a7160df46e48dff45b24096de9302d38/raw/csp-security-policies_coverage.json)
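Review bot: The `update-rules-status` hook still receives the staged file list as positional arguments, because `pass_filenames` is left at pre-commit's default of true while the neighbouring `opa check` and `opa test` hooks set `pass_filenames: false`; the added `require_serial: true` only collapses the calls into a single invocation, it does not stop the paths being appended to `poetry run python ./dev/update_rule_status.py`. If the script ignores argv this is harmless today, but it is a latent surprise for whoever later adds argument handling, so add `pass_filenames: false` next to `require_serial: true` (and a `files:` filter if the table only depends on Rego sources, which I cannot confirm from this diff). Switching the entry to `poetry run python` also makes this `language: system` hook depend on `poetry` being on PATH, which fails with an opaque error on machines where it is not; a comment such as `# requires poetry on PATH (run 'poetry install' first)` above the entry would save contributors a round trip. The enclosing `repos:` list starts outside the hunk.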
-Project structure +Project structure . ├── bundle @@ -44,17 +44,13 @@ **`input.json`** -should contain a beat/agent output and the `activated_rules` (not mandatory - without specifying rules all rules will -apply), e.g. filesystem data +should contain a beat/agent output and the `benchmark` (not mandatory - without specifying benchmark all benchmarks will +apply), e.g. k8s eks aws ```json { "type": "file", - "activated_rules": { - "cis_k8s": [ - "cis_1_1_1" - ] - }, + "benchmark": "cis_k8s", "sub_type": "file", "resource": { "mode": "700", @@ -83,7 +79,7 @@ opa eval data.main.findings --format pretty -i input.json -b ./bundle > output.j
Example output -```json +````json { "result": { "evaluation": "failed", @@ -120,7 +116,7 @@ opa eval data.main.findings --format pretty -i input.json -b ./bundle > output.j "version": "1.0" } } -``` +````
diff --git a/bundle/compliance/main.rego b/bundle/compliance/main.rego index 97b63c827c..fe1c3743ec 100644 --- a/bundle/compliance/main.rego +++ b/bundle/compliance/main.rego @@ -8,15 +8,13 @@ import data.compliance.lib.common resource = input.resource findings = f { - input.activated_rules + input.benchmark - # iterate over activated benchmarks - benchmarks := [key | input.activated_rules[key]] + # iterate over activated benchmark rules + benchmark := input.benchmark - # aggregate findings from activated benchmarks + # aggregate findings from activated benchmark f := {finding | - benchmark := benchmarks[_] - rule := input.activated_rules[benchmark][_] result := compliance[benchmark].rules[rule].finding with data.benchmark_data_adapter as compliance[benchmark].data_adapter finding = { "result": result, @@ -26,7 +24,7 @@ findings = f { } findings = f { - not input.activated_rules + not input.benchmark # aggregate findings from all benchmarks f := {finding |
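Review bot: In the first `findings` rule, `rule` is no longer bound by any statement once `rule := input.activated_rules[benchmark][_]` is removed, so `compliance[benchmark].rules[rule].finding` now depends on Rego treating the unbound `rule` as an output variable that iterates over every rule in the benchmark. That evaluates as intended, but it reads like an undefined variable and hides the "all rules" iteration; declare it explicitly by adding `some rule` on the line before `result := compliance[benchmark].rules[rule].finding with ...`, with a comment `# unbound 'rule' iterates every rule of the selected benchmark`. Separately, an `input.benchmark` value that is not a key of `compliance` (a typo in the benchmark name) makes `compliance[benchmark]` undefined, so the comprehension yields `{}` and the scan reports zero findings, which is indistinguishable from a clean result; the old `activated_rules` path behaved the same, so this is not a regression, but now that one string selects the whole benchmark a guard line `compliance[benchmark]` in the rule body (making `findings` undefined on a bad name) or at least a comment documenting the silent-empty behaviour would be worth adding. The body of this rule and the second `findings` rule both continue past the end of the hunk.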