nikpivkin (Contributor) commented Jul 11, 2024

The generation of compliance specifications will avoid errors when updating check metadata, as changes can only be made in checks.

Related PRs:

@nikpivkin nikpivkin force-pushed the gen-specs branch 3 times, most recently from 66e68f0 to 0609a3f on September 26, 2024 05:33
@nikpivkin nikpivkin marked this pull request as ready for review September 26, 2024 05:53
@nikpivkin nikpivkin requested a review from simar7 as a code owner September 26, 2024 05:53
simar7 (Member) commented Jul 16, 2025

I think this is good! I have a couple of comments:

  1. We should verify the generated spec each time and if any changes are observed, fail the CI. You already have the verification part of this in the makefile, just need to add it as part of the CI workflow. This will be similar to running make docs.
  2. The first time we generate a compliance spec, we'll need to verify it manually as there might be checks which don't have the spec control metadata field in them which associates them with a particular compliance spec.
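
The check described in point 1 (regenerate, compare against what is committed, fail CI on drift) as an added example that is not trivy-checks' own Makefile target or workflow. It assumes a hypothetical `verify_generated` function taking a committed directory and a freshly generated one; the sample trees at the bottom are constructed here to stand in for real generator output.

```shell
#!/bin/sh
# Added example, not the project's code: fail when committed generated files
# drift from a fresh generation. The real generator (whatever Makefile target
# produces the specs) would populate FRESH_DIR before this runs.
set -eu

# verify_generated COMMITTED_DIR FRESH_DIR
# Returns 0 when both trees are identical, 1 otherwise. Every stale, missing
# or extra file is reported on stderr so the CI log shows exactly what drifted.
# Paths are split on whitespace, which is fine for repo-style file names.
verify_generated() {
    committed="$1"
    fresh="$2"
    status=0
    # Every freshly generated file must exist in the repo with identical bytes.
    for f in $(cd "$fresh" && find . -type f | sort); do
        if [ ! -f "$committed/$f" ]; then
            echo "missing from repo: $f (regenerate and commit)" >&2
            status=1
        elif ! cmp -s "$committed/$f" "$fresh/$f"; then
            echo "stale in repo: $f" >&2
            diff -u "$committed/$f" "$fresh/$f" >&2 || true
            status=1
        fi
    done
    # A committed file that is no longer produced means a spec or control
    # silently disappeared, which is exactly the case a diff should surface.
    for f in $(cd "$committed" && find . -type f | sort); do
        if [ ! -f "$fresh/$f" ]; then
            echo "no longer generated: $f (delete it or fix check metadata)" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone demo on constructed sample trees (not real trivy-checks output).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/committed" "$demo_dir/fresh"
printf 'id: example\ncontrols: 2\n' > "$demo_dir/committed/example.yaml"
printf 'id: example\ncontrols: 3\n' > "$demo_dir/fresh/example.yaml"
if verify_generated "$demo_dir/committed" "$demo_dir/fresh"; then
    echo "generated specs are up to date"
else
    echo "generated specs drifted: regenerate and commit" >&2
fi
rm -rf "$demo_dir"
```

In a workflow this runs after the generator and its non-zero exit fails the job, the same way a `make docs` freshness check would; reporting removed files separately is what makes a dropped control visible, as point 2 asks.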

nikpivkin (Contributor, Author) replied:

> 1. We should verify the generated spec each time and if any changes are observed, fail the CI. You already have the verification part of this in the makefile, just need to add it as part of the CI workflow. This will be similar to running make docs.

Already added: https://github.com/aquasecurity/trivy-checks/pull/179/files#diff-d5c4c7c89806a5612ec9c3f57d1e659caf1bea380d7eea560a322a2028447fbcR1-R21

> 2. The first time we generate a compliance spec, we'll need to verify it manually as there might be checks which don't have the spec control metadata field in them which associates them with a particular compliance spec.

Agreed, the diff will make it easy to notice if any control goes missing.

…quasecurity#454)

Bumps the common group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/aws-cloudformation/rain](https://github.com/aws-cloudformation/rain) | `1.23.0` | `1.23.1` |
| [github.com/hashicorp/hcl/v2](https://github.com/hashicorp/hcl) | `2.23.0` | `2.24.0` |
| [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) | `1.5.1` | `1.6.0` |
| [github.com/testcontainers/testcontainers-go](https://github.com/testcontainers/testcontainers-go) | `0.37.1-0.20250602105123-1720acdcb24e` | `0.38.0` |
| [github.com/testcontainers/testcontainers-go/modules/registry](https://github.com/testcontainers/testcontainers-go) | `0.37.0` | `0.38.0` |
| [golang.org/x/text](https://github.com/golang/text) | `0.26.0` | `0.27.0` |
| [mvdan.cc/sh/v3](https://github.com/mvdan/sh) | `3.11.0` | `3.12.0` |

Updates `github.com/aws-cloudformation/rain` from 1.23.0 to 1.23.1
- [Release notes](https://github.com/aws-cloudformation/rain/releases)
- [Commits](aws-cloudformation/rain@v1.23.0...v1.23.1)

Updates `github.com/hashicorp/hcl/v2` from 2.23.0 to 2.24.0
- [Release notes](https://github.com/hashicorp/hcl/releases)
- [Changelog](https://github.com/hashicorp/hcl/blob/main/CHANGELOG.md)
- [Commits](hashicorp/hcl@v2.23.0...v2.24.0)

Updates `github.com/open-policy-agent/opa` from 1.5.1 to 1.6.0
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v1.5.1...v1.6.0)

Updates `github.com/testcontainers/testcontainers-go` from 0.37.1-0.20250602105123-1720acdcb24e to 0.38.0
- [Release notes](https://github.com/testcontainers/testcontainers-go/releases)
- [Commits](https://github.com/testcontainers/testcontainers-go/commits/v0.38.0)

Updates `github.com/testcontainers/testcontainers-go/modules/registry` from 0.37.0 to 0.38.0
- [Release notes](https://github.com/testcontainers/testcontainers-go/releases)
- [Commits](testcontainers/testcontainers-go@v0.37.0...v0.38.0)

Updates `golang.org/x/text` from 0.26.0 to 0.27.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.26.0...v0.27.0)

Updates `mvdan.cc/sh/v3` from 3.11.0 to 3.12.0
- [Release notes](https://github.com/mvdan/sh/releases)
- [Changelog](https://github.com/mvdan/sh/blob/master/CHANGELOG.md)
- [Commits](mvdan/sh@v3.11.0...v3.12.0)

---
updated-dependencies:
- dependency-name: github.com/aws-cloudformation/rain
  dependency-version: 1.23.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: common
- dependency-name: github.com/hashicorp/hcl/v2
  dependency-version: 2.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: github.com/testcontainers/testcontainers-go
  dependency-version: 0.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: github.com/testcontainers/testcontainers-go/modules/registry
  dependency-version: 0.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: golang.org/x/text
  dependency-version: 0.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: mvdan.cc/sh/v3
  dependency-version: 3.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
nikpivkin (Contributor, Author) commented:

@simar7 Generating the remaining specifications will require a little more effort:

  • The remaining checks do not reference specifications, so their metadata needs to be updated.
  • For Kubernetes checks, commands need to be added to their metadata.

Should this be done in another PR?

simar7 (Member) commented Jul 17, 2025

> @simar7 Generating the remaining specifications will require a little more effort:
>
> - The remaining checks do not reference specifications, so their metadata needs to be updated.
> - For Kubernetes checks, commands need to be added to their metadata.
>
> Should this be done in another PR?

Yeah I think we can do it in a separate PR.

simar7 (Member) commented Jul 17, 2025

Let's merge this once the ID PRs have stabilized.
