Skip to content

chore: generate AWS compliance specs based on checks#179

Open
nikpivkin wants to merge 3 commits intoaquasecurity:mainfrom
nikpivkin:gen-specs
Open

chore: generate AWS compliance specs based on checks#179
nikpivkin wants to merge 3 commits intoaquasecurity:mainfrom
nikpivkin:gen-specs

Conversation

@nikpivkin
Copy link
Contributor

@nikpivkin nikpivkin commented Jul 11, 2024
edited
Loading

The generation of compliance specifications will avoid errors when updating check metadata, as changes can only be made in checks.

Related PRs:

@nikpivkin nikpivkin force-pushed the gen-specs branch 3 times, most recently from 66e68f0 to 0609a3f Compare September 26, 2024 05:33
@nikpivkin nikpivkin marked this pull request as ready for review September 26, 2024 05:53
@nikpivkin nikpivkin requested a review from simar7 as a code owner September 26, 2024 05:53
@simar7
Copy link
Member

simar7 commented Jul 16, 2025

I think this is good! I have a couple of comments:

  1. We should verify the generated spec each time and if any changes are observed, fail the CI. You already have the verification part of this in the makefile, just need to add it as part of the CI workflow. This will be similar to running make docs.
  2. The first time we generate a compliance spec, we'll need to verify it manually as there might be checks which don't have the spec control metadata field in them which associates them with a particular compliance spec.

@nikpivkin
Copy link
Contributor Author

nikpivkin commented Jul 17, 2025

  1. We should verify the generated spec each time and if any changes are observed, fail the CI. You already have the verification part of this in the makefile, just need to add it as part of the CI workflow. This will be similar to running make docs.

Already added: https://github.com/aquasecurity/trivy-checks/pull/179/files#diff-d5c4c7c89806a5612ec9c3f57d1e659caf1bea380d7eea560a322a2028447fbcR1-R21

2. The first time we generate a compliance spec, we'll need to verify it manually as there might be checks which don't have the spec control metadata field in them which associates them with a particular compliance spec.

Agreed, the diff will make it easy to notice if any control goes missing.

@dependabot @nikpivkin
chore(deps): bump the common group across 1 directory with 7 updates (a…
5003e58 
…quasecurity#454)

Bumps the common group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/aws-cloudformation/rain](https://github.com/aws-cloudformation/rain) | `1.23.0` | `1.23.1` |
| [github.com/hashicorp/hcl/v2](https://github.com/hashicorp/hcl) | `2.23.0` | `2.24.0` |
| [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) | `1.5.1` | `1.6.0` |
| [github.com/testcontainers/testcontainers-go](https://github.com/testcontainers/testcontainers-go) | `0.37.1-0.20250602105123-1720acdcb24e` | `0.38.0` |
| [github.com/testcontainers/testcontainers-go/modules/registry](https://github.com/testcontainers/testcontainers-go) | `0.37.0` | `0.38.0` |
| [golang.org/x/text](https://github.com/golang/text) | `0.26.0` | `0.27.0` |
| [mvdan.cc/sh/v3](https://github.com/mvdan/sh) | `3.11.0` | `3.12.0` |

Updates `github.com/aws-cloudformation/rain` from 1.23.0 to 1.23.1
- [Release notes](https://github.com/aws-cloudformation/rain/releases)
- [Commits](aws-cloudformation/rain@v1.23.0...v1.23.1)

Updates `github.com/hashicorp/hcl/v2` from 2.23.0 to 2.24.0
- [Release notes](https://github.com/hashicorp/hcl/releases)
- [Changelog](https://github.com/hashicorp/hcl/blob/main/CHANGELOG.md)
- [Commits](hashicorp/hcl@v2.23.0...v2.24.0)

Updates `github.com/open-policy-agent/opa` from 1.5.1 to 1.6.0
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v1.5.1...v1.6.0)

Updates `github.com/testcontainers/testcontainers-go` from 0.37.1-0.20250602105123-1720acdcb24e to 0.38.0
- [Release notes](https://github.com/testcontainers/testcontainers-go/releases)
- [Commits](https://github.com/testcontainers/testcontainers-go/commits/v0.38.0)

Updates `github.com/testcontainers/testcontainers-go/modules/registry` from 0.37.0 to 0.38.0
- [Release notes](https://github.com/testcontainers/testcontainers-go/releases)
- [Commits](testcontainers/testcontainers-go@v0.37.0...v0.38.0)

Updates `golang.org/x/text` from 0.26.0 to 0.27.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.26.0...v0.27.0)

Updates `mvdan.cc/sh/v3` from 3.11.0 to 3.12.0
- [Release notes](https://github.com/mvdan/sh/releases)
- [Changelog](https://github.com/mvdan/sh/blob/master/CHANGELOG.md)
- [Commits](mvdan/sh@v3.11.0...v3.12.0)

---
updated-dependencies:
- dependency-name: github.com/aws-cloudformation/rain
  dependency-version: 1.23.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: common
- dependency-name: github.com/hashicorp/hcl/v2
  dependency-version: 2.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: github.com/testcontainers/testcontainers-go
  dependency-version: 0.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: github.com/testcontainers/testcontainers-go/modules/registry
  dependency-version: 0.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: golang.org/x/text
  dependency-version: 0.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: mvdan.cc/sh/v3
  dependency-version: 3.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@nikpivkin
Copy link
Contributor Author

nikpivkin commented Jul 17, 2025

@simar7 Generating the remaining specifications will require a little more effort:

  • The remaining checks do not reference specifications, so their metadata needs to be updated.
  • For Kubernetes checks, commands need to be added to their metadata.

Should this be done in another PR?

@simar7
Copy link
Member

simar7 commented Jul 17, 2025

@simar7 Generating the remaining specifications will require a little more effort:

  • The remaining checks do not reference specifications, so their metadata needs to be updated.
  • For Kubernetes checks, commands need to be added to their metadata.

Should this be done in another PR?

Yeah I think we can do it in a separate PR.

@simar7
Copy link
Member

simar7 commented Jul 17, 2025

Let's merge this once the ID PRs have stabilized.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@simar7 simar7 Awaiting requested review from simar7 simar7 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nikpivkin @simar7