Azure / ShieldGuard

Enables best security practices for your project from day zero.
MIT License
8 stars, 5 forks

Allow pulling rules from non-local sources #113

Open matthchr opened 3 weeks ago

matthchr commented 3 weeks ago

Either via just plain old HTTP(S) file queries or possibly via ORAS with something like https://github.com/opcr-io/policy, or possibly we could support both.

The advantage of this would be that we could define a set of common requirements for:

and then reuse them in different contexts. The main wins of reuse are for other projects like extensions that might run a subset of the AKS linters but benefit from updates to the core security linters (rather than duplicating them).

matthchr commented 3 weeks ago

In terms of doing this, if we wanted to support something like go does for mod (where you can pull from git repos based on tag), we could look at what go does, which involves pulling a zip of the repo at a given hash and then hashing that zip for caching purposes:

Alternatively we could use the GitHub API, if we only wanted to support GitHub (which seems unlikely to me, but might be simple):
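The go-mod-style flow sketched in the comment above (download an archive of the rules at a fixed revision, hash the archive, cache it under that hash) as an added, self-contained Go example. This is not ShieldGuard's code and not the design the project adopted; the function names `FetchBundle`, `ListRules`, `digestOf` and `buildRuleBundle` are assumptions for this example, and the rule bundle is a zip constructed in memory and served from a local test server so the whole thing runs offline. The one addition beyond the comment is the pinned-digest check: once a consumer has recorded the digest of a bundle (as a lock file would), later fetches are served from the cache only if the cached bytes still match, and a download whose digest differs from the pin is rejected before it is cached or loaded.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// buildRuleBundle constructs a small zip of Rego rules in memory.
// The file names and rule bodies are made up for this example.
func buildRuleBundle() []byte {
	files := []struct{ name, body string }{
		{"rules/deny_privileged.rego", "package rules\n\ndeny[msg] {\n  input.privileged == true\n  msg := \"privileged containers are not allowed\"\n}\n"},
		{"rules/require_limits.rego", "package rules\n\ndeny[msg] {\n  not input.resources.limits\n  msg := \"resource limits are required\"\n}\n"},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, f := range files { // fixed order so the archive bytes are stable
		w, err := zw.Create(f.name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(f.body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// digestOf returns the hex SHA-256 of the archive bytes; it doubles as the cache key.
func digestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// FetchBundle (hypothetical name) returns the path of a cached copy of the rules
// archive at url. With a non-empty expectedDigest it first tries the cache and
// re-hashes the cached file, so a corrupted cache entry is never trusted; a fresh
// download whose digest differs from the pin is rejected and not cached.
func FetchBundle(url, expectedDigest, cacheDir string) (path, digest string, err error) {
	if expectedDigest != "" {
		cached := filepath.Join(cacheDir, expectedDigest+".zip")
		if b, readErr := os.ReadFile(cached); readErr == nil && digestOf(b) == expectedDigest {
			return cached, expectedDigest, nil
		}
	}
	resp, err := http.Get(url)
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", "", fmt.Errorf("fetch %s: unexpected status %s", url, resp.Status)
	}
	// Bound the read so a misbehaving server cannot exhaust memory (16 MiB is an arbitrary cap).
	body, err := io.ReadAll(io.LimitReader(resp.Body, 16<<20))
	if err != nil {
		return "", "", err
	}
	digest = digestOf(body)
	if expectedDigest != "" && digest != expectedDigest {
		return "", "", fmt.Errorf("bundle digest mismatch: got %s, want %s", digest, expectedDigest)
	}
	// Refuse to cache anything that is not a well-formed zip archive.
	if _, err := zip.NewReader(bytes.NewReader(body), int64(len(body))); err != nil {
		return "", "", fmt.Errorf("bundle is not a valid zip archive: %w", err)
	}
	if err := os.MkdirAll(cacheDir, 0o755); err != nil {
		return "", "", err
	}
	path = filepath.Join(cacheDir, digest+".zip")
	if err := os.WriteFile(path, body, 0o644); err != nil {
		return "", "", err
	}
	return path, digest, nil
}

// ListRules (hypothetical name) returns the sorted .rego entries of a cached bundle.
func ListRules(path string) ([]string, error) {
	zr, err := zip.OpenReader(path)
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	var names []string
	for _, f := range zr.File {
		if strings.HasSuffix(f.Name, ".rego") {
			names = append(names, f.Name)
		}
	}
	sort.Strings(names)
	return names, nil
}

func main() {
	bundle := buildRuleBundle()
	// Local stand-in for a remote HTTP(S) source of rules.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write(bundle) }))
	defer srv.Close()
	cacheDir, err := os.MkdirTemp("", "rules-cache-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(cacheDir)

	// First fetch without a pin: download, hash, cache, and record the digest.
	path, digest, err := FetchBundle(srv.URL+"/rules.zip", "", cacheDir)
	if err != nil {
		panic(err)
	}
	rules, _ := ListRules(path)
	fmt.Println("cached", path, "digest", digest, "rules", rules)

	// Second fetch with the recorded pin: served from the cache, no network needed.
	if _, _, err := FetchBundle("http://127.0.0.1:1/unreachable", digest, cacheDir); err != nil {
		panic(err)
	}
}
```

Keying the cache by the archive digest rather than by URL or tag is what makes the pin meaningful: a tag can be moved, but a consumer that records the digest it first saw will notice if the bytes behind that tag change.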