search

aws-cloudformation / aws-guard-rules-registry

Rules Registry for Compliance Frameworks
Apache License 2.0
107 stars 22 forks source link

(mappings): Create an "all rules" .guard file #208

Closed benbridts closed 2 years ago

benbridts commented 2 years ago

Description

It would be nice to have a .guard file in the release zip that includes all existing rules exactly once.

Use Case

While writing code, a developer might want to know about best practices and controls that exist, even if they are not being enforced in their pipeline. Currently they could run something like

cfn-guard validate --rules guard-rules/ --data  template.yaml | grep 'FAIL$'

But this leads to a lot of duplicate output:

cfn-guard validate --rules ~/tmp/guard-rules-tmp/ --data use-case/monitored-storage/template.yaml | grep '/.*FAIL$' | wc -l
     310

This is solvable with some scripting, but it would be nice to have this build in

cfn-guard validate --rules ~/tmp/guard-rules-tmp/ --data use-case/monitored-storage/template.yaml | grep '/.*FAIL$' | cut -d '/' -f2 | grep --only-matching -E '^\w+' | sort -u | wc -l
       8

In this example 8 misconfigurations caused 310 failing rules, it would be nice if this only caused 8 failures

Proposed Solution

build.py could recurse through the rules directory and create an _all-rules.guard file.

Other information

A similar approach could generate a documentation page with all the rules and their description

Acknowledge

grolston commented 2 years ago

This can be accomplished in two ways:

  1. We build the functionality in the build.py to conduct this process having the custom message state a default message for controls and compliance framework
  2. Create a mapping file that just entails them all.

As the mapping file would need to be update every time someone contributes a new rule, there would be a potential it is not updated and thus not accurate. I would think option 1 may be the best case for this.

As for the defaults values in the message, we could use the release version for the compliance framework.

grolston commented 2 years ago

build.py will create a single rule set that includes all rule files. Additionally this file will have a reportsOn attribute in the json file which builds the rule set.

cc @brianterry

github-actions[bot] commented 2 years ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.