ComplianceAsCode · Vincent056 · Oct 2, 2024
diff --git a/bundle/manifests/compliance.openshift.io_compliancecheckresults.yaml b/bundle/manifests/compliance.openshift.io_compliancecheckresults.yaml
@@ -41,6 +41,9 @@ spec:
           description:
             description: A human-readable check description, what and why it does
             type: string
+          errorMessage:
+            description: The ErrorMessage of the rule evaluation
+            type: string
           id:
             description: A unique identifier of a check
             type: string

diff --git a/bundle/manifests/compliance.openshift.io_compliancescans.yaml b/bundle/manifests/compliance.openshift.io_compliancescans.yaml
@@ -266,6 +266,12 @@ spec:
                 default: Node
                 description: The type of Compliance scan.
                 type: string
+              scanner:
+                default: OpenSCAP
+                description: |-
+                  Scanner is the type of scanner that should be used to evaluate this rule
+                  Defaults to OpenSCAP
+                type: string
               showNotApplicable:
                 default: false
                 description: Determines whether to hide or show results that are not

diff --git a/bundle/manifests/compliance.openshift.io_compliancesuites.yaml b/bundle/manifests/compliance.openshift.io_compliancesuites.yaml
@@ -285,6 +285,12 @@ spec:
                       default: Node
                       description: The type of Compliance scan.
                       type: string
+                    scanner:
+                      default: OpenSCAP
+                      description: |-
+                        Scanner is the type of scanner that should be used to evaluate this rule
+                        Defaults to OpenSCAP
+                      type: string
                     showNotApplicable:
                       default: false
                       description: Determines whether to hide or show results that

diff --git a/bundle/manifests/compliance.openshift.io_rules.yaml b/bundle/manifests/compliance.openshift.io_rules.yaml
@@ -58,9 +58,63 @@ spec:
           description:
             description: The description of the Rule
             type: string
+          evaluations:
+            description: |-
+              Evaluations is the list of CEL expressions that will be used
+              to evaluate the rule
+            items:
+              properties:
+                errorMessage:
+                  description: Error message to be displayed if the evaluation fails
+                  type: string
+                expression:
+                  description: The CEL expression to be evaluated
+                  type: string
+              required:
+              - expression
+              type: object
+            nullable: true
+            type: array
+            x-kubernetes-list-type: atomic
           id:
             description: The XCCDF ID
             type: string
+          inputs:
+            description: Inputs represent the input parameters for the CEL expression
+            items:
+              description: InputPayload defines the structure for the inputs used
+                in the CEL expression
+              properties:
+                kubeResource:
+                  description: The kubernetes resource that will be used as input
+                  nullable: true
+                  properties:
+                    apiGroup:
+                      description: The API group of the resource
+                      type: string
+                    apiVersion:
+                      description: The version of the resource
+                      type: string
+                    namespace:
+                      description: The namespace of the resource
+                      type: string
+                    resource:
+                      description: The resource type
+                      type: string
+                  required:
+                  - apiGroup
+                  - apiVersion
+                  - resource
+                  type: object
+                name:
+                  description: The name of the input parameter
+                  type: string
+              required:
+              - name
+              type: object
+            nullable: true
+            type: array
+            x-kubernetes-list-type: atomic
           instructions:
             description: Instructions for auditing this specific rule
             type: string
@@ -77,6 +131,12 @@ spec:
           rationale:
             description: The rationale of the Rule
             type: string
+          scanner:
+            default: OpenSCAP
+            description: |-
+              Scanner is the type of scanner that should be used to evaluate this rule
+              Defaults to OpenSCAP
+            type: string
           severity:
             description: The severity level
             type: string

diff --git a/config/crd/bases/compliance.openshift.io_compliancecheckresults.yaml b/config/crd/bases/compliance.openshift.io_compliancecheckresults.yaml
@@ -41,6 +41,9 @@ spec:
           description:
             description: A human-readable check description, what and why it does
             type: string
+          errorMessage:
+            description: The ErrorMessage of the rule evaluation
+            type: string
           id:
             description: A unique identifier of a check
             type: string

diff --git a/config/crd/bases/compliance.openshift.io_compliancescans.yaml b/config/crd/bases/compliance.openshift.io_compliancescans.yaml
@@ -266,6 +266,12 @@ spec:
                 default: Node
                 description: The type of Compliance scan.
                 type: string
+              scanner:
+                default: OpenSCAP
+                description: |-
+                  Scanner is the type of scanner that should be used to evaluate this rule
+                  Defaults to OpenSCAP
+                type: string
               showNotApplicable:
                 default: false
                 description: Determines whether to hide or show results that are not

diff --git a/config/crd/bases/compliance.openshift.io_compliancesuites.yaml b/config/crd/bases/compliance.openshift.io_compliancesuites.yaml
@@ -285,6 +285,12 @@ spec:
                       default: Node
                       description: The type of Compliance scan.
                       type: string
+                    scanner:
+                      default: OpenSCAP
+                      description: |-
+                        Scanner is the type of scanner that should be used to evaluate this rule
+                        Defaults to OpenSCAP
+                      type: string
                     showNotApplicable:
                       default: false
                       description: Determines whether to hide or show results that

diff --git a/config/crd/bases/compliance.openshift.io_rules.yaml b/config/crd/bases/compliance.openshift.io_rules.yaml
@@ -58,9 +58,63 @@ spec:
           description:
             description: The description of the Rule
             type: string
+          evaluations:
+            description: |-
+              Evaluations is the list of CEL expressions that will be used
+              to evaluate the rule
+            items:
+              properties:
+                errorMessage:
+                  description: Error message to be displayed if the evaluation fails
+                  type: string
+                expression:
+                  description: The CEL expression to be evaluated
+                  type: string
+              required:
+              - expression
+              type: object
+            nullable: true
+            type: array
+            x-kubernetes-list-type: atomic
           id:
             description: The XCCDF ID
             type: string
+          inputs:
+            description: Inputs represent the input parameters for the CEL expression
+            items:
+              description: InputPayload defines the structure for the inputs used
+                in the CEL expression
+              properties:
+                kubeResource:
+                  description: The kubernetes resource that will be used as input
+                  nullable: true
+                  properties:
+                    apiGroup:
+                      description: The API group of the resource
+                      type: string
+                    apiVersion:
+                      description: The version of the resource
+                      type: string
+                    namespace:
+                      description: The namespace of the resource
+                      type: string
+                    resource:
+                      description: The resource type
+                      type: string
+                  required:
+                  - apiGroup
+                  - apiVersion
+                  - resource
+                  type: object
+                name:
+                  description: The name of the input parameter
+                  type: string
+              required:
+              - name
+              type: object
+            nullable: true
+            type: array
+            x-kubernetes-list-type: atomic
           instructions:
             description: Instructions for auditing this specific rule
             type: string
@@ -77,6 +131,12 @@ spec:
           rationale:
             description: The rationale of the Rule
             type: string
+          scanner:
+            default: OpenSCAP
+            description: |-
+              Scanner is the type of scanner that should be used to evaluate this rule
+              Defaults to OpenSCAP
+            type: string
           severity:
             description: The severity level
             type: string

diff --git a/pkg/apis/compliance/v1alpha1/compliancecheckresult_types.go b/pkg/apis/compliance/v1alpha1/compliancecheckresult_types.go
@@ -98,6 +98,8 @@ type ComplianceCheckResult struct {
 	Warnings []string `json:"warnings,omitempty"`
 	// It stores a list of values used by the check
 	ValuesUsed []string `json:"valuesUsed,omitempty"`
+	// The ErrorMessage of the rule evaluation
+	ErrorMessage string `json:"errorMessage,omitempty"`
 }
 
 // +kubebuilder:object:root=true

diff --git a/pkg/apis/compliance/v1alpha1/compliancescan_types.go b/pkg/apis/compliance/v1alpha1/compliancescan_types.go
@@ -89,6 +89,9 @@ const CmScanResultAnnotation = "compliance.openshift.io/scan-result"
 // CmScanResultErrMsg holds the processed scanner error message
 const CmScanResultErrMsg = "compliance.openshift.io/scan-error-msg"
 
+// CELFeatureEnableAnnotation is used to enable the CEL feature
+const CELFeatureEnableAnnotation = "compliance.openshift.io/cel-feature-enable"
+
 const (
 	// ResultNot available represents the compliance scan not having finished yet
 	ResultNotAvailable ComplianceScanStatusResult = "NOT-AVAILABLE"
@@ -244,6 +247,10 @@ type ComplianceScanSpec struct {
 	// rule. Note that when leaving this empty, the scan will check for all the
 	// rules for a specific profile.
 	Rule string `json:"rule,omitempty"`
+	// Scanner is the type of scanner that should be used to evaluate this rule
+	// Defaults to OpenSCAP
+	// +kubebuilder:default=OpenSCAP
+	Scanner ScannerType `json:"scanner,omitempty"`
 	// Is the path to the file that contains the content (the data stream).
 	// Note that the path needs to be relative to the `/` (root) directory, as
 	// it is in the ContentImage

diff --git a/pkg/apis/compliance/v1alpha1/profile_types.go b/pkg/apis/compliance/v1alpha1/profile_types.go
@@ -15,6 +15,13 @@ const ProductAnnotation = "compliance.openshift.io/product"
 // ProfileGuidLabel specifies the unique identifier of the Profile
 const ProfileGuidLabel = "compliance.openshift.io/profile-guid"
 
+// ScannerAnnotation specifies the type of scanner to use for this Profile
+const ScannerAnnotation = "compliance.openshift.io/scanner"
+
+// UserProfileAnnotation define if tailored profile contains User Created rules
+// that are not part of the original profile
+const UserProfileAnnotation = "compliance.openshift.io/user-profile"
+
 // ProfileRule defines the name of a specific rule in the profile
 type ProfileRule string
 

diff --git a/pkg/apis/compliance/v1alpha1/rule_types.go b/pkg/apis/compliance/v1alpha1/rule_types.go
@@ -27,6 +27,28 @@ const (
 	CheckTypeNone     = ""
 )
 
+// ScannerType is an enum type for the scanner type
+type ScannerType string
+
+// InputType is an enum type for the input type
+type InputType string
+
+const (
+	// ScannerTypeOpenSCAP is the default scanner type
+	ScannerTypeOpenSCAP ScannerType = "OpenSCAP"
+	// ScannerTypeCelScanner is the scanner type for the CEL scanner
+	ScannerTypeCelScanner ScannerType = "CEL"
+	// ScannerTypeUnknown is the scanner type for an unknown scanner
+	ScannerTypeUnknown ScannerType = "Unknown"
+)
+
+type Evaluation struct {
+	// The CEL expression to be evaluated
+	Expression string `json:"expression"`
+	// Error message to be displayed if the evaluation fails
+	ErrorMessage string `json:"errorMessage,omitempty"`
+}
+
 type RulePayload struct {
 	// The XCCDF ID
 	ID string `json:"id"`
@@ -50,6 +72,45 @@ type RulePayload struct {
 	// +optional
 	// +listType=atomic
 	AvailableFixes []FixDefinition `json:"availableFixes,omitempty"`
+	// Scanner is the type of scanner that should be used to evaluate this rule
+	// Defaults to OpenSCAP
+	// +kubebuilder:default=OpenSCAP
+	Scanner ScannerType `json:"scanner,omitempty"`
+	// Evaluations is the list of CEL expressions that will be used
+	// to evaluate the rule
+	// +nullable
+	// +optional
+	// +listType=atomic
+	Evaluatiosn []Evaluation `json:"evaluations,omitempty"`
+	// Inputs represent the input parameters for the CEL expression
+	// +nullable
+	// +optional
+	// +listType=atomic
+	Inputs []InputPayload `json:"inputs,omitempty"`
+}
+
+// KubernetesResource represents a kubernetes resource that can be used as an input
+// for the CEL expression
+type KubernetesResource struct {
+	// The API group of the resource
+	APIGroup string `json:"apiGroup"`
+	// The version of the resource
+	ApiVersion string `json:"apiVersion"`
+	// The resource type
+	Resource string `json:"resource"`
+	// The namespace of the resource
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// InputPayload defines the structure for the inputs used in the CEL expression
+type InputPayload struct {
+	// The name of the input parameter
+	Name string `json:"name"`
+	// The kubernetes resource that will be used as input
+	// +nullable
+	// +optional
+	KubeResource KubernetesResource `json:"kubeResource,omitempty"`
 }
 
 // +kubebuilder:object:root=true