add delete / review paths

Signed-off-by: YiscahLevySilas1 <[email protected]>

rules/CVE-2021-25742/raw.rego

@@ -18,6 +18,7 @@ deny[msga] {
 	path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)])
 	msga := {
 			"alertMessage": sprintf("You may be vulnerable to CVE-2021-25742. Deployment %v", [deployment.metadata.name]),
+			"reviewPaths": [path],
 			"failedPaths": [path],
 			"fixPaths":[],
 			"alertObject": {"k8SApiObjects": [deployment]},

rules/CVE-2022-0185/raw.rego

@@ -34,6 +34,7 @@ deny[msga] {
     		"alertObject": {
                 "externalObjects": external_vector
             },
+            "reviewPaths": ["kernelVersion"],
 			"failedPaths": ["kernelVersion"],
             "fixPaths":[],
 	}

rules/CVE-2022-0492/raw.rego

@@ -42,6 +42,7 @@ deny[msga] {
 		"alertMessage": "You may be vulnerable to CVE-2022-0492",
 		"packagename": "armo_builtins",
 		"alertScore": 4,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
         "fixPaths": fixPath,
 		"alertObject": {
@@ -85,6 +86,7 @@ deny[msga] {
 		"alertMessage": "You may be vulnerable to CVE-2022-0492",
 		"packagename": "armo_builtins",
 		"alertScore": 4,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
         "fixPaths": fixPath,
 		"alertObject": {
@@ -126,6 +128,7 @@ deny[msga] {
 		"alertMessage": "You may be vulnerable to CVE-2022-0492",
 		"packagename": "armo_builtins",
 		"alertScore": 4,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
         "fixPaths": fixPath,
 		"alertObject": {
@@ -162,6 +165,7 @@ deny[msga] {
 		"alertMessage": "You may be vulnerable to CVE-2022-0492",
 		"packagename": "armo_builtins",
 		"alertScore": 4,
+		"deletePaths": [result],
 		"failedPaths": [result],
         "fixPaths": [],
 		"alertObject": {
@@ -193,6 +197,7 @@ deny[msga] {
 		"alertMessage": "You may be vulnerable to CVE-2022-0492",
 		"packagename": "armo_builtins",
 		"alertScore": 4,
+		"deletePaths": [result],
 		"failedPaths": [result],
         "fixPaths": [],
 		"alertObject": {
@@ -223,6 +228,7 @@ deny[msga] {
 		"alertMessage": "You may be vulnerable to CVE-2022-0492",
 		"packagename": "armo_builtins",
 		"alertScore": 4,
+		"deletePaths": [result],
 		"failedPaths": [result],
         "fixPaths": [],
 		"alertObject": {

rules/CVE-2022-23648/raw.rego

@@ -20,6 +20,7 @@ deny[msga] {
     		"alertObject": {
                "k8SApiObjects": [node]
             },
+			"reviewPaths": [path],
 			"failedPaths": [path],
             "fixPaths":[],
 	}

rules/CVE-2022-24348/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 	path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)])
     msga := {
 			"alertMessage": "You may be vulnerable to CVE-2022-24348",
+			"reviewPaths": [path],
 			"failedPaths": [path],
 			"fixPaths":[],
 			"alertObject": { 

rules/CVE-2022-39328/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 	path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)])
     msga := {
 			"alertMessage": "You may be vulnerable to CVE-2022-39328",
+			"reviewPaths": [path],
 			"failedPaths": [path],
 			"fixPaths":[],
 			"alertObject": { 

rules/CVE-2022-47633/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 	path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)])
     msga := {
 			"alertMessage": "You may be vulnerable to CVE-2022-47633",
+			"reviewPaths": [path],
 			"failedPaths": [path],
 			"fixPaths":[],
 			"alertObject": { 

rules/drop-capability-netraw/raw.rego

@@ -19,6 +19,7 @@ deny[msga] {
 		"alertMessage": sprintf("Pod: %s does not drop the capability NET_RAW", [wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"deletePaths": failedPaths,
 		"failedPaths": failedPaths,
 		"fixPaths": fixPaths,
 		"alertObject": {"k8sApiObjects": [wl]},
@@ -43,6 +44,7 @@ deny[msga] {
 		"alertMessage": sprintf("Workload: %v does not drop the capability NET_RAW", [wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"deletePaths": failedPaths,
 		"failedPaths": failedPaths,
 		"fixPaths": fixPaths,
 		"alertObject": {"k8sApiObjects": [wl]},
@@ -66,6 +68,7 @@ deny[msga] {
 		"alertMessage": sprintf("Cronjob: %v does not drop the capability NET_RAW", [wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"deletePaths": failedPaths,
 		"failedPaths": failedPaths,
 		"fixPaths": fixPaths,
 		"alertObject": {"k8sApiObjects": [wl]},

rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/raw.rego

@@ -73,6 +73,7 @@ deny[msga] {
     	"alertMessage": "Ingress object has 'spec.tls' value not set.",
     	"packagename": "armo_builtins",
     	"alertScore": 7,
+		"reviewPaths": ["spec.tls"],
     	"failedPaths": ["spec.tls"],
     	"fixPaths":[],
     	"alertObject": {

rules/endpoints-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/endpointslice-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/enforce-kubelet-client-tls-authentication-updated/raw.rego

@@ -18,6 +18,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": "kubelet client TLS authentication is not enabled",
 		"alertScore": 6,
+		"reviewPaths": ["authentication.x509.clientCAFile"],
 		"failedPaths": ["authentication.x509.clientCAFile"],
 		"fixPaths": [],
 		"packagename": "armo_builtins",

rules/ensure-default-service-accounts-has-only-default-roles/raw.rego

@@ -20,6 +20,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("%s: %v has for ServiceAccount 'default' rules bound to it that are not defaults", [wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
+        "deletePaths": [sprintf("subjects[%d]", [i])],
         "failedPaths": [sprintf("subjects[%d]", [i])],
         "fixPaths":[],
 		"alertScore": 7,

rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/raw.rego

@@ -32,6 +32,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "The API server is not configured to use strong cryptographic ciphers",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "Admission control policy is not set to AlwaysPullImages",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/raw.rego

@@ -10,6 +10,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "The API server is not configured to limit the rate at which it accepts requests. This could lead to a denial of service attack",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "NodeRestriction is not enabled",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage":"The SecurityContextDeny addmission controller is not enabled. This could allow for privilege escalation in the cluster", 
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "admission control plugin DenyServiceExternalIPs is enabled. This is equal to turning off all admission controllers",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "anonymous requests is enabled",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": result.alert,
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": result.alert,
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": result.alert,
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-audit-log-path-argument-is-set/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "kubernetes API Server is not audited",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "kubelet nodes can read objects that are not associated with them",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "RBAC is not enabled",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "AlwaysAllow authorization mode is enabled",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "API server communication is not encrypted properly",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "API server is not configured to use SSL Certificate Authority file for etcd",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "etcd is not configured to use TLS properly",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "TLS certificate authority file is not specified",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "certificate based kubelet authentication is not enabled",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "profiling is enabled. This could potentially be exploited to uncover system and program details.",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": result.alert,
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "the secure port is disabled",
 		"alertScore": 2,
+		"reviewPaths": [sprintf("spec.containers[0].command[%v]", [i])],
 		"failedPaths": [sprintf("spec.containers[0].command[%v]", [i])],
 		"fixPaths": [],
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-service-account-key-file-argument-is-set-as-appropriate/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "TLS certificate authority",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "anonymous requests is enabled",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "API server is not configured to serve only HTTPS traffic",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "API server TLS is not configured",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",

rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/raw.rego

@@ -9,6 +9,7 @@ deny[msg] {
 	msg := {
 		"alertMessage": "`RotateKubeletServerCertificate` is set to false on the controller manager",
 		"alertScore": 2,
+		"reviewPaths": result.failed_paths,
 		"failedPaths": result.failed_paths,
 		"fixPaths": result.fix_paths,
 		"packagename": "armo_builtins",