Merge pull request #208 from fabriziosestito/refactor/move-to-resourc…

…es-based-report

refactor!: move to resource-based report

Makefile

@@ -27,9 +27,6 @@ unit-tests: fmt vet ## Run unit tests.
 build: fmt vet lint ## Build audit-scanner binary.
 	go build -o bin/audit-scanner .
 
-generate: ## Generate code.
-	go generate ./...
-
 .PHONY: docker-build
 docker-build: unit-tests
 	DOCKER_BUILDKIT=1 docker build -t ${IMG} .

README.md

@@ -13,10 +13,9 @@ identifies the ones that are violating Kubewarden policies.
 
 The results of the scan can be made available via `PolicyReport` objects. Each Namespace
 has its own dedicated `PolicyReport`. Cluster-wide resources compliance is available via
-the `ClusterPolicyReport` resource. 
+the `ClusterPolicyReport` resource.
 
-Instead of relying on `PolicyReport` objects, one can also configure Audit scanner to
-save all this information in-memory only, by specifying `--store memory`.
+Storing `PolicyReport` and `ClusterPolicyReport` to etcd can be disabled by specifying `--disable-store`.
 
 # Deployment
 
@@ -37,18 +36,16 @@ $ make build
 
 Have a look at CONTRIBUTING.md for more developer information.
 
-For implementation details, see [RFC-11](https://github.com/kubewarden/rfc/blob/main/rfc/0011-audit-checks.md), 
+For implementation details, see [RFC-11](https://github.com/kubewarden/rfc/blob/main/rfc/0011-audit-checks.md),
 [RFC-12](https://github.com/kubewarden/rfc/blob/main/rfc/0012-policy-report.md).
 
-
 # Software bill of materials
 
 Audit scanner has its software bill of materials (SBOM) published every release.
 It follows the [SPDX](https://spdx.dev/) version 2.2 format and it can be found
 together with the signature and certificate used to signed it in the
 [release assets](https://github.com/kubewarden/audit-scanner/releases)
 
-
 # Security
 
 The Kubewarden team is security conscious. You can find our [threat model

cmd/root.go

@@ -32,6 +32,9 @@ var skippedNs []string
 // skip SSL cert validation when connecting to PolicyServers endpoints
 var insecureSSL bool
 
+// disable storing the results in the k8s cluster
+var disableStore bool
+
 // rootCmd represents the base command when called without any subcommands
 var rootCmd = &cobra.Command{
 	Use:   "audit-scanner",
@@ -62,13 +65,8 @@ There will be a ClusterPolicyReport with results for cluster-wide resources.`,
 		if err != nil {
 			return err
 		}
-		storeType, err := cmd.Flags().GetString("store")
-		if err != nil {
-			return err
-		}
 
 		config := ctrl.GetConfigOrDie()
-
 		dynamicClient := dynamic.NewForConfigOrDie(config)
 		clientset := kubernetes.NewForConfigOrDie(config)
 
@@ -84,13 +82,9 @@ There will be a ClusterPolicyReport with results for cluster-wide resources.`,
 		if err != nil {
 			return err
 		}
+		policyReportStore := report.NewPolicyReportStore(client)
 
-		policyReportStore, err := report.NewPolicyReportStoreFromType(storeType)
-		if err != nil {
-			return err
-		}
-
-		scanner, err := scanner.NewScanner(policiesClient, k8sClient, policyReportStore, outputScan, insecureSSL, caCertFile)
+		scanner, err := scanner.NewScanner(policiesClient, k8sClient, policyReportStore, outputScan, disableStore, insecureSSL, caCertFile)
 		if err != nil {
 			return err
 		}
@@ -144,5 +138,5 @@ func init() {
 	rootCmd.Flags().StringSliceVarP(&skippedNs, "ignore-namespaces", "i", nil, "comma separated list of namespace names to be skipped from scan. This flag can be repeated")
 	rootCmd.Flags().BoolVar(&insecureSSL, "insecure-ssl", false, "skip SSL cert validation when connecting to PolicyServers endpoints. Useful for development")
 	rootCmd.Flags().StringP("extra-ca", "f", "", "File path to CA cert in PEM format of PolicyServer endpoints")
-	rootCmd.Flags().StringP("store", "s", report.KUBERNETES, fmt.Sprintf("PolicyReport store type. Supported values are: %v", report.SupportedTypes))
+	rootCmd.Flags().BoolVar(&disableStore, "disable-store", false, "disable storing the results in the k8s cluster")
 }

go.mod

@@ -3,7 +3,6 @@ module github.com/kubewarden/audit-scanner
 go 1.21
 
 require (
-	github.com/google/go-cmp v0.6.0
 	github.com/google/uuid v1.6.0
 	github.com/kubewarden/kubewarden-controller v1.10.1
 	github.com/rs/zerolog v1.32.0
@@ -34,6 +33,7 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -52,7 +52,6 @@ require (
 	github.com/prometheus/common v0.46.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/objx v0.5.0 // indirect
 	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect
 	golang.org/x/net v0.20.0 // indirect
 	golang.org/x/oauth2 v0.16.0 // indirect

go.sum

@@ -410,15 +410,10 @@ github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DM
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=

internal/report/constants.go

@@ -1,9 +1,38 @@
 package report
 
 const (
-	PrefixNameClusterPolicyReport = "polr-"
-	PrefixNamePolicyReport        = "polr-ns-"
-	PolicyReportSource            = "kubewarden"
-	PropertyPolicyResourceVersion = "policy-resource-version"
+	policyReportSource            = "kubewarden"
+	propertyPolicyResourceVersion = "policy-resource-version"
 	PropertyPolicyUID             = "policy-uid"
 )
+
+const (
+	// Status specifies state of a policy result
+	statusPass  = "pass"
+	statusFail  = "fail"
+	statusWarn  = "warn"
+	statusError = "error"
+	statusSkip  = "skip"
+)
+
+const (
+	// Severity specifies severity of a policy result
+	severityCritical = "critical"
+	severityHigh     = "high"
+	severityMedium   = "medium"
+	severityLow      = "low"
+	severityInfo     = "info"
+)
+
+const (
+	// Category specifies the category of a policy result
+	typeMutating     = "mutating"
+	typeValidating   = "validating"
+	typeContextAware = "context-aware"
+	valueTypeTrue    = "true"
+)
+
+const (
+	labelAppManagedBy = "app.kubernetes.io/managed-by"
+	LabelApp          = "kubewarden"
+)