SUB-2768 - add delete / review paths (#517)

Signed-off-by: YiscahLevySilas1 <yiscahls@armosec.io>
Co-authored-by: Yuval Leibovich <89763818+yuleib@users.noreply.github.com>

rules/exposure-to-internet/raw.rego

@@ -22,6 +22,7 @@ deny[msga] {
         },
         "relatedObjects": [{
             "object": service,
+		    "reviewPaths": failPath,
             "failedPaths": failPath,
         }]
     }
@@ -56,6 +57,7 @@ deny[msga] {
         },
         "relatedObjects": [{
             "object": ingress,
+		    "reviewPaths": result,
             "failedPaths": result,
         }]
     }

rules/has-image-signature/raw.rego

@@ -14,6 +14,7 @@ deny[msga] {
 		"alertMessage": sprintf("image: %v is not signed", [ container.image]),
 		"alertScore": 7,
 		"fixPaths": [],
+		"reviewPaths": [failedPath],
 		"failedPaths": [failedPath],
 		"packagename": "armo_builtins",
 		"alertObject": {
@@ -37,6 +38,7 @@ deny[msga] {
 		"alertMessage": sprintf("image: %v is not signed", [ container.image]),
 		"alertScore": 7,
 		"fixPaths": [],
+		"reviewPaths": [failedPath],
 		"failedPaths": [failedPath],
 		"packagename": "armo_builtins",
 		"alertObject": {
@@ -59,6 +61,7 @@ deny[msga] {
 		"alertMessage": sprintf("image: %v is not signed", [ container.image]),
 		"alertScore": 7,
 		"fixPaths": [],
+		"reviewPaths": [failedPath],
 		"failedPaths": [failedPath],
 		"packagename": "armo_builtins",
 		"alertObject": {

rules/horizontalpodautoscaler-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/host-network-access/raw.rego

@@ -10,6 +10,7 @@ deny[msga] {
     msga := {
 	"alertMessage": sprintf("Pod: %v is connected to the host network", [pod.metadata.name]),
 		"alertScore": 9,
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"fixPaths":[],
 		"packagename": "armo_builtins",
@@ -28,6 +29,7 @@ deny[msga] {
     msga := {
 	"alertMessage": sprintf("%v: %v has a pod connected to the host network", [wl.kind, wl.metadata.name]),
 		"alertScore": 9,
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"fixPaths":[],
 		"packagename": "armo_builtins",
@@ -46,6 +48,7 @@ deny[msga] {
     msga := {
 	"alertMessage": sprintf("CronJob: %v has a pod connected to the host network", [wl.metadata.name]),
 		"alertScore": 9,
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"fixPaths":[],
 		"packagename": "armo_builtins",

rules/ingress-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/insecure-port-flag/raw.rego

@@ -13,6 +13,7 @@ deny[msga] {
 		"alertMessage": sprintf("The API server container: %v has insecure-port flag enabled", [ container.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"reviewPaths": [path],
 		"failedPaths": [path],
 		"fixPaths": [],
 		"alertObject": {

rules/k8s-audit-logs-enabled-native-cis/raw.rego

@@ -13,6 +13,7 @@ deny[msga] {
 		"alertMessage": "audit logs are not enabled",
 		"alertScore": 5,
 		"packagename": "armo_builtins",
+		"reviewPaths": [path],
 		"failedPaths": [path],
 		"fixPaths": [],
 		"alertObject": {"k8sApiObjects": [obj]},

rules/k8s-audit-logs-enabled-native/raw.rego

@@ -15,6 +15,7 @@ deny[msga] {
 		"alertMessage": "audit logs is not enabled",
 		"alertScore": 9,
 		"packagename": "armo_builtins",
+		"reviewPaths": [path],
 		"failedPaths": [path],
 		"fixPaths": [],
 		"alertObject": {

rules/kubelet-authorization-mode-alwaysAllow/raw.rego

@@ -43,6 +43,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": "Anonymous requests are enabled",
 		"alertScore": 10,
+		"reviewPaths": ["authorization.mode"],
 		"failedPaths": ["authorization.mode"],
 		"fixPaths": [],
 		"packagename": "armo_builtins",

rules/kubelet-event-qps/raw.rego

@@ -22,6 +22,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": "Value of the eventRecordQPS argument is set to 0",
 		"alertScore": 2,
+		"reviewPaths": ["eventRecordQPS"],
 		"failedPaths": ["eventRecordQPS"],
 		"fixPaths": [],
 		"packagename": "armo_builtins",

rules/kubelet-ip-tables/raw.rego

@@ -41,6 +41,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": "Property makeIPTablesUtilChains is not set to true",
 		"alertScore": 3,
+		"reviewPaths": ["makeIPTablesUtilChains"],
 		"failedPaths": ["makeIPTablesUtilChains"],
 		"fixPaths": [],
 		"packagename": "armo_builtins",

rules/kubelet-protect-kernel-defaults/raw.rego

@@ -41,6 +41,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": "Property protectKernelDefaults is not set to true",
 		"alertScore": 2,
+		"reviewPaths": ["protectKernelDefaults"],
 		"failedPaths": ["protectKernelDefaults"],
 		"fixPaths": [],
 		"packagename": "armo_builtins",

rules/kubelet-rotate-certificates/raw.rego

@@ -41,6 +41,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": "Kubelet client certificates rotation is disabled",
 		"alertScore": 6,
+		"reviewPaths": ["rotateCertificates"],
 		"failedPaths": ["rotateCertificates"],
 		"fixPaths": [],
 		"packagename": "armo_builtins",

rules/kubelet-streaming-connection-idle-timeout/raw.rego

@@ -41,6 +41,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": "Timeouts on streaming connections are enabled",
 		"alertScore": 3,
+		"reviewPaths": ["streamingConnectionIdleTimeout"],
 		"failedPaths": ["streamingConnectionIdleTimeout"],
 		"fixPaths": [],
 		"packagename": "armo_builtins",

rules/kubelet-strong-cryptography-ciphers/raw.rego

@@ -44,6 +44,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": "Kubelet is not configured to only use strong cryptographic ciphers",
 		"alertScore": 5,
+		"reviewPaths": ["TLSCipherSuites"],
 		"failedPaths": ["TLSCipherSuites"],
 		"fixPaths": [],
 		"packagename": "armo_builtins",

rules/lease-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/non-root-containers/raw.rego

@@ -17,6 +17,7 @@ deny[msga] {
 		"alertMessage": sprintf("container: %v in pod: %v  may run as root", [container.name, pod.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
         "fixPaths": fixPath,
 		"alertObject": {
@@ -40,6 +41,7 @@ deny[msga] {
 		"alertMessage": sprintf("container :%v in %v: %v may run as root", [container.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
         "fixPaths": fixPath,
 		"alertObject": {
@@ -64,6 +66,7 @@ deny[msga] {
 		"alertMessage": sprintf("container :%v in %v: %v  may run as root", [container.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
         "fixPaths": fixPath,
 		"alertObject": {

rules/persistentvolumeclaim-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/poddisruptionbudget-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/podtemplate-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/psp-deny-allowed-capabilities/raw.rego

@@ -19,6 +19,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("PodSecurityPolicy: '%v' has allowedCapabilities.", [psp.metadata.name]),
 		"packagename": "armo_builtins",
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"fixPaths": [],
 		"alertObject": {"k8sApiObjects": [psp]},

rules/psp-deny-allowprivilegeescalation/raw.rego

@@ -19,6 +19,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("PodSecurityPolicy: '%v' has allowPrivilegeEscalation set as true.", [psp.metadata.name]),
 		"packagename": "armo_builtins",
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"fixPaths": [],
 		"alertObject": {"k8sApiObjects": [psp]},

rules/psp-deny-hostipc/raw.rego

@@ -19,6 +19,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("PodSecurityPolicy: '%v' has hostIPC set as true.", [psp.metadata.name]),
 		"packagename": "armo_builtins",
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"fixPaths": [],
 		"alertObject": {"k8sApiObjects": [psp]},

rules/psp-deny-hostnetwork/raw.rego

@@ -19,6 +19,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("PodSecurityPolicy: '%v' has hostNetwork set as true.", [psp.metadata.name]),
 		"packagename": "armo_builtins",
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"fixPaths": [],
 		"alertObject": {"k8sApiObjects": [psp]},

rules/psp-deny-hostpid/raw.rego

@@ -19,6 +19,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("PodSecurityPolicy: '%v' has hostPID set as true.", [psp.metadata.name]),
 		"packagename": "armo_builtins",
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"fixPaths": [],
 		"alertObject": {"k8sApiObjects": [psp]},

rules/psp-deny-privileged-container/raw.rego

@@ -19,6 +19,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("PodSecurityPolicy: '%v' has privileged set as true.", [psp.metadata.name]),
 		"packagename": "armo_builtins",
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"fixPaths": [],
 		"alertObject": {"k8sApiObjects": [psp]},

rules/psp-deny-root-container/raw.rego

@@ -19,6 +19,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("PodSecurityPolicy: '%v' permits containers to run as the root user.", [psp.metadata.name]),
 		"packagename": "armo_builtins",
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"fixPaths": [],
 		"alertObject": {"k8sApiObjects": [psp]},

rules/psp-enabled-native/raw.rego

@@ -14,6 +14,7 @@ deny[msga] {
 		"alertMessage": "PodSecurityPolicy is not enabled",
 		"alertScore": 9,
 		"packagename": "armo_builtins",
+		"reviewPaths": [path],
 		"failedPaths": [path],
 		"fixPaths": [],
 		"alertObject": {

rules/rbac-enabled-cloud/raw.rego

@@ -12,6 +12,7 @@ deny[msga] {
 		"alertMessage": "rbac is not enabled",
 		"alertScore": 3,
 		"packagename": "armo_builtins",
+		"reviewPaths": ["data.properties.enableRBAC"],
 		"failedPaths": ["data.properties.enableRBAC"],
 		"fixCommand": "",
 		"fixPaths": [],

rules/rbac-enabled-native/raw.rego

@@ -14,6 +14,7 @@ deny[msga] {
 		"alertMessage": "RBAC is not enabled",
 		"alertScore": 9,
 		"packagename": "armo_builtins",
+		"reviewPaths": [path],
 		"failedPaths": [path],
 		"fixPaths": [],
 		"alertObject": {

rules/read-only-port-enabled-updated/raw.rego

@@ -43,6 +43,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": "kubelet read-only port is not disabled",
 		"alertScore": 4,
+		"reviewPaths": ["readOnlyPort"],
 		"failedPaths": ["readOnlyPort"],
 		"fixPaths": [],
 		"packagename": "armo_builtins",

rules/replicationcontroller-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/resources-cpu-limit-and-request/raw.rego

@@ -87,6 +87,7 @@ deny[msga] {
 		"alertMessage": sprintf("Container: %v exceeds CPU-limit or request", [ container.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"reviewPaths": [failed_paths],
 		"failedPaths": [failed_paths],
 		"fixPaths": [],
 		"alertObject": {
@@ -112,6 +113,7 @@ deny[msga] {
 		"alertMessage": sprintf("Container: %v in %v: %v exceeds CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"reviewPaths": [failed_paths],
 		"failedPaths": [failed_paths],
 		"fixPaths": [],
 		"alertObject": {
@@ -136,6 +138,7 @@ deny[msga] {
 		"alertMessage": sprintf("Container: %v in %v: %v exceeds CPU-limit or request", [ container.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"reviewPaths": [failed_paths],
 		"failedPaths": [failed_paths],
 		"fixPaths": [],
 		"alertObject": {

rules/resources-memory-limit-and-request/raw.rego

@@ -86,6 +86,7 @@ deny[msga] {
 		"alertMessage": sprintf("Container: %v exceeds memory-limit or request", [container.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"reviewPaths": [failed_paths],
 		"failedPaths": [failed_paths],
 		"fixPaths": [],
 		"alertObject": {"k8sApiObjects": [pod]},
@@ -109,6 +110,7 @@ deny[msga] {
 		"alertMessage": sprintf("Container: %v in %v: %v exceeds memory-limit or request", [container.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"reviewPaths": [failed_paths],
 		"failedPaths": [failed_paths],
 		"fixPaths": [],
 		"alertObject": {"k8sApiObjects": [wl]},
@@ -131,6 +133,7 @@ deny[msga] {
 		"alertMessage": sprintf("Container: %v in %v: %v exceeds memory-limit or request", [container.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"reviewPaths": [failed_paths],
 		"failedPaths": [failed_paths],
 		"fixPaths": [],
 		"alertObject": {"k8sApiObjects": [wl]},

rules/resources-secret-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/role-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/rolebinding-in-default-namespace/raw.rego

@@ -9,6 +9,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 3,
+		"reviewPaths": failed_path,
 		"failedPaths": failed_path,
 		"fixPaths": fixed_path,
 		"alertObject": {

rules/rule-access-dashboard-subject-v1/raw.rego

@@ -19,6 +19,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("Subject: %v-%v is bound to dashboard role/clusterrole", [subjectVector.kind, subjectVector.name]),
 		"alertScore": 9,
+		"reviewPaths": finalpath,
 		"failedPaths": finalpath,
 		"fixPaths": [],
 		"packagename": "armo_builtins",