Basis of categorizing checks as default and non-default

[ijewelmas]

Hello,

Can you please help me understand the basis upon which checks(used by this tool to check for misconfigurations) are classified as default and non-default ?
I understand that there are a total of 47 checks, 23 checks are enabled by default and the rest are not (until the --add-all-built-in param is passed), just it scratches my head trying to understand the basis of this categorization.

It would be great if someone could suggest the basis of this categorization.

Many thanks in advance !

[janisz]

Unfortunately I can't answer this question but my feeling is the goal for a tool that is easy to use and includes built-in checks that cover the most common use cases and follow industry security standards. In the future, we may consider migrating from "default" checks to explicitly enabled checks. However, for now, we need to maintain backward compatibility by keeping the default checks.

Maybe we should put checks into categories or add tags (like golangci-lint does) so organization will be cleaner and more obvious.