Skip to content

CMP-4040, CMP-4041: Add support for CEL based rules and profiles#14597

Open
yuumasato wants to merge 15 commits intoComplianceAsCode:masterfrom
yuumasato:add-cel-rules
Open

CMP-4040, CMP-4041: Add support for CEL based rules and profiles#14597
yuumasato wants to merge 15 commits intoComplianceAsCode:masterfrom
yuumasato:add-cel-rules

Conversation

@yuumasato
Copy link
Copy Markdown
Member

@yuumasato yuumasato commented Mar 24, 2026

Description:

  • Adds support for CEL based rules along with documentation and some tests
  • The CEL rules are supported by Compliance Operator, so they are limited to ocp4 product.

Rationale:

  • As we integrate and expand CEL content support for OpenShift with Compliance Operator, we would like to have these rules maintained and developed side by side with other similar security contents.

Review Hints:

  • Build OCP4 content and check the 'ocp4-cel-content.yaml' in the bulid directory.

@xiaojiey
Copy link
Copy Markdown
Collaborator

xiaojiey commented Mar 25, 2026

I verified PR #14597 and PR ComplianceAsCode/compliance-operator#1103 together. Generally it is good. The only problem is there is no COPY --from=builder /content/build/ocp4-cel-content.yaml . in the BuildConfig, I have to create a BuildConfig manually.
I failed to set up a kubevirt cluster today. Will continue verify the rules tomorrow.

1. ### Step 1: Build the Content Locally
# Build OCP4 product
./build_product ocp4
# Verify CEL content exists
ls -lh build/ocp4-cel-content.yaml
2. ###Step 2: build content image:
##2.1. Updated the BuildConfig (this is the code change):
$ oc apply -f - <<'EOF'
  apiVersion: build.openshift.io/v1
  kind: BuildConfig
  metadata:
    name: openscap-ocp4-ds
    namespace: openshift-compliance
  spec:
    output:
      to:
        kind: ImageStreamTag
        name: openscap-ocp4-ds:latest
    runPolicy: Serial
    source:
      dockerfile: |
        FROM registry.fedoraproject.org/fedora-minimal:38 as builder

        WORKDIR /content

        COPY . .

        RUN microdnf -y install cmake make git /usr/bin/python3 python3-pyyaml python3-jinja2 openscap-utils

        RUN ./build_product --debug ocp4 rhcos4

        FROM registry.access.redhat.com/ubi8/ubi-minimal
        WORKDIR /
        COPY --from=builder /content/build/ssg-ocp4-ds.xml .
        COPY --from=builder /content/build/ssg-rhcos4-ds.xml .
        COPY --from=builder /content/build/ocp4-cel-content.yaml .
      type: Dockerfile
    strategy:
      dockerStrategy:
        noCache: true
      type: Docker
    triggers:
    - type: ImageChange
  EOF

 ##2.2 Triggered a new build:

$ oc start-build openscap-ocp4-ds -n openshift-compliance --from-dir=.

3. ###Verified the image contains CEL content:

$ oc run -it --rm verify-cel \
    --image=image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds:latest \
    --restart=Never \
    -n openshift-compliance \
    -- ls -la /

4. ###Created ProfileBundle with CEL content:
$ oc apply -f - <<'EOF'
  apiVersion: compliance.openshift.io/v1alpha1
  kind: ProfileBundle
  metadata:
    name: ocp4-with-cel
    namespace: openshift-compliance
  spec:
    contentImage: image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds:latest
    contentFile: ssg-ocp4-ds.xml
    celContentFile: ocp4-cel-content.yaml
  EOF
5 ### Check the result:
$ oc get pb
NAME              CONTENTIMAGE                                                                                    CONTENTFILE         CELCONTENTFILE          STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest                                                      ssg-ocp4-ds.xml                             VALID
ocp4-with-cel     image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds:latest   ssg-ocp4-ds.xml     ocp4-cel-content.yaml   VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest                                                      ssg-rhcos4-ds.xml                           VALID
upstream-ocp4     openscap-ocp4-ds:latest                                                                         ssg-ocp4-ds.xml                             VALID
upstream-rhcos4   openscap-ocp4-ds:latest                                                                         ssg-rhcos4-ds.xml                           VALID
$ oc get rules -n openshift-compliance -o json | jq -r '.items[] | select(.scannerType == "CEL") | .metadata.name'e'
ocp4-with-cel-kubevirt-enforce-trusted-tls-registries
ocp4-with-cel-kubevirt-no-permitted-host-devices
ocp4-with-cel-kubevirt-no-vms-overcommitting-guest-memory
ocp4-with-cel-kubevirt-nonroot-feature-gate-is-enabled
ocp4-with-cel-kubevirt-persistent-reservation-disabled
$ oc get rules | grep kubevirt
ocp4-with-cel-kubevirt-enforce-trusted-tls-registries                                        7m7s
ocp4-with-cel-kubevirt-no-permitted-host-devices                                             7m7s
ocp4-with-cel-kubevirt-no-vms-overcommitting-guest-memory                                    7m7s
ocp4-with-cel-kubevirt-nonroot-feature-gate-is-enabled                                       7m7s
ocp4-with-cel-kubevirt-persistent-reservation-disabled                                       7m7s

@jan-cerny jan-cerny added the OpenShift OpenShift product related. label Mar 25, 2026
@Vincent056 Vincent056 mentioned this pull request Mar 25, 2026
Closed
3 tasks
@yuumasato
Copy link
Copy Markdown
Member Author

yuumasato commented Mar 25, 2026
edited
Loading

Thanks for the review @xiaojiey.

Hopefully I have addessed the BuildConfig issue in the last commit.
Regarding the kubevirt rules, there is no need to thoroughly test them now. They won't be shipped downstream yet.

@yuumasato yuumasato added this to the 0.1.81 milestone Mar 25, 2026
@xiaojiey
Copy link
Copy Markdown
Collaborator

xiaojiey commented Mar 26, 2026

@yuumasato Sorry, I forgot to highlight, there is one more need to be updated. The --datastream-only in ocp-resources/ds-build-remote.yaml need to be removed. Otherwise, the cel content file won't be included.
The good news is once the cel file included, the pb will be created correctly with the right CELCONTENTFILE, no need to patch any more.
################# with --datastream-only parameter

$ ./build_product ocp4
$ ./utils/build_ds_container.py -c -p
2026-03-26 10:29:01,458:INFO: Building content for ocp4, rhcos4
...
2026-03-26 10:32:23,395:INFO: Build status: Running
2026-03-26 10:32:27,162:INFO: Build status: Failed
$ oc get pod
NAME                                              READY   STATUS    RESTARTS        AGE
compliance-operator-54dd495bbb-wpn2b              1/1     Running   2 (8m50s ago)   8m54s
ocp4-openshift-compliance-pp-57d9c88555-5ccpv     1/1     Running   0               8m37s
openscap-ocp4-ds-1-build                          0/1     Error     0               7m54s
rhcos4-openshift-compliance-pp-5d6fb55f67-lchn6   1/1     Running   0               8m37s
$ oc logs pod/openscap-ocp4-ds-1-build --all-containers 
[2/2] STEP 5/7: COPY --from=builder /content/build/ocp4-cel-content.yaml .
error: build error: building at STEP "COPY --from=builder /content/build/ocp4-cel-content.yaml .": checking on sources under "/var/lib/containers/storage/overlay/c6192ee843a64e2ea122abce26db828840cf621dec559a2eecd0a71bd40d0f13/merged": copier: stat: "/content/build/ocp4-cel-content.yaml": no such file or directory

################# without --datastream-only parameter

$ git diff
diff --git a/ocp-resources/ds-build-remote.yaml b/ocp-resources/ds-build-remote.yaml
index 68764deb8e..5f6ee69916 100644
--- a/ocp-resources/ds-build-remote.yaml
+++ b/ocp-resources/ds-build-remote.yaml
@@ -25,7 +25,7 @@ spec:
 
       RUN microdnf -y install cmake make git /usr/bin/python3 python3-pyyaml python3-jinja2 openscap-utils
 
-      RUN ./build_product --datastream-only --debug ocp4 rhcos4
+      RUN ./build_product --debug ocp4 rhcos4
 
       FROM registry.access.redhat.com/ubi8/ubi-minimal
       WORKDIR /
$ ./utils/build_ds_container.py -c -p
2026-03-26 11:39:54,642:INFO: Building content for ocp4, rhcos4
...
2026-03-26 11:43:10,806:INFO: Build status: Running
2026-03-26 11:43:15,440:INFO: Your image is available at image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds
2026-03-26 11:43:19,447:INFO: Created profile bundles for ocp4, rhcos4
$ oc get pod
NAME                                                      READY   STATUS      RESTARTS      AGE
compliance-operator-54dd495bbb-wpn2b                      1/1     Running     2 (76m ago)   76m
ocp4-openshift-compliance-pp-57d9c88555-5ccpv             1/1     Running     0             76m
openscap-ocp4-ds-3-build                                  0/1     Completed   0             4m56s
rhcos4-openshift-compliance-pp-5d6fb55f67-lchn6           1/1     Running     0             76m
upstream-ocp4-openshift-compliance-pp-7f856fd4-2m8q2      1/1     Running     0             100s
upstream-rhcos4-openshift-compliance-pp-f7d968bc6-prwvg   1/1     Running     0             98s
$ oc get pb 
NAME              CONTENTIMAGE                                 CONTENTFILE         CELCONTENTFILE          STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml                             VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml                           VALID
upstream-ocp4     openscap-ocp4-ds:latest                      ssg-ocp4-ds.xml     ocp4-cel-content.yaml   VALID
upstream-rhcos4   openscap-ocp4-ds:latest                      ssg-rhcos4-ds.xml                           PENDING
$ oc get profiles -n openshift-compliance -o json | \
  jq -r '.items[] | select(.metadata.annotations["compliance.openshift.io/scanner-type"] == "CEL") | .metadata.name'
upstream-ocp4-cis-vm-extension
$ oc get rules -n openshift-compliance -o json | jq -r '.items[] | select(.scannerType == "CEL") | .metadata.name'
upstream-ocp4-kubevirt-enforce-trusted-tls-registries
upstream-ocp4-kubevirt-no-permitted-host-devices
upstream-ocp4-kubevirt-no-vms-overcommitting-guest-memory
upstream-ocp4-kubevirt-nonroot-feature-gate-is-enabled
upstream-ocp4-kubevirt-persistent-reservation-disabled
$ oc get profile upstream-ocp4-cis-vm-extension -o=jsonpath={.rules} | jq -r
[
  "upstream-ocp4-kubevirt-enforce-trusted-tls-registries",
  "upstream-ocp4-kubevirt-no-permitted-host-devices",
  "upstream-ocp4-kubevirt-no-vms-overcommitting-guest-memory",
  "upstream-ocp4-kubevirt-nonroot-feature-gate-is-enabled",
  "upstream-ocp4-kubevirt-persistent-reservation-disabled"
]

Vincent056
Vincent056 reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Vincent056 Vincent056 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the PR looks good, just some questions on formatting and templating.

Vincent056
Vincent056 reviewed Mar 26, 2026
View reviewed changes
@yuumasato
Copy link
Copy Markdown
Member Author

yuumasato commented Mar 27, 2026

@xiaojiey Thanks, instead of removing '--datastream-only' I have added a new parameter '--cel-content=ocp4'.
This way we don't unnecessarily build targets we don't need in our images.

@yuumasato yuumasato changed the title Add support for CEL based rules and profiles CMP-4040, CMP-4041: Add support for CEL based rules and profiles Mar 30, 2026
@xiaojiey
Copy link
Copy Markdown
Collaborator

xiaojiey commented Mar 30, 2026

@yuumasato Thanks for the update. Now with/without CEL profiles, the profiles can be created successfully.

$ ./build_product ocp4
$ ./utils/build_ds_container.py -c -p
2026-03-30 21:07:10,260:INFO: Building content for ocp4, rhcos4
...
2026-03-30 21:10:28,765:INFO: Build status: Running
2026-03-30 21:10:32,503:INFO: Build status: Running
2026-03-30 21:10:37,081:INFO: Your image is available at image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds
2026-03-30 21:10:41,313:INFO: Created profile bundles for ocp4, rhcos4
$ oc get pb
NAME              CONTENTIMAGE                                 CONTENTFILE         CELCONTENTFILE          STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml                             VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml                           VALID
upstream-ocp4     openscap-ocp4-ds:latest                      ssg-ocp4-ds.xml     ocp4-cel-content.yaml   VALID
upstream-rhcos4   openscap-ocp4-ds:latest                      ssg-rhcos4-ds.xml                           VALID
$ oc get profiles -n openshift-compliance -o json | \
  jq -r '.items[] | select(.metadata.annotations["compliance.openshift.io/scanner-type"] == "CEL") | .metadata.name'
upstream-ocp4-cis-vm-extension
$ oc get rules -n openshift-compliance -o json | jq -r '.items[] | select(.scannerType == "CEL") | .metadata.name'
upstream-ocp4-kubevirt-enforce-trusted-tls-registries
upstream-ocp4-kubevirt-no-permitted-host-devices
upstream-ocp4-kubevirt-no-vms-overcommitting-guest-memory
upstream-ocp4-kubevirt-nonroot-feature-gate-is-enabled
upstream-ocp4-kubevirt-persistent-reservation-disabled
$ oc get profile upstream-ocp4-cis-vm-extension -o=jsonpath={.rules} | jq -r
[
  "upstream-ocp4-kubevirt-enforce-trusted-tls-registries",
  "upstream-ocp4-kubevirt-no-permitted-host-devices",
  "upstream-ocp4-kubevirt-no-vms-overcommitting-guest-memory",
  "upstream-ocp4-kubevirt-nonroot-feature-gate-is-enabled",
  "upstream-ocp4-kubevirt-persistent-reservation-disabled"
]

@xiaojiey
Copy link
Copy Markdown
Collaborator

xiaojiey commented Mar 30, 2026

/retest

Mab879
Mab879 requested changes Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@Mab879 Mab879 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Please update shared/schemas as well.
  • Use underscoes to separate words, as this project follows the Python style.
    • scannerType -> scanner_type
    • checkType -> checkType
    • etc
  • The style guide needs to be updated as well for the new fields

@yuumasato yuumasato force-pushed the add-cel-rules branch 3 times, most recently from 9fde596 to 2772f94 Compare April 1, 2026 21:32
@yuumasato
Copy link
Copy Markdown
Member Author

yuumasato commented Apr 1, 2026

@Mab879 I have moved the CEL specific keys to its own file.

@xiaojiey
Copy link
Copy Markdown
Collaborator

xiaojiey commented Apr 2, 2026

/retest

@xiaojiey
Copy link
Copy Markdown
Collaborator

xiaojiey commented Apr 3, 2026

/test e2e-aws-openshift-node-compliance

Mab879
Mab879 requested changes Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for moving cel keys to the cel folder. Looks like the docs need to be updated.

.claude/CLAUDE.md
Run the following command:
<pre>$ oc get pods</pre>

failure_reason: |- # Optional: Custom failure message
Copy link
Copy Markdown
Member

@Mab879 Mab879 Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be moved to cel folder in the docs as well.

Copy link
Copy Markdown
Member Author

@yuumasato yuumasato Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Mab879 Not sure what you mean, the docs already mention failure_reason.
Do you mean that I should remove the example CEL rule from this file?

Copy link
Copy Markdown
Member

@Mab879 Mab879 Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see it in master? What am I missing?

$ git log | head -n 1
commit 8aa33003dd0b592890cc10dd721e7188f9aff1e7
$ rg failure_reason | wc -l
0

rhmdnd
rhmdnd reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@rhmdnd rhmdnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few comments inline (most can be addressed in follow ups). Primary questions are focused on the ergonomics of build_product.

applications/openshift-virtualization/kubevirt-no-permitted-host-devices/cel/shared.yml
- name: hcoList
kubernetes_input_spec:
api_version: hco.kubevirt.io/v1beta1
resource: hyperconvergeds
Copy link
Copy Markdown
Collaborator

@rhmdnd rhmdnd Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

followup: could add resource_name and resource_namespace here to simplify the filter (lines 11 - 12) below.

Copy link
Copy Markdown
Member Author

@yuumasato yuumasato Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rhmdnd Are you okay doing in another PR?

applications/openshift-virtualization/kubevirt-nonroot-feature-gate-is-enabled/cel/shared.yml
- name: hcoList
kubernetes_input_spec:
api_version: hco.kubevirt.io/v1beta1
resource: hyperconvergeds
Copy link
Copy Markdown
Collaborator

@rhmdnd rhmdnd Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

followup: could add resource_name and resource_namespace here to simplify the filter (lines 11 - 12) below.

applications/openshift-virtualization/kubevirt-persistent-reservation-disabled/cel/shared.yml
- name: hcoList
kubernetes_input_spec:
api_version: hco.kubevirt.io/v1beta1
resource: hyperconvergeds
Copy link
Copy Markdown
Collaborator

@rhmdnd rhmdnd Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

followup: could add resource_name and resource_namespace here to simplify the filter (lines 11 - 12) below.

...ications/openshift-virtualization/kubevirt-no-vms-overcommitting-guest-memory/cel/shared.yml
- name: vms
kubernetes_input_spec:
api_version: kubevirt.io/v1
resource: VirtualMachine
Copy link
Copy Markdown
Collaborator

@rhmdnd rhmdnd Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

followup: virtualmachine to be consistent with the case used in the other rules (hyperconvergeds)

build-scripts/build_cel_content.py
# A rule uses CEL if it has both expression and inputs
# (loaded from cel/shared.yml during rule compilation)
has_expression = hasattr(rule, 'expression') and rule.expression
has_inputs = hasattr(rule, 'inputs') and rule.inputs
Copy link
Copy Markdown
Collaborator

@rhmdnd rhmdnd Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aha - so this is the part that makes it so we don't need a scanner-type attribute in the rule?

Copy link
Copy Markdown
Member Author

@yuumasato yuumasato Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, when these fields are present, the build system knows that it has support for CEL.

build_product
# ARG_OPTIONAL_BOOLEAN([bash-scripts],[],[Build Bash remediation scripts for every profile],[on])
# ARG_OPTIONAL_BOOLEAN([datastream-only],[d],[Build the data stream only. Do not build any of the guides, tables, etc],[off])
# ARG_OPTIONAL_ACTION([datastream],[],[Build the data stream. Do not build any of the guides, tables, etc])
# ARG_OPTIONAL_SINGLE([cel-content],[],[Product(s) to build CEL content for (comma-separated)],[off])
Copy link
Copy Markdown
Collaborator

@rhmdnd rhmdnd Apr 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The datastream-only and datastream arguments are specific to SCAP, and we're adding another variant that essentially does something similar with a new format (cel-content).

I wonder if we need something more generic to allow for better ergonomics?

# build it all (cel, scap datastreams, guides, tables)
$ build_project ...

# equivalent to legacy --datastream-only (but without two arguments for specifying datastream)
$ build_project --output-implementations scap

# only build CEL content
$ build_project --output-implementations cel

jan-cerny
jan-cerny reviewed Apr 7, 2026
View reviewed changes
.claude/CLAUDE.md
```

**Note:**
- Profiles use `scanner_type: CEL` to indicate they target the CEL checking engine and should be excluded from XCCDF/datastream builds.
Copy link
Copy Markdown
Collaborator

@jan-cerny jan-cerny Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What determines if a rule is included in CEL and if it's included in XCCDF? Is that determined by rule presence in profiles?

Copy link
Copy Markdown
Member Author

@yuumasato yuumasato Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All CEL rules loaded are included in the cel-content.yaml.
https://github.com/ComplianceAsCode/content/pull/14597/changes#diff-ce6393057aed5d58cf51f7e13532a07ec0063429a773d3e177e5eabfefe305a7R364

applications/openshift-virtualization/kubevirt-enforce-trusted-tls-registries/rule.yml
Comment on lines +27 to +29
ocil_clause: 'insecure registries are configured'

ocil: |-
Copy link
Copy Markdown
Collaborator

@jan-cerny jan-cerny Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the benefit of having OCIL in a CEL rule? Should the OCIL be present in CEL rules?

Copy link
Copy Markdown
Member Author

@yuumasato yuumasato Apr 13, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When consuming the data stream, Compliance Operator exposes the OCIL as intructions on how to manually check the rule.

I just used the same input field ocil, in the output the CEL content has a field named instructions.
I could rename this to instructions, but keeping it as ocil is backwards compatible and won't cause problems when we start to migrate the rules in application/openshift to CEL.

@yuumasato
Add CEL CustomRules from CO
5c7c725
@yuumasato
Add a profile for CIS OCP VM Extension v1.0.0
9ec0ffe 
We expect this profile to exclusively leverage the CEL rules.
yuumasato added 13 commits April 13, 2026 14:20
@yuumasato
Add support for building CEL content
1b24d30 
Add a new build-script along with a new output type that builds the CEL
rules into the yaml that can be loaded by Compliance Operator.
@yuumasato
Add tests for the CEL build-script
f5ae297
@yuumasato
Document CEL Rules and its usage
3223dd7
@yuumasato
Include and ship the CEL content file
d3e1455 
Copies the CEL content file to the content images.
@yuumasato
Include CEL content in PBs created by build_ds_container.py
a6fa372
@yuumasato
Implement parameter to build cel-content
3d28f8e 
Adds --cel-content parameter that takes a comma separated list of
products to build cel-content for.

Add the new parameter with OCP4 product where it makes sense.
@yuumasato
Add --datastream parameter to build datastreams
840d405 
With addition of '--cel-content' as an option to build CEL content.
And with it being additional to data stream builds, having
'--datastream-only' parameter feels weird.

This add '--datastream' so that we can move away from
'--datastream-only' and be more consistent.
@yuumasato
Adjust CEL Rules keys to snake case
f2fda3a
@yuumasato
Document CEL rules in json schema
68a64e2
@yuumasato
Improve docs and style guides with CEL rules info
56c18e2
@yuumasato
Remove nonsensical --no-datastream option
58619f0 
Keep only the --datastream option, which builds the CMake target that
generates the data stream files, in addition to any other target defined
during script invocation.
@yuumasato
Move the CEL fields out of the rule.yml
14e70cb 
Keeps the fields pertainint to CEL scanning engine separate from the
rule.yml, which can remain agnostic.
This facilitates the implementation of templates later on.

'scanner_type' is completely removed from rules, and inferred by
presence of 'cel' directory or presence of 'expression' and 'input'
keys.
@yuumasato
build_product: Set --datastream-only as deprecated
751a5cc 
Prefer the --datastream option that accommodates the use of
--cel-content argument.
@yuumasato yuumasato requested review from Mab879 and jan-cerny April 13, 2026 12:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Vincent056 Vincent056 Vincent056 left review comments

@rhmdnd rhmdnd rhmdnd left review comments

@xiaojiey xiaojiey Awaiting requested review from xiaojiey

@Anna-Koudelkova Anna-Koudelkova Awaiting requested review from Anna-Koudelkova

@matusmarhefka matusmarhefka Awaiting requested review from matusmarhefka matusmarhefka is a code owner

@vojtapolasek vojtapolasek Awaiting requested review from vojtapolasek vojtapolasek is a code owner

@ggbecker ggbecker Awaiting requested review from ggbecker ggbecker is a code owner

@marcusburghardt marcusburghardt Awaiting requested review from marcusburghardt marcusburghardt is a code owner

@jan-cerny jan-cerny Awaiting requested review from jan-cerny jan-cerny is a code owner

@Mab879 Mab879 Awaiting requested review from Mab879 Mab879 is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

OpenShift OpenShift product related.

Projects

None yet

Milestone

0.1.81

Development

Successfully merging this pull request may close these issues.

6 participants

@yuumasato @xiaojiey @Mab879 @jan-cerny @Vincent056 @rhmdnd