aquasecurity
diff --git a/‎.github/workflows/verify-docs.yaml‎
Lines changed: 0 additions & 25 deletions b/‎.github/workflows/verify-docs.yaml‎
Lines changed: 0 additions & 25 deletions
diff --git a/‎.github/workflows/verify.yaml‎
Lines changed: 44 additions & 0 deletions b/‎.github/workflows/verify.yaml‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 5 additions & 0 deletions b/‎Makefile‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎cmd/genspec/main.go‎
Lines changed: 97 additions & 0 deletions b/‎cmd/genspec/main.go‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 19 additions & 20 deletions b/‎go.mod‎
Lines changed: 19 additions & 20 deletions
@@ -0,0 +1,44 @@
+name: Verify Docs and Specs
+
+on:
+  pull_request:
+  merge_group:
+
+env:
+  GO_VERSION: "1.24"
+
+jobs:
+  verify-docs:
+    name: Verify Docs
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - run: |
+          make docs
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'make docs' and push it"
+            exit 1
+          fi
+
+  verify-specs:
+    name: Verify Specs
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Generate specification files
+        run: |
+          make genspec
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Run 'make genspec' and push it"
+            exit 1
+          fi
@@ -93,3 +93,8 @@ push-bundle: create-bundle
 		$$REPO \
 		 --artifact-type application/vnd.cncf.openpolicyagent.config.v1+json \
 		"$(BUNDLE_FILE):application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip"
+
+.PHONY: genspec
+# Generate specification files
+genspec:
+	go run ./cmd/genspec
@@ -0,0 +1,97 @@
+package main
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"gopkg.in/yaml.v3"
+
+	"github.com/aquasecurity/trivy-checks/pkg/rego/metadata"
+	"github.com/aquasecurity/trivy/pkg/iac/framework"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+	"github.com/samber/lo"
+)
+
+const complianceDirPath = "pkg/compliance/"
+
+var specs = map[framework.Framework]*iacTypes.Spec{
+	framework.CIS_AWS_1_2: {
+		ID:          "aws-cis-1.2",
+		Title:       "AWS CIS Foundations v1.2",
+		Description: "AWS CIS Foundations",
+		Version:     "1.2",
+		Platform:    "aws",
+		Type:        "cis",
+		RelatedResources: []string{
+			"https://www.cisecurity.org/benchmark/amazon_web_services",
+		},
+	},
+	framework.CIS_AWS_1_4: {
+		ID:          "aws-cis-1.4",
+		Title:       "AWS CIS Foundations v1.4",
+		Description: "AWS CIS Foundations",
+		Version:     "1.4",
+		Platform:    "aws",
+		Type:        "cis",
+		RelatedResources: []string{
+			"https://www.cisecurity.org/benchmark/amazon_web_services",
+		},
+	},
+}
+
+func main() {
+	frameworks := make([]framework.Framework, 0, len(specs))
+	for f := range specs {
+		frameworks = append(frameworks, f)
+	}
+
+	for _, meta := range lo.Must(metadata.LoadDefaultChecksMetadata()) {
+		for f, controlIDs := range meta.Frameworks() {
+			if f == "default" {
+				continue
+			}
+
+			ff := framework.Framework(f)
+			spec, exists := specs[ff]
+			if !exists {
+				log.Printf("Unknown framework: %s", f)
+				continue
+			}
+
+			for _, id := range controlIDs {
+				spec.Controls = append(spec.Controls, iacTypes.Control{
+					ID:          id,
+					Name:        lo.LastOrEmpty(meta.Aliases()),
+					Description: meta.Title,
+					Severity:    iacTypes.Severity(meta.Severity()),
+					Checks:      []iacTypes.SpecCheck{{ID: meta.ID()}},
+				})
+			}
+		}
+	}
+
+	for _, spec := range specs {
+		sort.Slice(spec.Controls, func(i, j int) bool {
+			return strings.Compare(spec.Controls[i].ID, spec.Controls[j].ID) < 0
+		})
+	}
+
+	for _, c := range specs {
+		lo.Must0(writeCompliance(c, complianceDirPath))
+	}
+}
+
+func writeCompliance(spec *iacTypes.Spec, path string) error {
+	file, err := os.Create(filepath.Join(path, fmt.Sprintf("%s.yaml", spec.ID)))
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	encoder := yaml.NewEncoder(file)
+	encoder.SetIndent(2)
+	return encoder.Encode(iacTypes.ComplianceSpec{Spec: *spec})
+}
@@ -4,19 +4,19 @@ go 1.24.4
 
 require (
 	github.com/aquasecurity/trivy v0.61.1-0.20250407075540-f1329c7ea1aa
-	github.com/aws-cloudformation/rain v1.23.0
+	github.com/aws-cloudformation/rain v1.23.1
 	github.com/docker/docker v28.2.2+incompatible
-	github.com/hashicorp/hcl/v2 v2.23.0
-	github.com/open-policy-agent/opa v1.5.1
+	github.com/hashicorp/hcl/v2 v2.24.0
+	github.com/open-policy-agent/opa v1.6.0
 	github.com/owenrumney/squealer v1.2.11
 	github.com/samber/lo v1.51.0
 	github.com/stretchr/testify v1.10.0
-	github.com/testcontainers/testcontainers-go v0.37.1-0.20250602105123-1720acdcb24e
-	github.com/testcontainers/testcontainers-go/modules/registry v0.37.0
+	github.com/testcontainers/testcontainers-go v0.38.0
+	github.com/testcontainers/testcontainers-go/modules/registry v0.38.0
 	github.com/xeipuuv/gojsonschema v1.2.0
-	golang.org/x/text v0.26.0
+	golang.org/x/text v0.27.0
 	gopkg.in/yaml.v3 v3.0.1
-	mvdan.cc/sh/v3 v3.11.0
+	mvdan.cc/sh/v3 v3.12.0
 )
 
 require (
@@ -34,6 +34,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
@@ -53,7 +54,7 @@ require (
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/ebitengine/purego v0.8.2 // indirect
+	github.com/ebitengine/purego v0.8.4 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -70,13 +71,11 @@ require (
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
-	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/flatbuffers v25.2.10+incompatible // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gookit/color v1.5.4 // indirect
-	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -120,7 +119,7 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/sagikazarmark/locafero v0.7.0 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
-	github.com/shirou/gopsutil/v4 v4.25.4 // indirect
+	github.com/shirou/gopsutil/v4 v4.25.5 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
@@ -133,7 +132,7 @@ require (
 	github.com/tchap/go-patricia/v2 v2.3.2 // indirect
 	github.com/tklauser/go-sysconf v0.3.13 // indirect
 	github.com/tklauser/numcpus v0.7.0 // indirect
-	github.com/vektah/gqlparser/v2 v2.5.26 // indirect
+	github.com/vektah/gqlparser/v2 v2.5.28 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@@ -144,26 +143,26 @@ require (
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
 	go.opentelemetry.io/otel v1.36.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.36.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.36.0 // indirect
 	go.opentelemetry.io/otel/metric v1.36.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
 	go.opentelemetry.io/otel/trace v1.36.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.6.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.39.0 // indirect
 	golang.org/x/mod v0.25.0 // indirect
 	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/term v0.32.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
 	golang.org/x/tools v0.34.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
 	google.golang.org/grpc v1.72.2 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect