remove evidence field from CIS GCP #3429

Open
wants to merge 2 commits into base: main

Conversation

@orouz (Collaborator) commented Jul 2, 2025

Summary of your changes

This PR removes the result.evidence field from all CIS GCP rules by omitting it from the Rego rules. The motivation for this is to reduce raw findings size. Regardless, as seen in the changed files, the majority of the rules already send the entire resource as the evidence, and since that resource is already available as resource.raw we can just point to it in Kibana instead of duplicating it.

Findings count and size were checked with:

  • POST logs-cloud_security_posture.findings-default/_count
  • GET _cat/indices/logs-cloud_security_posture.findings-default?v&h=index,store.size

          before (main)   after
  count   1322            1322
  size    1126.4kb        914.3kb

This makes the default findings index about 18.83% smaller.


mergify bot commented Jul 2, 2025

This pull request does not have a backport label. Could you fix it @orouz? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v\d.\d.\d is the label to automatically backport to the 8.\d branch. \d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@mergify mergify bot assigned orouz Jul 2, 2025
common.calculate_result(has_cusomter_encrypted_key),
data_adapter.resource,
)
result := common.generate_evaluation_result(common.calculate_result(has_cusomter_encrypted_key))
}
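Review bot: the variable `has_cusomter_encrypted_key` on both the removed `common.calculate_result(has_cusomter_encrypted_key),` line and the new `result := common.generate_evaluation_result(common.calculate_result(has_cusomter_encrypted_key))` line misspells "customer"; since this line is being rewritten anyway, rename it to `has_customer_encrypted_key` here and at its definition rather than carrying the typo into the new call.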
@orouz (Collaborator, Author) commented:

This is the common theme in this PR: replace generate_result_without_expected with generate_evaluation_result, which results in sending an object with just the evaluation field instead of one including evidence too.

@orouz orouz marked this pull request as ready for review July 7, 2025 07:56
@orouz orouz requested a review from a team as a code owner July 7, 2025 07:56
@orouz orouz requested a review from uri-weisman July 7, 2025 07:57
@uri-weisman (Contributor) left a comment:

LGTM 🚀

  1. Before merging please verify that this PR didn't change the number of failed/passed findings for the same dataset.
  2. Merge is blocked on the corresponding Kibana PR.

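The two checks a reviewer wants here are the ones the thread itself names: that result.evidence really was a copy of resource.raw for the rules it is dropped from, and that dropping it leaves the count of passed/failed findings for the same dataset unchanged. The script below is an added example, not code from the cloudbeat project or this PR; it runs offline on a constructed set of findings documents. It assumes the findings shape only as far as the page describes it (resource.raw, result.evaluation, result.evidence); the rule ids, resource contents and the rule.id / resource.id field names are illustrative assumptions. It also reports which rules sent something other than the whole resource as evidence, since those are the ones whose evidence is not recoverable from resource.raw in Kibana.

```python
import json
from collections import Counter

# Constructed sample findings (not real cloudbeat output). Only resource.raw,
# result.evaluation and result.evidence come from the PR description; rule.id,
# resource.id and the GCP resource contents are assumptions for illustration.
SAMPLE_FINDINGS = [
    {
        "rule": {"id": "cis_gcp_1_1"},
        "resource": {"id": "proj-a/key-1",
                     "raw": {"name": "key-1", "kmsKeyName": "projects/p/locations/l/keyRings/r/cryptoKeys/k"}},
        # evidence is an exact copy of resource.raw: the common case the PR describes
        "result": {"evaluation": "passed",
                   "evidence": {"name": "key-1", "kmsKeyName": "projects/p/locations/l/keyRings/r/cryptoKeys/k"}},
    },
    {
        "rule": {"id": "cis_gcp_1_1"},
        "resource": {"id": "proj-a/key-2", "raw": {"name": "key-2", "kmsKeyName": None}},
        "result": {"evaluation": "failed", "evidence": {"name": "key-2", "kmsKeyName": None}},
    },
    {
        "rule": {"id": "cis_gcp_2_3"},
        "resource": {"id": "proj-a/bucket-1", "raw": {"name": "bucket-1", "iam": {"bindings": []}}},
        # evidence is only a sub-object of the resource: not a plain duplicate
        "result": {"evaluation": "passed", "evidence": {"bindings": []}},
    },
]


def evidence_duplicates_raw(finding):
    """True when result.evidence is structurally identical to resource.raw."""
    return finding["result"].get("evidence") == finding["resource"]["raw"]


def drop_evidence(finding):
    """Return a deep copy of the finding without result.evidence (what the Rego change does)."""
    out = json.loads(json.dumps(finding))
    out["result"].pop("evidence", None)
    return out


def evaluation_counts(findings):
    """Passed/failed tally, the invariant the reviewer asked to verify."""
    return Counter(f["result"]["evaluation"] for f in findings)


def serialized_size(findings):
    """Bytes of compact JSON, a stand-in for the index store.size comparison."""
    return sum(len(json.dumps(f, separators=(",", ":")).encode()) for f in findings)


def summarize(before):
    """Compare a findings set against the same set with result.evidence removed."""
    after = [drop_evidence(f) for f in before]
    return {
        "count_before": len(before),
        "count_after": len(after),
        "evaluations_before": dict(evaluation_counts(before)),
        "evaluations_after": dict(evaluation_counts(after)),
        # rules whose evidence was not a copy of resource.raw lose data with this change
        "non_duplicate_evidence": sorted({f["rule"]["id"] for f in before if not evidence_duplicates_raw(f)}),
        "size_before": serialized_size(before),
        "size_after": serialized_size(after),
    }


def reduction_pct(summary):
    """Size reduction in percent, same arithmetic as the PR's 18.83% figure."""
    return round(100 * (summary["size_before"] - summary["size_after"]) / summary["size_before"], 2)


if __name__ == "__main__":
    s = summarize(SAMPLE_FINDINGS)
    print(json.dumps(s, indent=2))
    print(f"reduction: {reduction_pct(s)}%")
```

Against a real export, replace SAMPLE_FINDINGS with the _source documents of the findings index taken before and after the rule change; the counts and evaluation tallies must match exactly, and any rule id listed under non_duplicate_evidence deserves a second look before its evidence is dropped.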
@uri-weisman (Contributor) commented:

@orouz should it be backported to 9.1.0?

@orouz (Collaborator, Author) commented Jul 9, 2025

@orouz should it be backported to 9.1.0?

Generally speaking, yeah. But that's on June 24, which isn't so far from now, and I'm waiting to see the customer feedback before merging this to main or any backports.

@olegsu (Collaborator) commented Jul 21, 2025

Should it also be backported to 9.x?

@uri-weisman (Contributor) commented:

@olegsu

Should it also be backported to 9.x?

We agreed to backport to the next patch versions (8.19.1 and 9.1.1) as we want more time to be sure those changes didn't introduce issues.

3 participants