elastic · orouz · Jul 2, 2025 · Jul 7, 2025 · orouz · Jul 7, 2025
@@ -11,12 +11,9 @@ finding := result if {
 	data_adapter.is_cloud_resource_manager_project
 	data_adapter.has_policy
 
-	result := common.generate_result_without_expected(
-		# admin_has_other_role is an aggregation of the three checks above
-		# if an admin user has any of those other roles, the rule fails
-		common.calculate_result(admin_has_other_role == false),
-		data_adapter.iam_policy,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(admin_has_other_role == false))
+	# admin_has_other_role is an aggregation of the three checks above
+	# if an admin user has any of those other roles, the rule fails
 }
 
 # check admin is not also cryptoKeyEncrypter

@@ -9,8 +9,5 @@ finding := result if {
 
 	is_project_apikey := startswith(data_adapter.resource.data.name, "projects/")
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_project_apikey == false),
-		data_adapter.resource.data.name,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_project_apikey == false))
 }
@@ -10,10 +10,7 @@ default has_valid_apikey_restrictions := false
 finding := result if {
 	data_adapter.is_api_key
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(has_valid_apikey_restrictions == true),
-		data_adapter.resource.data,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(has_valid_apikey_restrictions == true))
 }
 
 has_valid_apikey_restrictions if {

@@ -10,10 +10,7 @@ duration := sprintf("%dh", [90 * 24]) # 90 days converted to hours
 finding := result if {
 	data_adapter.is_api_key
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(key_created_within_last_90_days),
-		data_adapter.resource.data.createTime,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(key_created_within_last_90_days))
 }
 
 key_created_within_last_90_days if {

@@ -9,10 +9,7 @@ default has_cusomter_encrypted_key := false
 finding := result if {
 	data_adapter.is_dataproc_cluster
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(has_cusomter_encrypted_key),
-		data_adapter.resource,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(has_cusomter_encrypted_key))
 }
 
 has_cusomter_encrypted_key if {

@@ -9,12 +9,5 @@ finding := result if {
 	data_adapter.is_iam_service_account
 	data_adapter.has_policy
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(audit.is_policy_not_managed_by_user),
-		members,
-	)
-}
-
-members if {
-	input.resource.iam_policy.bindings[i].members
+	result := common.generate_evaluation_result(common.calculate_result(audit.is_policy_not_managed_by_user))
 }
@@ -26,24 +26,5 @@ finding := result if {
 	data_adapter.has_policy
 	count(service_accounts) > 0
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(audit.is_not_admin_roles(service_accounts)),
-		evidence,
-	)
-}
-
-# maps the service accounts array to an object with keys as roles and values as members
-# this makes it easier to see which service accounts has which role
-evidence := admin_roles if {
-	admin_roles := {role: members |
-		entry := service_accounts[_]
-		role := entry.role
-		members := entry.members
-		regex.match(`(.*Admin|.*admin|roles/(editor|owner))`, role)
-	}
-	count(admin_roles) > 0
-} else := {role: members |
-	entry := service_accounts[_]
-	role := entry.role
-	members := entry.members
+	result := common.generate_evaluation_result(common.calculate_result(audit.is_not_admin_roles(service_accounts)))
 }
@@ -9,10 +9,7 @@ finding := result if {
 	data_adapter.is_cloud_resource_manager_project
 	data_adapter.has_policy
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(audit.is_role_not_service_account_user),
-		roles,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(audit.is_role_not_service_account_user))
 }
 
 roles if {

@@ -9,10 +9,7 @@ duration := sprintf("%dh", [90 * 24]) # 90 days converted to hours
 finding := result if {
 	data_adapter.is_iam_service_account_key
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(key_created_within_last_90_days),
-		data_adapter.resource.data.validAfterTime,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(key_created_within_last_90_days))
 }
 
 key_created_within_last_90_days if {

@@ -25,8 +25,5 @@ finding := result if {
 
 	no_admin_with_user_role := count(members_with_both_roles) == 0
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(no_admin_with_user_role),
-		data_adapter.iam_policy,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(no_admin_with_user_role))
 }
@@ -12,8 +12,5 @@ finding := result if {
 	data_adapter.is_cloudkms_crypto_key
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(assert.is_false(audit.resource_is_public)),
-		{"KMS key": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(assert.is_false(audit.resource_is_public)))
 }
@@ -8,10 +8,7 @@ import future.keywords.if
 finding := result if {
 	data_adapter.is_compute_network
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_dns_logging_enabled),
-		data_adapter.resource,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_dns_logging_enabled))
 }
 
 is_dns_logging_enabled if {

@@ -8,10 +8,7 @@ finding := result if {
 	data_adapter.is_backend_service
 	data_adapter.is_https_lb
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_logging_enabled),
-		data_adapter.resource,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_logging_enabled))
 }
 
 is_logging_enabled if {

@@ -10,10 +10,7 @@ default is_retention_policy_valid := false
 finding := result if {
 	data_adapter.is_log_bucket
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_retention_policy_valid),
-		data_adapter.resource,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_retention_policy_valid))
 }
 
 is_retention_policy_valid if {

@@ -10,10 +10,7 @@ finding := result if {
 	data_adapter.is_compute_network
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_not_default_network),
-		data_adapter.resource,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_not_default_network))
 }
 
 is_not_default_network if {

@@ -9,10 +9,7 @@ import future.keywords.in
 finding := result if {
 	data_adapter.is_compute_network
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_not_legacy_network),
-		data_adapter.resource,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_not_legacy_network))
 }
 
 is_not_legacy_network if {

@@ -15,10 +15,7 @@ finding := result if {
 	data_adapter.resource.data.visibility == "PUBLIC"
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_dnssec_enabled),
-		{"Managed zone": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_dnssec_enabled))
 }
 
 is_dnssec_enabled if {

@@ -10,10 +10,7 @@ finding := result if {
 	data_adapter.is_firewall_rule
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_rule_permissive),
-		{"Firewall rule": data_adapter.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_rule_permissive))
 }
 
 is_rule_permissive := audit.is_valid_fw_rule(22) # SSH
@@ -10,10 +10,7 @@ finding := result if {
 	data_adapter.is_firewall_rule
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_rule_permissive),
-		{"Firewall rule": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_rule_permissive))
 }
 
 is_rule_permissive := audit.is_valid_fw_rule(3389) # RDP
@@ -8,10 +8,7 @@ finding := result if {
 	data_adapter.is_subnetwork
 	not_internal_https_load_balancer
 
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_flow_log_configured),
-		data_adapter.resource,
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_flow_log_configured))
 }
 
 is_flow_log_configured if {

@@ -12,8 +12,5 @@ finding := result if {
 	data_adapter.is_compute_instance
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(assert.is_false(audit.sa_is_default)),
-		{"Compute instance": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(assert.is_false(audit.sa_is_default)))
 }
@@ -16,10 +16,7 @@ finding := result if {
 	startswith(gcp_common.get_machine_type_family(data_adapter.resource.data.machineType), "n2d-")
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_confidential_computing_enabled),
-		{"Compute instance": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_confidential_computing_enabled))
 }
 
 is_confidential_computing_enabled := data_adapter.resource.data.confidentialInstanceConfig.enableConfidentialCompute
@@ -12,8 +12,5 @@ finding := result if {
 	data_adapter.is_compute_instance
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(assert.is_false(audit.sa_is_default_with_full_access)),
-		{"Compute instance": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(assert.is_false(audit.sa_is_default_with_full_access)))
 }
@@ -11,10 +11,7 @@ finding := result if {
 	data_adapter.is_compute_instance
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_project_ssh_keys_enabled),
-		{"Compute instance": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_project_ssh_keys_enabled))
 }
 
 is_project_ssh_keys_enabled := audit.is_instance_metadata_valid("block-project-ssh-keys", "true")
@@ -14,10 +14,7 @@ finding := result if {
 	not data_adapter.is_gke_instance(data_adapter.resource.data)
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_oslogin_enabled),
-		{"Compute instance": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_oslogin_enabled))
 }
 
 is_oslogin_enabled := audit.is_instance_metadata_valid("enable-oslogin", "true")
@@ -12,10 +12,7 @@ finding := result if {
 	data_adapter.is_compute_instance
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(assert.is_false(is_serial_port_enabled)),
-		{"Compute instance": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(assert.is_false(is_serial_port_enabled)))
 }
 
 is_serial_port_enabled := audit.is_instance_metadata_valid("serial-port-enable", "true")
@@ -16,10 +16,7 @@ finding := result if {
 	not data_adapter.is_gke_instance(data_adapter.resource.data)
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(assert.is_false(is_ip_forwarding_enabled)),
-		{"Compute instance": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(assert.is_false(is_ip_forwarding_enabled)))
 }
 
 is_ip_forwarding_enabled := data_adapter.resource.data.canIpForward
@@ -10,10 +10,7 @@ finding := result if {
 	data_adapter.is_compute_disk
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_disk_encrypted_with_csek),
-		{"Compute instance": data_adapter.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_disk_encrypted_with_csek))
 }
 
 is_disk_encrypted_with_csek if {

@@ -10,10 +10,7 @@ finding := result if {
 	data_adapter.is_compute_instance
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(is_shielded_vm),
-		{"Compute instance": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(is_shielded_vm))
 }
 
 is_shielded_vm if {

@@ -12,10 +12,7 @@ finding := result if {
 	data_adapter.is_compute_instance
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(assert.is_false(is_publicly_exposed)),
-		{"Compute instance": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(assert.is_false(is_publicly_exposed)))
 }
 
 is_publicly_exposed if {

@@ -12,8 +12,5 @@ finding := result if {
 	data_adapter.is_storage_bucket
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(assert.is_false(audit.resource_is_public)),
-		{"GCS Bucket": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(assert.is_false(audit.resource_is_public)))
 }
@@ -12,10 +12,7 @@ finding := result if {
 	data_adapter.is_storage_bucket
 
 	# set result
-	result := common.generate_result_without_expected(
-		common.calculate_result(rule_evaluation),
-		{"GCS Bucket": input.resource},
-	)
+	result := common.generate_evaluation_result(common.calculate_result(rule_evaluation))
 }
 
 rule_evaluation if {