Report tests and their relationship to CIS compliance #159

Closed
garretfick opened this issue Feb 28, 2019 · 2 comments

Comments

@garretfick
Contributor

As a user, viewing the output from cloudsploit, I would like to be able to see if rules violate particular compliance standards, such as CIS, so that I can report compliance levels, focus on rules I care most about and ignore rules I care less about.

I'm creating this issue because I'm willing to implement annotating rules with compliance information, if that would be desirable to the maintainers here. (If that isn't of interest, then I would avoid this.)

I see two ways to achieve this:
a. add new items in the "compliance" member
b. add IDs to rules (plugins) and externalize the compliance information

My proposal is (b) because it would give a way for anyone to add compliance information, including industry/domain-specific rules, without modifying this repo. Then, assuming (b):

  1. For each rule, add a new unique ID attribute; for example, the elbHttpsOnly rule ID would be "elb-https-only" (snake case)
  2. Create a new "compliance" set that maps rule names to a data structure that describes how the rule maps to the compliance rule.
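
A sketch of approach (b) as described in the issue above, added here as an example and not taken from the issue, the pull request or cloudsploit's own code: an external map keyed by rule ID is joined to scan results, and a mapped rule ID that produced no result is reported as untested rather than compliant. The result shape, the status strings, the control IDs and every rule ID other than `elb-https-only` are constructed placeholders.

```javascript
'use strict';

// Constructed external compliance map (hypothetical file contents).
// Control IDs are placeholders, not real CIS numbering.
const cisMap = {
  'elb-https-only': ['CIS-EXAMPLE-A'],
  'example-rule-two': ['CIS-EXAMPLE-A', 'CIS-EXAMPLE-B'],
  'example-rule-renamed': ['CIS-EXAMPLE-C'], // no scan result carries this ID
};

// Constructed scan results; the { ruleId, resource, status } shape is assumed.
const sampleResults = [
  { ruleId: 'elb-https-only', resource: 'elb-1', status: 'FAIL' },
  { ruleId: 'example-rule-two', resource: 'res-1', status: 'PASS' },
  { ruleId: 'example-unmapped', resource: 'res-2', status: 'FAIL' },
];

// Attach control IDs to each result; unmapped rules get an empty list.
function annotate(results, complianceMap) {
  const map = new Map(Object.entries(complianceMap));
  return results.map((r) => ({ ...r, controls: map.get(r.ruleId) || [] }));
}

// Per-control status: FAIL if any mapped rule failed, PASS if every mapped
// rule ran and passed, UNTESTED if a mapped rule ID produced no result
// (so a stale or mistyped ID is never counted as compliant).
function summarize(results, complianceMap) {
  const failed = new Map(); // ruleId -> true if any of its results failed
  for (const r of results) {
    failed.set(r.ruleId, failed.get(r.ruleId) === true || r.status === 'FAIL');
  }
  const rank = { PASS: 0, UNTESTED: 1, FAIL: 2 };
  const summary = new Map();
  for (const [ruleId, controls] of Object.entries(complianceMap)) {
    const state = !failed.has(ruleId) ? 'UNTESTED' : failed.get(ruleId) ? 'FAIL' : 'PASS';
    for (const control of controls) {
      const prev = summary.get(control) || 'PASS';
      summary.set(control, rank[state] > rank[prev] ? state : prev);
    }
  }
  return Object.fromEntries(summary);
}

console.log(annotate(sampleResults, cisMap));
console.log(summarize(sampleResults, cisMap));
```
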
@garretfick
Contributor Author

Small update. I started looking at this today and found that there are in IDs (there are a number of large maps). With that, I was able to get a working solution taking approach (b) and adding CIS rules for CIS. I would like to know if there is interest in such a change.

@garretfick
Contributor Author

garretfick commented Mar 11, 2019

This request is now a pull request: #160.
We are happy and active to integrate additional changes into that branch if it helps other projects.
