Hi,
The policy source data format proposal is available and ready for
comments. The text has been submitted as a pull request on GitHub to
make the discussion easier using comments and reviews.
See
https://github.com/ComplianceAsCode/content/pull/5817
We are looking forward to seeing your feedback on GitHub.
What is it about? We will use the policy source data format to improve
development of our profiles. It will allow us to store security
controls and requirements in the repository and then define profiles
by using their IDs instead of separate rules.
This is done in order to solve the problem that there is no easy way
to demonstrate to profile stakeholders the status of their profile.
Intended workflow:
* SME identifies security controls the policy consists of. Those
controls serve as direct input for our profiles.
* SME goes through controls, and makes sure that they are sufficiently
covered by rules.
* SME fine-tunes the profile by overriding a couple of individual
rules in the profile file.
Once the format is accepted we can start developing tools that support
this new workflow.
In the future, we can also use it for further refactoring, for example
streamlining the generation of HTML tables.
Best regards
--
Jan Černý
Security Technologies | Red Hat, Inc.
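As an added illustration of the workflow the message describes (store controls with IDs, define a profile by control IDs, let the SME override individual rules, and report the profile's status per control): the Python below is example code written for this page, not code from the pull request or from the ComplianceAsCode project, and the controls/profile layout it reads is a hypothetical one chosen for the example, not the schema actually proposed in the PR. The policy, profile, rule names and the "repository" rule set are constructed sample data.

```python
"""Resolve a profile written as control IDs into rules and report coverage.

Added example for illustration. The data layout (a policy with a list of
controls, each carrying an id, a rule list and a status; a profile that
selects control IDs and applies per-rule select/unselect overrides) is a
hypothetical layout for this example, not the format proposed in the PR.
"""
from collections import Counter

# Constructed sample policy (hypothetical control and rule names).
POLICY = {
    "id": "example_policy",
    "controls": [
        {"id": "AC-1", "title": "Disable root login over SSH",
         "rules": ["sshd_disable_root_login"], "status": "automated"},
        {"id": "AC-2", "title": "Lock inactive accounts",
         "rules": ["account_disable_post_pw_expiration",
                   "accounts_password_pam_minlen"], "status": "automated"},
        {"id": "AU-1", "title": "Enable audit logging",
         "rules": ["service_auditd_enabled",
                   "audit_rules_login_events"], "status": "automated"},
        {"id": "CM-9", "title": "Document configuration baseline",
         "rules": [], "status": "manual"},
        {"id": "SC-7", "title": "Restrict network services",
         "rules": [], "status": "pending"},
    ],
}

# Constructed sample profile: selects controls, then fine-tunes single rules.
PROFILE = {
    "id": "example_profile",
    "controls": ["AC-1", "AC-2", "AU-1", "CM-9", "SC-7"],
    "select": ["firewalld_enabled"],
    "unselect": ["accounts_password_pam_minlen"],
}

# Constructed stand-in for "which rules exist in the repository";
# audit_rules_login_events is deliberately absent to show the missing case.
REPO_RULES = {
    "sshd_disable_root_login", "account_disable_post_pw_expiration",
    "accounts_password_pam_minlen", "service_auditd_enabled",
    "firewalld_enabled",
}


def _controls_by_id(policy):
    return {c["id"]: c for c in policy["controls"]}


def resolve_rules(policy, profile):
    """Expand a profile's control IDs into its effective, sorted rule list.

    Rules of every selected control are unioned, then the profile's own
    select/unselect overrides are applied on top. An unknown control ID is an
    error rather than silently skipped, so a typo cannot drop a requirement.
    """
    by_id = _controls_by_id(policy)
    unknown = [cid for cid in profile["controls"] if cid not in by_id]
    if unknown:
        raise ValueError(f"profile references unknown controls: {unknown}")
    rules = set()
    for cid in profile["controls"]:
        rules.update(by_id[cid]["rules"])
    rules.update(profile.get("select", []))
    rules.difference_update(profile.get("unselect", []))
    return sorted(rules)


def control_status(control, effective_rules, repo_rules):
    """Classify one control against the resolved profile and the repository."""
    if control["status"] == "manual":
        return "manual"
    if not control["rules"]:
        return "uncovered"
    missing = [r for r in control["rules"] if r not in repo_rules]
    if missing:
        return "missing rule: " + ", ".join(missing)
    dropped = [r for r in control["rules"] if r not in effective_rules]
    if dropped:
        return "partial (unselected: " + ", ".join(dropped) + ")"
    return "covered"


def coverage_report(policy, profile, repo_rules):
    """Map each control selected by the profile to its coverage status."""
    effective = set(resolve_rules(policy, profile))
    by_id = _controls_by_id(policy)
    return {cid: control_status(by_id[cid], effective, repo_rules)
            for cid in profile["controls"]}


def summarize(report):
    """Count controls per status family (covered/partial/missing/...)."""
    return dict(Counter(s.split(" ", 1)[0] for s in report.values()))


if __name__ == "__main__":
    for cid, status in coverage_report(POLICY, PROFILE, REPO_RULES).items():
        print(f"{cid:6} {status}")
    print(summarize(coverage_report(POLICY, PROFILE, REPO_RULES)))
```

The report is what a stakeholder would read: which controls are fully backed by rules, which ones the SME's overrides have weakened (AC-2 above), which reference rules the repository does not have yet, and which remain manual or uncovered.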