Create a PoC for moving builtin rules to rego

[lcarva]

In the previous community meeting, we talked about exploring the option of making the builtin rules more similar to other policy rules.

This issue is about creating a proof-of-concept so we can evaluate the idea further.

Proposal (as a starting point; PoC can, and likely will, deviate):

• Re-implement the builtin rules in rego.

  • image.signature_check
  • image.accessible
  • attestation.signature_check
  • attestation.syntax_check

• Embed those rego rules in the ec-cli binary.

• Modify ec validate image to inject a new policy source group into the policy config that uses the embedded builtin rules.

Considerations:

• How would this impact the report if one of the builtin policy rules fails? How does it differ from the current behavior? Maybe wider use of depends_on is necessary.
• How could someone create a policy config that explicitly includes the builtin rules? What if someone does it? Can the auto-injection detect and skip injecting them? Could someone use this as mechanism to exclude them?

Acceptance Criteria

• A PoC is created the illustrates the ideas above. This should be working code but it does not have to be perfect nor handle different use cases. Hard code things if it makes it easier.
• Demo the PoC with EC maintainers and maybe a wider audience.
• Help decide next steps. (Abandoning the idea is also a perfectly acceptable next step). File issues accordingly.

[simonbaird]

I wrote some notes about the motivation here.