feat(rules): Add Framework object for structured compliance metadata #2335
Introduce a Framework dataclass to link rules to compliance frameworks (CIS, NIST, etc.) with structured fields for filtering and querying.

- Add Framework class with case-insensitive matching (name, short_name, requirement, scope, revision)
- Add Rule.frameworks tuple and Rule.has_framework() method
- Add CLI --framework filter option (e.g., --framework CIS:aws:5.0)
- Add 'frameworks' command to list all compliance frameworks
- Add filter_rules_by_framework() and get_all_frameworks() in runners
- Expose rule_tags and rule_frameworks in RuleResult
- Migrate all CIS rules to use Framework objects
- Auto-select all rules when --framework is provided without rule arg

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Jeremy Chapeau <jeremy@subimage.io>
3 issues found across 13 files
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="cartography/rules/data/rules/cis_aws_networking.py">
<violation number="1" location="cartography/rules/data/rules/cis_aws_networking.py:107">
P2: The `cis:aws-5.0` tag was removed from this rule, but no `Framework` object was added to replace it. Since `unrestricted_all_ports` explicitly references `CIS_REFERENCES`, it implies this rule is part of the CIS benchmark (or at least related).
If this rule is part of the framework, it must be migrated to use the `Framework` object (like the other rules in this file) to be discoverable via the new `--framework` CLI filter. If it is *not* part of the framework, consider removing `CIS_REFERENCES` to avoid confusion.</violation>
</file>
<file name="tests/unit/rules/test_runners.py">
<violation number="1" location="tests/unit/rules/test_runners.py:46">
P2: The tests update `mock_rule` with `tags` and `frameworks`, but do not verify that these values are correctly propagated to the `RuleResult`.
(Based on your team's feedback about ensuring tests exercise the change they claim to validate.) [FEEDBACK_USED]</violation>
</file>
<file name="cartography/rules/data/rules/cis_google_workspace.py">
<violation number="1" location="cartography/rules/data/rules/cis_google_workspace.py:96">
P2: The scope 'google_workspace' is inconsistent with the standard module identifier 'googleworkspace' used in `Module.GOOGLEWORKSPACE`, previous tags (e.g., `cis:googleworkspace-1.4`), and the internal `MODULE_TO_CARTOGRAPHY_INTEL` mapping.
Using the standard identifier 'googleworkspace' ensures consistency across CLI filters, internal metadata, and potential downstream consumers.
(Note: Tests asserting this scope string may also need updates.)</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
- Fix scope inconsistency: change 'google_workspace' to 'googleworkspace' to match Module.GOOGLEWORKSPACE identifier
- Add tests to verify tags and frameworks are correctly propagated to RuleResult

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Jeremy Chapeau <jeremy@subimage.io>
Signed-off-by: Jeremy Chapeau <jeremy@subimage.io>
kunaals
left a comment
This seems great! One small nit: it might be good to add details about Frameworks in the create-rule.md doc.
```python
"""
List all compliance frameworks referenced by rules.

\b
```
I think an extra character got left behind.
`\b` is the Typer/Click literal block marker.
Add documentation for the new Framework dataclass that provides structured compliance metadata for rules. Updates include:

- New "Compliance Frameworks" section explaining the Framework object
- CLI filtering examples with --framework option
- Updated CIS conventions to use Framework instead of cis:* tags
- Added Framework to Essential Imports
- Updated complete CIS example with Framework usage

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Jeremy Chapeau <jeremy@subimage.io>
Type of change
Summary
This PR introduces a `Framework` dataclass to link rules to compliance frameworks (CIS, NIST, etc.) with structured fields for filtering and querying.

Key changes:

- `Framework` dataclass with `name`, `short_name`, `requirement`, `scope`, and `revision` fields. All fields are normalized to lowercase for case-insensitive comparison.
- `Rule.frameworks` tuple.
- `--framework`/`-f` filter option for `list` and `run` commands
- `frameworks` command to list all compliance frameworks
- Auto-select all rules when `--framework` is provided without a rule argument
- `get_all_frameworks()` and `filter_rules_by_framework()` for programmatic filtering.
- `RuleResult` exposes `rule_tags` and `rule_frameworks` for downstream consumers.

Example usage:
How was this tested?
- `make test_unit` - 483 tests passed
- `make test_lint` - All checks passed
- `--framework` filter

Checklist

General

- (`make lint`).

Proof of functionality
Notes for reviewers
This 'tag' approach for linking to a Framework was chosen (rather than the old composition system where a rule only existed for one framework) to offer maximum flexibility and reusability.
This design follows the existing pattern in the codebase and enables downstream systems like SubImage to build rule collections based on compliance frameworks.
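The matching and filtering behaviour described in this PR (lowercase-normalized `Framework` fields, `Rule.has_framework()`, a `CIS:aws:5.0`-style filter spec, and the runner helpers), as an added, self-contained illustration that is not cartography's own code; the class shapes, the filter-spec parser and the sample rules are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Framework:
    """Hypothetical stand-in for the PR's Framework dataclass."""
    name: str
    short_name: str
    requirement: str
    scope: str
    revision: str

    def __post_init__(self) -> None:
        # Normalize every field to lowercase so comparisons are case-insensitive.
        for attr in ("name", "short_name", "requirement", "scope", "revision"):
            object.__setattr__(self, attr, getattr(self, attr).strip().lower())

    def matches(self, short_name: str, scope: Optional[str] = None,
                revision: Optional[str] = None) -> bool:
        # Omitted parts of the filter act as wildcards: CIS, CIS:aws, CIS:aws:5.0.
        return (self.short_name == short_name.lower()
                and (scope is None or self.scope == scope.lower())
                and (revision is None or self.revision == revision.lower()))


@dataclass(frozen=True)
class Rule:
    id: str
    frameworks: Tuple[Framework, ...] = ()

    def has_framework(self, short_name, scope=None, revision=None) -> bool:
        return any(fw.matches(short_name, scope, revision) for fw in self.frameworks)


def parse_framework_filter(spec: str) -> Tuple[str, Optional[str], Optional[str]]:
    # "CIS:aws:5.0" -> ("CIS", "aws", "5.0"); missing trailing parts become None.
    parts = [p.strip() for p in spec.split(":", 2)]
    if not parts[0]:
        raise ValueError(f"framework filter needs a short name: {spec!r}")
    parts += [None] * (3 - len(parts))
    return parts[0], parts[1] or None, parts[2] or None


def filter_rules_by_framework(rules: Iterable[Rule], spec: str) -> List[Rule]:
    short_name, scope, revision = parse_framework_filter(spec)
    return [r for r in rules if r.has_framework(short_name, scope, revision)]


def get_all_frameworks(rules: Iterable[Rule]) -> List[Tuple[str, str, str]]:
    # Distinct (short_name, scope, revision) triples, as a `frameworks` command would list.
    return sorted({(fw.short_name, fw.scope, fw.revision) for r in rules for fw in r.frameworks})


# Constructed sample rules (not the project's real rule set).
RULES = (
    Rule("unrestricted_ssh", (Framework("CIS AWS Foundations", "CIS", "5.2", "aws", "5.0"),)),
    Rule("mfa_admins", (Framework("CIS Google Workspace", "CIS", "1.1", "googleworkspace", "1.4"),
                        Framework("NIST SP 800-53", "NIST", "IA-2", "googleworkspace", "5"))),
    Rule("no_framework"),
)
```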