
refactor: update rule generation process and enhance profileDataRequi…#31

Merged: matthyx merged 1 commit into main from fix-r1006 on May 4, 2026

Conversation

matthyx (Contributor) commented May 1, 2026

…red definitions

Summary by CodeRabbit

  • Chores

    • Streamlined the rule generation and build workflow
  • Updates

    • Rules now explicitly declare required profile data, including syscall execution tracking, network egress monitoring, file access patterns, and system capability usage
    • Adjusted profile dependency levels in rule configurations
  • Documentation

    • Updated generation instructions in project README

…red definitions

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
coderabbitai (Bot) commented May 1, 2026

Walkthrough

The pull request introduces a Make target generate-rules-crd to wrap the existing shell script invocation and updates all references (CI workflow, README documentation) to use this target. Additionally, it adds explicit profileDataRequired declarations to multiple rule configurations to specify which application profile data (syscalls, capabilities, executions, DNS/network egress, file opens) is required for each rule's evaluation, with R1006 also having its profile dependency adjusted from level 2 to 1.

Changes

Cohort / File(s) | Summary
Build & Workflow Integration (.github/workflows/test.yml, Makefile, README.md) | Adds generate-rules-crd Make target as the standard entrypoint for rule generation and updates all references (workflow step, README sections) to use make generate-rules-crd instead of direct script invocation.
Rule Configuration Updates (pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml, rules-crd.yaml) | Adds profileDataRequired blocks across multiple rules declaring explicit profile data dependencies (syscalls, capabilities, executions, egress domains/addresses, file-open patterns). For R1006, also adjusts profileDependency from 2 to 1 and specifies required unshare syscall.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • kubescape/rulelibrary#30: Modifies rule YAMLs to add/adjust profileDataRequired entries and updates CI/Makefile/README tooling integration for rule generation and linting.

Poem

🐰 With Make's new target, rules now stand so tall,
Profile data declared, requirements and all!
From syscalls to shadows, each rule knows its need,
A garden of logic planted with care and with speed! 🌿

Pre-merge checks: 5 passed
Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: Passed. The title clearly summarizes the main changes: refactoring the rule generation process and enhancing profileDataRequired definitions, which align with the actual modifications across workflow, Makefile, README, and rule files.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai (Bot) left a comment

🧹 Nitpick comments (1)
.github/workflows/test.yml (1)

55-56: ⚡ Quick win

Add a drift check after CRD generation

After Line 56, consider failing the job if rules-crd.yaml changes, so stale generated artifacts don’t slip through PRs.

Suggested CI tweak
-    - name: Generate Rules CRD
-      run: make generate-rules-crd
+    - name: Generate Rules CRD
+      run: |
+        make generate-rules-crd
+        git diff --exit-code -- rules-crd.yaml
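Review bot: `git diff --exit-code -- rules-crd.yaml` only reports changes to that tracked file, so it catches a stale rules-crd.yaml but not a generator that starts emitting new, untracked output; checking that `git status --porcelain` prints nothing would cover both cases. It would also help to put the check in its own step, e.g. `- name: Check rules-crd drift`, so a failure is attributed to drift in the job log rather than to generation itself. Since `run: |` executes under the runner's default `bash -e`, the diff check only runs after `make generate-rules-crd` succeeds, which is the right ordering.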
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test.yml around lines 55 - 56, Add a new CI step after the
"Generate Rules CRD" step that runs the same generator (or compares the
generated file) and fails the job if rules-crd.yaml was modified: create a step
named something like "Check rules-crd drift" that runs a git diff check (e.g.,
git diff --quiet -- rules-crd.yaml || (echo "rules-crd.yaml is out of date" &&
git --no-pager diff -- rules-crd.yaml && exit 1)) so the workflow will error
when the generated rules-crd.yaml changes; reference the existing
generate-rules-crd invocation to place this check immediately after it.

Commits

Reviewing files that changed from the base of the PR and between 7db50ed and cce0b0e.

Files selected for processing (5)
  • .github/workflows/test.yml
  • Makefile
  • README.md
  • pkg/rules/r1006-unshare-syscall/unshare-syscall.yaml
  • rules-crd.yaml

matthyx merged commit dd7f631 into main May 4, 2026 (4 checks passed)
matthyx deleted the fix-r1006 branch May 4, 2026 08:26
matthyx moved this to To Archive in KS PRs tracking May 4, 2026