add missing paths

rules/exec-into-container/raw.rego

@@ -61,6 +61,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("the following %v: %v, can exec into  containers", [subject.kind, subject.name]),
 		"alertScore": 9,
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"packagename": "armo_builtins",
 		"alertObject": {
@@ -95,6 +96,7 @@ deny[msga] {
     msga := {
 		"alertMessage": sprintf("the following %v: %v, can exec into  containers", [subject.kind, subject.name]),
 		"alertScore": 9,
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"packagename": "armo_builtins",
   		"alertObject": {

rules/image-pull-policy-is-not-set-to-always/raw.rego

@@ -11,6 +11,7 @@ deny[msga] {
 		"alertMessage": sprintf("container: %v in pod: %v  has 'latest' tag on image but imagePullPolicy is not set to 'Always'", [container.name, pod.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 2,
+		"reviewPaths": paths,
 		"failedPaths": paths,
 		"fixPaths":[],
 		"alertObject": {
@@ -30,6 +31,7 @@ deny[msga] {
 		"alertMessage": sprintf("container: %v in %v: %v  has 'latest' tag on image but imagePullPolicy is not set to 'Always'", [container.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 2,
+		"reviewPaths": paths,
 		"failedPaths": paths,
 		"fixPaths":[],
 		"alertObject": {
@@ -48,6 +50,7 @@ deny[msga] {
 		"alertMessage": sprintf("container: %v in cronjob: %v  has 'latest' tag on image but imagePullPolicy is not set to 'Always'", [container.name, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 2,
+		"reviewPaths": paths,
 		"failedPaths": paths,
 		"fixPaths":[],
 		"alertObject": {

rules/immutable-container-filesystem/raw.rego

@@ -70,8 +70,8 @@ deny[msga] {
 # Default of readOnlyRootFilesystem is false. This field is only in container spec and not pod spec
 is_mutable_filesystem(container, start_of_path, i) = [failed_path, fixPath]  {
 	container.securityContext.readOnlyRootFilesystem == false
-	failed_path = sprintf("%vcontainers[%v].securityContext.readOnlyRootFilesystem", [start_of_path, format_int(i, 10)])
-	fixPath = ""
+	fixPath = {"path": sprintf("%vcontainers[%v].securityContext.readOnlyRootFilesystem", [start_of_path, format_int(i, 10)]), "value": "true"}
+	failed_path = ""
  }
 
  is_mutable_filesystem(container, start_of_path, i)  = [failed_path, fixPath] {

rules/immutable-container-filesystem/test/workloads/expected.json

@@ -1,7 +1,10 @@
 [{
     "alertMessage": "container :mysql in Deployment: my-deployment has  mutable filesystem",
-    "failedPaths": ["spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem"],
-    "fixPaths": [],
+    "failedPaths": [],
+    "fixPaths": [{
+        "path": "spec.template.spec.containers[0].securityContext.readOnlyRootFilesystem",
+        "value": "true"
+    }],
     "ruleStatus": "",
     "packagename": "armo_builtins",
     "alertScore": 7,

rules/rule-can-impersonate-users-groups/raw.rego

@@ -53,6 +53,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("the following %v: %v,  can impersonate users", [subject.kind, subject.name]),
 		"alertScore": 9,
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"packagename": "armo_builtins",
 		"alertObject": {
@@ -85,6 +86,7 @@ deny[msga] {
     msga := {
 		"alertMessage": sprintf("the following %v: %v, can impersonate users", [subject.kind, subject.name]),
 		"alertScore": 9,
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"packagename": "armo_builtins",
   		"alertObject": {

rules/rule-can-list-get-secrets/raw.rego

@@ -59,6 +59,7 @@ deny[msga] {
 	    "alertMessage": sprintf("The following %v: %v can read secrets", [subject.kind, subject.name]),
 		"alertScore": 9,
 		"packagename": "armo_builtins",
+		"deletePaths": [path],
        "failedPaths": [path],
           "alertObject": {
 			"k8sApiObjects": [role,rolebinding],
@@ -91,6 +92,7 @@ deny[msga] {
 	    "alertMessage": sprintf("The following %v: %v can read secrets", [subject.kind, subject.name]),
 		"alertScore": 9,
 		"packagename": "armo_builtins",
+		"deletePaths": [path],
        "failedPaths": [path],
         "alertObject": {
 			"k8sApiObjects": [role,clusterrolebinding],

rules/rule-can-portforward/raw.rego

@@ -53,6 +53,7 @@ deny[msga] {
 	msga := {
 		"alertMessage": sprintf("the following %v: %v, can do port forwarding", [subject.kind, subject.name]),
 		"alertScore": 9,
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"packagename": "armo_builtins",
 		"alertObject": {
@@ -85,6 +86,7 @@ deny[msga] {
     msga := {
 		"alertMessage": sprintf("the following %v: %v, can do port forwarding", [subject.kind, subject.name]),
 		"alertScore": 9,
+		"deletePaths": [path],
 		"failedPaths": [path],
 		"packagename": "armo_builtins",
   		"alertObject": {

rules/rule-can-ssh-to-pod/raw.rego

@@ -49,6 +49,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is exposed by SSH services: %v", [wl.kind, wl.metadata.name, service]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"deletePaths": [path],
 		"failedPaths": [path],
         "alertObject": {
 			"k8sApiObjects": [wl,service]
@@ -72,6 +73,7 @@ deny[msga] {
 		"alertMessage": sprintf("%v: %v is exposed by SSH services: %v", [wl.kind, wl.metadata.name, service]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
+		"deletePaths": [path],
 		"failedPaths": [path],
         "alertObject": {
 			"k8sApiObjects": [wl,service]

rules/rule-can-update-configmap/raw.rego

@@ -71,6 +71,7 @@ deny[msga] {
     	msga := {
 	     "alertMessage": sprintf("The following %v: %v can modify 'coredns' configmap", [subject.kind, subject.name]),
 		"alertScore": 6,
+		"deletePaths": [path],
          "failedPaths": [path],
 		"packagename": "armo_builtins",
           "alertObject": {
@@ -112,6 +113,7 @@ deny[msga] {
     	msga := {
 	     "alertMessage": sprintf("The following %v: %v can modify 'coredns'  configmap", [subject.kind, subject.name]),
 		"alertScore": 6,
+		"deletePaths": [path],
          "failedPaths": [path],
 		"packagename": "armo_builtins",
           "alertObject": {

rules/rule-credentials-in-env-var/raw.rego

@@ -55,6 +55,7 @@
 			"alertMessage": sprintf("%v: %v has sensitive information in environment variables", [wl.kind, wl.metadata.name]),
 			"alertScore": 9,
 			"fixPaths": [],
+			"deletePaths": [path],
 			"failedPaths": [path],
 			"packagename": "armo_builtins",
 			"alertObject": {
@@ -86,6 +87,7 @@
 			"alertMessage": sprintf("Cronjob: %v has sensitive information in environment variables", [wl.metadata.name]),
 			"alertScore": 9,
 			"fixPaths": [],
+			"deletePaths": [path],
 			"failedPaths": [path],
 			"packagename": "armo_builtins",
 			"alertObject": {
@@ -116,6 +118,7 @@ deny[msga] {
 			"alertMessage": sprintf("Pod: %v has sensitive information in environment variables", [pod.metadata.name]),
 			"alertScore": 9,
 			"fixPaths": [],
+			"deletePaths": [path],
 			"failedPaths": [path],
 			"packagename": "armo_builtins",
 			"alertObject": {
@@ -147,6 +150,7 @@ deny[msga] {
 			"alertMessage": sprintf("%v: %v has sensitive information in environment variables", [wl.kind, wl.metadata.name]),
 			"alertScore": 9,
 			"fixPaths": [],
+			"deletePaths": [path],
 			"failedPaths": [path],
 			"packagename": "armo_builtins",
 			"alertObject": {
@@ -176,6 +180,7 @@ deny[msga] {
 			"alertMessage": sprintf("Cronjob: %v has sensitive information in environment variables", [wl.metadata.name]),
 			"alertScore": 9,
 			"fixPaths": [],
+			"deletePaths": [path],
 			"failedPaths": [path],
 			"packagename": "armo_builtins",
 			"alertObject": {