
Add framework references to controls for Prometheus metrics

Open Copilot opened this issue 2 months ago • 0 comments

Controls in the exported controls.json lacked framework membership information, preventing Kubescape from including framework labels in Prometheus metrics. This made it impossible to filter metrics by framework in Grafana and other observability tools.

Changes

  • Export process: Added frameworks field to each control during export, containing a sorted list of all frameworks that include the control
  • Error handling: Added validation for missing framework names and control IDs with appropriate logging
  • Testing: Added test_export_framework_references.py to validate framework references are correctly populated
  • Documentation: Updated README to document the auto-generated frameworks field

Example

Before:

{
  "controlID": "C-0056",
  "name": "Configured liveness probe",
  "baseScore": 4.0
}

After:

{
  "controlID": "C-0056",
  "name": "Configured liveness probe",
  "frameworks": ["AllControls", "DevOpsBest"],
  "baseScore": 4.0
}

This enables metrics like:

kubescape_control_complianceScore{name="Configured liveness probe",framework="DevOpsBest"} 50

The CSV mapping file (FWName_CID_CName.csv) continues to be generated for backward compatibility.

[!WARNING]

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/kubernetes/kubernetes/releases
    • Triggering command: /usr/bin/python3 python3 scripts/validations.py -stringintconv -tests /tmp/go-build2199229742/b1091/vet.cfg kg_.a elemetry.io/cont-ifaceassert ux_amd64/vet OUTPUT /internal/future-atomic 168.63.129.16 ux_amd64/vet -o F_4oDsPWb .cfg ux_amd64/vet b.go g/grpc/credentia-atomic -lang=go1.21 ux_amd64/vet (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>Include reference to frameworks in security controls metrics</issue_title>

<issue_description>

Overview

Currently, when exposing the kubescape results as prometheus-like metrics using the v1/metrics endpoint, the results regarding framework controls don't have any reference to the framework they belong to.

Only CIS-ones show something in the name that can identify them. See examples below:

kubescape_control_complianceScore{name="Configured liveness probe",severity="Medium",link="https://hub.armosec.io/docs/c-0056"} 50
kubescape_control_complianceScore{name="CIS-4.2.13 Ensure that a limit is set on pod PIDs",severity="Low",link="https://hub.armosec.io/docs/c-0284"} 0

Problem

When graphing these results in tools like Grafana, it is difficult to tell which framework the control belongs to.

Solution

Include either a reference in the name, or another variable related to the framework. </issue_description>

Comments on the Issue (you are @copilot in this section)

  • Fixes kubescape/regolibrary#693


Copilot, Dec 05 '25 09:12
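The export step described in this pull request, as an added sketch that is not the code from the PR or from the regolibrary project: it derives each control's sorted `frameworks` list, skips framework entries with a missing name or control ID, and renders one metric sample per framework with label escaping. The function names, the `activeControls` input shape, the one-sample-per-framework layout and the sample data are assumptions made for illustration.

```python
import logging
from collections import defaultdict

log = logging.getLogger("export_sketch")

def attach_framework_refs(controls, frameworks):
    """Return copies of the controls with a sorted 'frameworks' list added."""
    membership = defaultdict(set)
    for fw in frameworks:
        name = fw.get("name")
        if not name:
            log.warning("framework without a name skipped")
            continue
        for entry in fw.get("activeControls", []):  # assumed input shape
            cid = entry.get("controlID")
            if not cid:
                log.warning("framework %s lists an entry without controlID", name)
                continue
            membership[cid].add(name)
    # Sorting keeps the exported JSON stable between runs (clean diffs).
    return [{**c, "frameworks": sorted(membership.get(c.get("controlID"), ()))}
            for c in controls]

def escape_label(value):
    # Prometheus text format: escape backslash, double quote and newline.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")

def metric_lines(control, score):
    """One kubescape_control_complianceScore sample per framework (assumed layout)."""
    return [
        'kubescape_control_complianceScore{name="%s",framework="%s"} %g'
        % (escape_label(control["name"]), escape_label(fw), score)
        for fw in control["frameworks"]
    ]

# Constructed sample input, including one nameless framework and one empty entry.
FRAMEWORKS = [
    {"name": "DevOpsBest", "activeControls": [{"controlID": "C-0056"}]},
    {"name": "AllControls", "activeControls": [{"controlID": "C-0056"}, {"controlID": "C-0284"}, {}]},
    {"activeControls": [{"controlID": "C-0056"}]},
]
CONTROLS = [
    {"controlID": "C-0056", "name": "Configured liveness probe", "baseScore": 4.0},
    {"controlID": "C-0284", "name": "CIS-4.2.13 Ensure that a limit is set on pod PIDs"},
    {"controlID": "C-9999", "name": 'Constructed "orphan" control'},
]
```

A control that no framework references gets an empty `frameworks` list and therefore produces no per-framework samples, which is worth alerting on if dashboards filter by the `framework` label.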