Move the CEL fields out of the rule.yml

Keeps the fields pertainint to CEL scanning engine separate from the
rule.yml, which can remain agnostic.
This facilitates the implementation of templates later on.

'scanner_type' is completely removed from rules, and inferred by
presence of 'cel' directory or presence of 'expression' and 'input'
keys.

Author: yuumasato

.claude/CLAUDE.md

@@ -158,14 +158,22 @@ template:
         pkgname@ubuntu2204: avahi-daemon    # Platform-specific overrides
 ```
 
-## CEL Rules (Kubernetes/OpenShift)
+## CEL Checking Engine (Kubernetes/OpenShift)
 
-CEL (Common Expression Language) rules provide native Kubernetes resource evaluation without requiring shell access or OVAL checks. CEL rules are used by the compliance-operator for Kubernetes and OpenShift compliance scanning.
+CEL (Common Expression Language) provides native Kubernetes resource evaluation without requiring shell access or OVAL checks. Rules using the CEL checking engine are used by the compliance-operator for Kubernetes and OpenShift compliance scanning.
 
-**Important:** CEL rules are **excluded** from XCCDF/OVAL DataStreams and are generated as a separate `${PRODUCT}-cel-content.yaml` file.
+**Important:** Rules with CEL checks are **excluded** from XCCDF/OVAL DataStreams and are generated as a separate `${PRODUCT}-cel-content.yaml` file.
 
-### Required Fields for CEL Rules
+### Rule Structure for CEL Checks
 
+Rules using CEL checks use a **split-file structure** to separate metadata from CEL-specific content:
+
+- **`rule.yml`** - Contains metadata (title, description, rationale, severity, references, etc.)
+- **`cel/shared.yml`** - Contains CEL-specific fields (check_type, inputs, expression)
+
+This allows rules to support **both CEL and OVAL** checks during migration from OVAL to CEL.
+
+**Example rule.yml:**
 ```yaml
 documentation_complete: true
 
@@ -179,8 +187,20 @@ rationale: |-
 
 severity: medium
 
-scanner_type: CEL           # REQUIRED: Marks this as a CEL rule
+ocil: |-                   # Optional: Manual check instructions
+    Run the following command:
+    <pre>$ oc get pods</pre>
+
+failure_reason: |-          # Optional: Custom failure message
+    The resource is not properly configured.
+
+references:                # Optional: Same as regular rules
+    cis@ocp4: 1.2.3
+    nist: CM-6
+```
 
+**Example cel/shared.yml:**
+```yaml
 check_type: Platform        # Usually Platform for K8s checks
 
 expression: |-             # REQUIRED: CEL expression (must evaluate to boolean)
@@ -193,19 +213,10 @@ inputs:                    # REQUIRED: Kubernetes resources to evaluate
       resource: pods
       resource_name: my-pod          # Optional: specific resource
       resource_namespace: default    # Optional: specific namespace
-
-ocil: |-                   # Optional: Manual check instructions
-    Run the following command:
-    <pre>$ oc get pods</pre>
-
-failure_reason: |-          # Optional: Custom failure message
-    The resource is not properly configured.
-
-references:                # Optional: Same as regular rules
-    cis@ocp4: 1.2.3
-    nist: CM-6
 ```
 
+**Note:** The build system automatically detects rules with CEL checks by the presence of the `cel/` directory.
+
 ### CEL Expression Examples
 
 Simple boolean check:
@@ -228,7 +239,7 @@ expression: |-
 
 ### CEL Profile Format
 
-Profiles that use CEL rules must have `scannerType: CEL`:
+Profiles that select rules using CEL checks must have `scanner_type: CEL`:
 
 ```yaml
 documentation_complete: true
@@ -238,14 +249,16 @@ title: 'CIS VM Extension Benchmark'
 description: |-
     Profile description.
 
-scanner_type: CEL    # REQUIRED: Marks this as a CEL profile
+scanner_type: CEL    # REQUIRED: Marks this as a CEL profile (excluded from XCCDF)
 
 selections:
     - kubevirt-nonroot-feature-gate-is-enabled
     - kubevirt-no-permitted-host-devices
 ```
 
-**Note:** CEL profiles can only select CEL rules and are excluded from XCCDF generation.
+**Note:** 
+- Profiles use `scanner_type: CEL` to indicate they target the CEL checking engine and should be excluded from XCCDF/datastream builds.
+- A rule can have both `cel/` (for CEL checks) and `template:` (for OVAL checks) to support both checking engines during migration.
 
 **Important:** Use hyphens rule IDs (Kubernetes naming convention), not underscores.
 

applications/openshift-virtualization/kubevirt-enforce-trusted-tls-registries/cel/shared.yml

@@ -0,0 +1,13 @@
+check_type: Platform
+
+inputs:
+  - name: hco
+    kubernetes_input_spec:
+      api_version: hco.kubevirt.io/v1beta1
+      resource: hyperconvergeds
+      resource_name: kubevirt-hyperconverged
+      resource_namespace: openshift-cnv
+
+expression: |-
+  !has(hco.spec.storageImport) ||
+  hco.spec.storageImport.insecureRegistries.size() == 0

applications/openshift-virtualization/kubevirt-enforce-trusted-tls-registries/rule.yml

@@ -30,19 +30,3 @@ ocil: |-
     Run the following command to check for insecure registries:
     <pre>$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.spec.storageImport.insecureRegistries}'</pre>
     The output should be empty or the field should not exist.
-
-check_type: Platform
-
-scanner_type: CEL
-
-inputs:
-  - name: hco
-    kubernetes_input_spec:
-      api_version: hco.kubevirt.io/v1beta1
-      resource: hyperconvergeds
-      resource_name: kubevirt-hyperconverged
-      resource_namespace: openshift-cnv
-
-expression: |-
-  !has(hco.spec.storageImport) ||
-  hco.spec.storageImport.insecureRegistries.size() == 0

applications/openshift-virtualization/kubevirt-no-permitted-host-devices/cel/shared.yml

@@ -0,0 +1,22 @@
+check_type: Platform
+
+inputs:
+  - name: hcoList
+    kubernetes_input_spec:
+      api_version: hco.kubevirt.io/v1beta1
+      resource: hyperconvergeds
+
+expression: |
+  hcoList.items.filter(h,
+      h.metadata.name == 'kubevirt-hyperconverged' &&
+      h.metadata.namespace == 'openshift-cnv'
+  ).size() == 1 &&
+  hcoList.items.filter(h,
+      h.metadata.name == 'kubevirt-hyperconverged' &&
+      h.metadata.namespace == 'openshift-cnv'
+  ).all(h,
+      !has(h.spec.permittedHostDevices) ||
+      h.spec.permittedHostDevices == null ||
+      (has(h.spec.permittedHostDevices.pciHostDevices) && size(h.spec.permittedHostDevices.pciHostDevices) == 0) &&
+      (has(h.spec.permittedHostDevices.mediatedDevices) && size(h.spec.permittedHostDevices.mediatedDevices) == 0)
+  )

applications/openshift-virtualization/kubevirt-no-permitted-host-devices/rule.yml

@@ -33,28 +33,3 @@ ocil: |-
     Run the following command to check the HyperConverged configuration:
     <pre>$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.spec.permittedHostDevices}'</pre>
     The output should be empty or show empty lists for both <tt>pciHostDevices</tt> and <tt>mediatedDevices</tt>.
-
-check_type: Platform
-
-scanner_type: CEL
-
-inputs:
-  - name: hcoList
-    kubernetes_input_spec:
-      api_version: hco.kubevirt.io/v1beta1
-      resource: hyperconvergeds
-
-expression: |
-  hcoList.items.filter(h,
-      h.metadata.name == 'kubevirt-hyperconverged' &&
-      h.metadata.namespace == 'openshift-cnv'
-  ).size() == 1 &&
-  hcoList.items.filter(h,
-      h.metadata.name == 'kubevirt-hyperconverged' &&
-      h.metadata.namespace == 'openshift-cnv'
-  ).all(h,
-      !has(h.spec.permittedHostDevices) ||
-      h.spec.permittedHostDevices == null ||
-      (has(h.spec.permittedHostDevices.pciHostDevices) && size(h.spec.permittedHostDevices.pciHostDevices) == 0) &&
-      (has(h.spec.permittedHostDevices.mediatedDevices) && size(h.spec.permittedHostDevices.mediatedDevices) == 0)
-  )

applications/openshift-virtualization/kubevirt-no-vms-overcommitting-guest-memory/cel/shared.yml

@@ -0,0 +1,15 @@
+check_type: Platform
+
+inputs:
+  - name: vms
+    kubernetes_input_spec:
+      api_version: kubevirt.io/v1
+      resource: VirtualMachine
+
+expression: |
+  vms.all(h,
+      !has(h.spec.template.spec.domain.resources) ||
+      !has(h.spec.template.spec.domain.resources.overcommitGuestOverhead) ||
+      (has(h.spec.template.spec.domain.resources.overcommitGuestOverhead) &&
+       h.spec.template.spec.domain.resources.overcommitGuestOverhead == false)
+  )

applications/openshift-virtualization/kubevirt-no-vms-overcommitting-guest-memory/rule.yml

@@ -32,21 +32,3 @@ ocil: |-
     Run the following command to check VirtualMachine configurations:
     <pre>$ oc get virtualmachines -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{": "}{.spec.template.spec.domain.resources.overcommitGuestOverhead}{"\n"}{end}'</pre>
     Make sure no VirtualMachine has <tt>overcommitGuestOverhead</tt> set to <tt>true</tt>.
-
-check_type: Platform
-
-scanner_type: CEL
-
-inputs:
-  - name: vms
-    kubernetes_input_spec:
-      api_version: kubevirt.io/v1
-      resource: VirtualMachine
-
-expression: |
-  vms.all(h,
-      !has(h.spec.template.spec.domain.resources) ||
-      !has(h.spec.template.spec.domain.resources.overcommitGuestOverhead) ||
-      (has(h.spec.template.spec.domain.resources.overcommitGuestOverhead) &&
-       h.spec.template.spec.domain.resources.overcommitGuestOverhead == false)
-  )

applications/openshift-virtualization/kubevirt-nonroot-feature-gate-is-enabled/cel/shared.yml

@@ -0,0 +1,21 @@
+check_type: Platform
+
+inputs:
+  - name: hcoList
+    kubernetes_input_spec:
+      api_version: hco.kubevirt.io/v1beta1
+      resource: hyperconvergeds
+
+expression: |
+  hcoList.items.filter(h,
+      h.metadata.name == 'kubevirt-hyperconverged' &&
+      h.metadata.namespace == 'openshift-cnv'
+  ).size() == 1 &&
+  hcoList.items.filter(h,
+      h.metadata.name == 'kubevirt-hyperconverged' &&
+      h.metadata.namespace == 'openshift-cnv'
+  ).all(h,
+      has(h.spec.featureGates) &&
+      has(h.spec.featureGates.nonRoot) &&
+      h.spec.featureGates.nonRoot == true
+  )

applications/openshift-virtualization/kubevirt-nonroot-feature-gate-is-enabled/rule.yml

@@ -30,27 +30,3 @@ ocil: |-
     Run the following command to check the feature gate configuration:
     <pre>$ oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.spec.featureGates.nonRoot}'</pre>
     The output should be <tt>true</tt>.
-
-check_type: Platform
-
-scanner_type: CEL
-
-inputs:
-  - name: hcoList
-    kubernetes_input_spec:
-      api_version: hco.kubevirt.io/v1beta1
-      resource: hyperconvergeds
-
-expression: |
-  hcoList.items.filter(h,
-      h.metadata.name == 'kubevirt-hyperconverged' &&
-      h.metadata.namespace == 'openshift-cnv'
-  ).size() == 1 &&
-  hcoList.items.filter(h,
-      h.metadata.name == 'kubevirt-hyperconverged' &&
-      h.metadata.namespace == 'openshift-cnv'
-  ).all(h,
-      has(h.spec.featureGates) &&
-      has(h.spec.featureGates.nonRoot) &&
-      h.spec.featureGates.nonRoot == true
-  )

applications/openshift-virtualization/kubevirt-persistent-reservation-disabled/cel/shared.yml

@@ -0,0 +1,21 @@
+check_type: Platform
+
+inputs:
+  - name: hcoList
+    kubernetes_input_spec:
+      api_version: hco.kubevirt.io/v1beta1
+      resource: hyperconvergeds
+
+expression: |
+  hcoList.items.filter(h,
+      h.metadata.name == 'kubevirt-hyperconverged' &&
+      h.metadata.namespace == 'openshift-cnv'
+  ).size() == 1 &&
+  hcoList.items.filter(h,
+      h.metadata.name == 'kubevirt-hyperconverged' &&
+      h.metadata.namespace == 'openshift-cnv'
+  ).all(h,
+      has(h.spec.featureGates) &&
+      has(h.spec.featureGates.persistentReservation) &&
+      h.spec.featureGates.persistentReservation == false
+  )