feat: Checking policies for bad statements

Author: Halimer

cis-oci-benchmark/cis_iam_rules.rego

@@ -7,16 +7,16 @@ import input as tfplan
 bad_combo := {"allow group to manage" , "all-resources"}
 
 bad_pairs := {
-    "Allow": "manage",
-    "group": "v3-app-admin-group"
+    "com-admin": "to read all-resources",
+    # "groups": "to manage groups in tenancy"
 }
 
 bad_combination_policies contains bad_policy.address if {
     bad_policy := tfplan.resource_changes[_]
     bad_policy.type == "oci_identity_policy"
     statements := bad_policy.change.after.statements
-        some statement in statements
-            some key, value in bad_pairs
-            contains(statement, key)
-            contains(statement, value)
+    some statement in statements
+    some key, value in bad_pairs
+    contains(statement, value)
+    # contains(statement, value)
 }