CMP-2470: Add a benchmark annotation to the Profile CRD

Project: Cloud Infrastructure Security & Compliance

Type: Story
Resolution: Unresolved
Component: Compliance Operator

Currently, we have Profile CRDs that correspond to benchmarks. For example, we ship a PCI-DSS profile that includes rules implementing automated checks for the PCI-DSS benchmark.

However, we don't have a programmatic way to determine the benchmark from the Profile data, including its labels and annotations. A human reading the Profile title or description can probably infer that the PCI-DSS profile is meant for the PCI-DSS benchmark, but it's harder for machines to do this without making an assumption and using regular expressions to parse something that looks like a benchmark name out of the profile title and description.

This story tracks the work necessary to add a new annotation to the Profile CRD that contains the benchmark as a string.

For example, in the Rule CRD we use "control.compliance.openshift.io/PCI-DSS" as an annotation to denote applicable controls. We could elaborate on this by adding a "benchmark.compliance.openshift.io": "PCI-DSS" annotation to the profile, which would associate the two in a programmatic way.

However, we may need to update the annotation to support versions (e.g., "PCI-DSS-3.2.1", "PCI-DSS-4.0.0", or "CIS-OCP-1.5.0"), since not all versions of a benchmark are going to have consistent control mappings across versions.

This is necessary for ACS to traverse from ComplianceCheckResults to the benchmark, or in other words, to render the applicable controls for a result or rule.
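Added example in Go (not from the story or the Compliance Operator code base): a parser for the proposed Profile benchmark annotation, accepting both the plain form ("PCI-DSS") and the versioned form ("CIS-OCP-1.5.0") floated above, plus a lookup that resolves a Rule's applicable controls for that benchmark from the existing control annotation. The control IDs and the ';'-separated annotation value format are constructed assumptions.

```go
package main

import (
	"regexp"
	"strings"
)

// Keys from the story: the existing Rule control prefix and the proposed
// Profile benchmark key. Versioned values ("PCI-DSS-3.2.1") follow the
// story's suggestion; they are not a shipped format.
const (
	benchmarkAnnotation = "benchmark.compliance.openshift.io"
	controlPrefix       = "control.compliance.openshift.io/"
)

// Splits a trailing dotted numeric version off a benchmark name:
// "CIS-OCP-1.5.0" -> ("CIS-OCP", "1.5.0"); "PCI-DSS" keeps no version.
var benchmarkVersionRE = regexp.MustCompile(`^(.+?)-(\d+(?:\.\d+)*)$`)
// Benchmark is the parsed form of the proposed Profile annotation.
type Benchmark struct{ Name, Version string }

// ParseBenchmark reads the benchmark from a Profile's annotations instead of
// guessing it from the title; ok is false when the annotation is absent.
func ParseBenchmark(profileAnnotations map[string]string) (b Benchmark, ok bool) {
	raw := strings.TrimSpace(profileAnnotations[benchmarkAnnotation])
	if raw == "" {
		return Benchmark{}, false
	}
	if m := benchmarkVersionRE.FindStringSubmatch(raw); m != nil {
		return Benchmark{Name: m[1], Version: m[2]}, true
	}
	return Benchmark{Name: raw}, true
}

// ControlsFor returns the control IDs a Rule declares for b, preferring a
// version-specific key ("control.../PCI-DSS-3.2.1") over the plain one because
// mappings differ across versions. Value format (';'-separated) is assumed.
func ControlsFor(ruleAnnotations map[string]string, b Benchmark) []string {
	keys := []string{controlPrefix + b.Name}
	if b.Version != "" {
		keys = append([]string{controlPrefix + b.Name + "-" + b.Version}, keys...)
	}
	for _, key := range keys {
		if v := strings.TrimSpace(ruleAnnotations[key]); v != "" {
			return strings.Split(v, ";")
		}
	}
	return nil
}
```

A Rule that carries only the unversioned control key still resolves for a versioned Profile benchmark, so existing Rule annotations keep working while versioned mappings are added.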

Assignee / Reporter: Lance Bragstad (lbragsta@redhat.com)