Enable spellchecking on policies (#47)

Also sync config with cnspec-policies repo

Signed-off-by: Tim Smith <[email protected]>

.github/actions/spelling/allow.txt

@@ -1 +0,0 @@
-

.github/actions/spelling/expect.txt

@@ -0,0 +1,10 @@
+cea
+CUSTOMERID
+ipaddress
+macaddress
+mpim
+nicconfig
+saas
+usergroups
+wmic
+xoxp

.github/actions/spelling/line_forbidden.patterns

@@ -1,17 +1,42 @@
 # Detect common combinations of valid words that are in fact invalid. 
 # Useful for brand capitalizations
 
+#
+# Industry Terms
+#
+
+# s.b. Side scanning
+\bSidescanning\b
+\bsidescanning\b
+
 # s.b. DevOps
 \bDev Ops\b
 \bDevops\b
 
 # s.b. SaaS
 \bSaas\b
-\bsaas\b
+# \bsaas\b disabled here due to false positives
+
+# s.b. REST API
+\bRest API\b
+\brest API\b
+\brest api\b
 
 # s.b. DevSecOps
 \bDevsecops\b
 
+#
+# Product Names
+#
+
+# s.b. macOS
+\bOS X\b
+\bMacOS\b
+\bMac OS\b
+
+# s.b. Elasticsearch
+\bElasticSearch\b
+
 # s.b. DocuSign
 \bDocu Sign\b
 
@@ -26,6 +51,10 @@
 \bMongo DB\b
 \bMongoDb\b
 
+# s.b. MySQL
+\bMysql\b
+\bMySql\b
+
 # s.b. OpenStack
 \bOpen Stack\b
 \bOpenstack\b
@@ -58,18 +87,233 @@
 # s.b. GitLab
 \bGitlab\b
 
-# s.b. EventBridge
-\bEventbridge\b
-
-# s.b. CloudWatch
-\bCloudwatch\b
-
 # s.b. JavaScript
 \bJavascript\b
 
 # s.b. Microsoft
 \bMicroSoft\b
 
+#
+# AWS Products
+#
+
+# s.b. App2Container
+\bApp2container\b
+
+# s.b. AppFlow
+\bAppflow\b
+
+# s.b. AppSync
+\bAppsync\b
+
+# s.b. CloudEnsure
+\bCloudensure\b
+
+# s.b. CloudFormation
+\bCloudformation\b
+
+# s.b. CloudFront
+\bCloudfront\b
+
+# s.b. CloudHSM
+\bCloudHsm\b
+\bCloudhsm\b
+
+# s.b. CloudSearch
+\bCloudsearch\b
+
+# s.b. CloudShell
+\bCloudshell\b
+
+# s.b. CloudTrail
+\bCloudtrail\b
+
+# s.b. CloudWatch
+\bCloudwatch\b
+
+# s.b. CodeArtifact
+\bCodeartifact\b
+
+# s.b. CodeBuild
+\bCodebuild\b
+
+# s.b. CodeCommit
+\bCodecommit\b
+
+# s.b. CodeDeploy
+\bCodedeploy\b
+
+# s.b. CodeGuru
+\bCodeguru\b
+
+# s.b. CodePipeline
+\bCodepipeline\b
+
+# s.b. CodeStar
+\bCodestar\b
+
+# s.b. Copilot
+\bCoPilot\b
+
+# s.b. DeepRacer
+\bDeepracer\b
+
+# s.b. DocumentDB
+\bDocument DB\b
+\bDocumentDb\b
+
+# s.b. DynamoDB
+\bDynamo DB\b
+\bDynamoDb\b
+
+# s.b. ElastiCache
+\bElasticache\b
+
+# s.b. EventBridge
+\bEventbridge\b
+
+# s.b. Fargate
+\bFarGate\b
+
+# s.b. FinSpace
+\bFinSpace\b
+
+# s.b. FSx
+\bFSX\b
+
+# s.b. GameLift
+\bGamelift\b
+
+# s.b. GuardDuty
+\bGuardduty\b
+
+# s.b. Honeycode
+\bHoneyCode\b
+
+# s.b. Lightsail
+\bLightSail\b
+
+# s.b. MXNet
+\bMxnet\b
+\bMXnet\b
+
+# s.b. OpenSearch
+\bOpensearch\b
+
+# s.b. OpenShift
+\bOpenshift\b
+
+# s.b. PrivateLink
+\bPrivatelink\b
+
+# s.b. QuickSight
+\bQuicksight\b
+
+# s.b. Redshift
+\bRedShift\b
+
+# s.b. RoboMaker
+\bRobomaker\b
+
+# s.b. Route 53
+\bRoute53\b
+
+# s.b. SageMaker
+\bSagemaker\b
+
+# s.b. SiteWise
+\bSitewise\b
+
+# s.b. WorkDocs
+\bWorkdocs\b
+
+# s.b. WorkMail
+\bWorkmail\b
+
+#
+# GCP Products
+#
+
+# s.b. Pub/Sub
+\bPubSub\b
+
+# s.b. Cloud SQL
+\bCloudSQL\b
+
+# s.b. Cloud CDN
+\bCloudCDN\b
+
+# s.b. Cloud Functions
+\bCloud functions\b
+
+# s.b. Vertex AI
+\bVertexAI\b
+
+# s.b. Dialogflow
+\bDialogFlow\b
+
+# s.b. Dataplex
+\bDataPlex\b
+
+# s.b. BigLake
+\bBig Lake\b
+
+# s.b. AlloyDB
+\bAlloy DB\b
+
+# s.b. Firestore
+\bFireStore\b
+
+# s.b. Datastream
+\bDataStream\b
+\bData Stream\b
+
+# s.b. Memorystore
+\bMemoryStore\b
+\bMemory Store\b
+
+# s.b. TensorFlow
+\bTensor Flow\b
+
+# s.b. AppEngine
+\bApp Engine\b
+
+# s.b. AppEngine
+\bApp Engine\b
+
+# s.b. Compute Engine
+\bComputeEngine\b
+\bCompute engine\b
+
+# s.b. VMware Engine
+\bVMware engine\b
+\bVMWare Engine\b
+
+# s.b. Knative
+\bKNative\b
+
+# s.b. BigQuery
+\bBig Query\b
+
+# s.b. Cloud Build
+\bCloudBuild\b
+\bCloud build\b
+
+# s.b. Cloud Run
+\bCloudRun\b
+\bCloud run\b
+
+#
+# Azure Products
+#
+
+# s.b. Key Vault
+\bKey vault\b
+
+#
+# Common Typos
+#
+
 # s.b. another
 \ban[- ]other\b
 

.github/actions/spelling/only.txt

@@ -1 +1,2 @@
 \.md$
+\.mql.yaml$

.github/actions/spelling/patterns.txt

@@ -3,10 +3,6 @@
 # acceptable duplicates
 # ls directory listings
 [-bcdlpsw](?:[-r][-w][-sx]){3}\s+\d+\s+(\S+)\s+\g{-1}\s+\d+\s+
-# C types
-\s(long|LONG) \g{-1}\s
-# javadoc / .net
-(?:[\\@](?:groupname|param)|(?:public|private)(?:\s+static|\s+readonly)*)\s+(\w+)\s+\g{-1}\s
 
 # Commit message -- Signed-off-by and friends
 ^\s*(?:(?:Based-on-patch|Co-authored|Helped|Mentored|Reported|Reviewed|Signed-off)-by|Thanks-to): (?:[^<]*<[^>]*>|[^<]*)\s*$
@@ -18,16 +14,38 @@
 \b([A-Za-z])\g{-1}{3,}\b
 
 # ignore funky space IDs that blow up spell checking
-\.api\.mondoo\.app\/spaces\/.*
+api\.mondoo\.app\/space.*\b
+console\.mondoo\.com\/space.*\b
 
 # azure subscription ID
 [0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}
 
 # docker container
-[a-z,0-9]{12}
+\b[a-z,0-9]{12}\b
 
 # URLs in markdown links / images
 ]\(.*\)
 
 # Azure Key Vault Vault. It feels wrong, but it's technically right
 Key Vault Vault
+
+# luna containers in scan output
+\bluna/.*\b
+
+# this comes up in permissions and is valid
+\broot root\b
+
+# AWS resources
+(ami|subnet|vpc|sg)-[0-9a-fA-F]{17}
+
+# http and https URLs
+https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)
+
+# registry key paths
+HKEY_[\w\\]*
+
+# skip mql uids
+uid:\s.*$
+
+# ARNs
+arn:aws\S*

.github/actions/spelling/reject.txt

@@ -1,3 +1,4 @@
+ad-hoc
 ^attache$
 benefitting
 occurences?
@@ -8,3 +9,5 @@ Sorce
 ^untill$
 ^untilling$
 ^wether.*
+\w*(?<!right-)click
+press

.github/workflows/lint.yaml

@@ -1,10 +1,11 @@
-name: Lint Pack
+---
+name: Lint Packs
 
 on:
+  pull_request:
   push:
     branches:
       - main
-  pull_request:
 
 jobs:
   build: