Explore using OPA to evaluate compliance controls
Problem to solve
As part of the custom adherence report MVC we are evaluating the controls against each project and have decided to go with a custom approach for a range of reasons, as outlined here: https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/compliance-adherence-reporting/decisions/003_custom_controls/
Initially GitLab will be in control of both the query and the evaluation. But as the feature scales there may be a requirement for customers to define their own queries.
Proposal
Explore using Open Policy Agent (OPA) to do the evaluation and provide users with a standard but more open way to build queries.
OPA's query language, Rego, has a playground for debugging and a linter/LSP.
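As an added example (not from this issue or from GitLab's code), the following Rego policy shows what a control definition could look like if the evaluation were delegated to OPA: each control is a boolean rule over a project document supplied as `input`, and the policy aggregates them into a report. The control names, the shape of the `input.project` document and the sample values are assumptions made up for illustration.

```rego
package compliance.controls

import rego.v1

# Constructed sample input (an assumption, not GitLab's real project schema):
# {
#   "project": {
#     "default_branch": "main",
#     "protected_branches": ["main"],
#     "merge_request_approvals_required": 2,
#     "push_rules": {"reject_unsigned_commits": true}
#   }
# }

# Each control is a rule that is true only when the project satisfies it.
# The `default ... := false` lines make a missing field count as a failure
# instead of leaving the rule undefined.
default default_branch_protected := false

default_branch_protected if {
	input.project.default_branch in input.project.protected_branches
}

default minimum_approvals_required := false

minimum_approvals_required if {
	input.project.merge_request_approvals_required >= 2
}

default unsigned_commits_rejected := false

unsigned_commits_rejected if {
	input.project.push_rules.reject_unsigned_commits == true
}

# Per-control results, keyed by control name, for the adherence report.
report := {
	"default_branch_protected": default_branch_protected,
	"minimum_approvals_required": minimum_approvals_required,
	"unsigned_commits_rejected": unsigned_commits_rejected,
}

# Set of controls that did not pass.
failing_controls contains name if {
	some name, passed in report
	not passed
}

# The project is compliant only when no control fails.
compliant if count(failing_controls) == 0
```

With the policy saved as `controls.rego` and the sample document as `project.json`, `opa eval -d controls.rego -i project.json 'data.compliance.controls.report'` returns the per-control results, and querying `data.compliance.controls.failing_controls` lists only the failures. Removing `"main"` from `protected_branches` in the sample input flips `default_branch_protected` to `false` and `compliant` to `false`, which is the behaviour an adherence report needs: an absent or malformed field is reported as a failed control rather than silently dropped.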
Workaround
Once implemented, external checks can be used for rego query evaluation tied to control definitions