refactor: rename init() to Register*() in central nist80053 complianc…

…e checks Renamed all package-level init() functions to explicit Register*() functions in 20 central nist80053 compliance check files. Created init.go to call all register functions explicitly. Deleted all.go with blank imports. This prevents automatic execution for all components in the busybox binary. Central compliance checks now only run when explicitly initialized via centralChecks.Init() in central/app/app.go. Files changed: - 20 check files: init() → Register*() (e.g., check_ac_14: RegisterAC14()) - init.go: created to call all 20 Register*() functions - all.go: deleted (blank imports no longer needed) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
stackrox · janisz · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
commit f487fd355082e89b1e95d35ba000b02a7971f2b8
diff --git a/central/compliance/checks/nist80053/all.go b/central/compliance/checks/nist80053/all.go
diff --git a/central/compliance/checks/nist80053/check_ac_14/check.go b/central/compliance/checks/nist80053/check_ac_14/check.go
@@ -106,7 +106,7 @@ func checkNoExtraPrivilegesForUnauthenticated(ctx framework.ComplianceContext) {
 	}
 }
 
-func init() {
+func RegisterAC14() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_ca_9/check.go b/central/compliance/checks/nist80053/check_ca_9/check.go
@@ -12,7 +12,7 @@ const (
 	interpretationText = common.CheckNetworkPoliciesByDeploymentInterpretation
 )
 
-func init() {
+func RegisterCA9() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_cm_11/check.go b/central/compliance/checks/nist80053/check_cm_11/check.go
@@ -70,7 +70,7 @@ func checkAllDefaultRuntimePackageManagementPoliciesEnabled(ctx framework.Compli
 	}
 }
 
-func init() {
+func RegisterCM11() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_cm_2/check.go b/central/compliance/checks/nist80053/check_cm_2/check.go
@@ -19,7 +19,7 @@ var (
 For this control, ` + common.AnyPolicyInLifeCycleInterpretation(phase)
 )
 
-func init() {
+func RegisterCM2() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_cm_3/check.go b/central/compliance/checks/nist80053/check_cm_3/check.go
@@ -19,7 +19,7 @@ var (
 For this control, ` + common.AnyPolicyInLifecycleStageEnforcedInterpretation(phase)
 )
 
-func init() {
+func RegisterCM3() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_cm_5/check.go b/central/compliance/checks/nist80053/check_cm_5/check.go
@@ -15,7 +15,7 @@ const (
 ` + common.LimitedUsersAndGroupsWithClusterAdminInterpretation
 )
 
-func init() {
+func RegisterCM5() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_cm_6/check.go b/central/compliance/checks/nist80053/check_cm_6/check.go
@@ -16,7 +16,7 @@ For this control, ` + common.CheckNoViolationsForDeployPhasePoliciesInterpretati
 To approve a deviation, resolve the policy violation or adjust the scope or exclusions for the policy.`
 )
 
-func init() {
+func RegisterCM6() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_cm_7/check.go b/central/compliance/checks/nist80053/check_cm_7/check.go
@@ -19,7 +19,7 @@ For this control, StackRox validates that at least one policy is enabled and enf
   2) runtime behavior.`
 )
 
-func init() {
+func RegisterCM7() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_cm_8/check.go b/central/compliance/checks/nist80053/check_cm_8/check.go
@@ -14,7 +14,7 @@ const (
 For this control, ` + common.AllDeployedImagesHaveMatchingIntegrationsInterpretation
 )
 
-func init() {
+func RegisterCM8() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_ir_4_5/check.go b/central/compliance/checks/nist80053/check_ir_4_5/check.go
@@ -19,7 +19,7 @@ var (
 For this control, ` + common.AnyPolicyInLifecycleStageEnforcedInterpretation(phase)
 )
 
-func init() {
+func RegisterIR45() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_ir_5/check.go b/central/compliance/checks/nist80053/check_ir_5/check.go
@@ -19,7 +19,7 @@ var (
 For this control, ` + common.AnyPolicyInLifeCycleInterpretation(phase)
 )
 
-func init() {
+func RegisterIR5() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_ir_6_1/check.go b/central/compliance/checks/nist80053/check_ir_6_1/check.go
@@ -15,7 +15,7 @@ const (
 For this control, StackRox checks that at least one runtime policy is set to notify at least one workflow tool.`
 )
 
-func init() {
+func RegisterIR61() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_ra_3/check.go b/central/compliance/checks/nist80053/check_ra_3/check.go
@@ -13,7 +13,7 @@ const (
 For this control, StackRox checks that StackRox components are installed in each cluster, providing continuous multi-factor risk assessment.`
 )
 
-func init() {
+func RegisterRA3() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_ra_5/check.go b/central/compliance/checks/nist80053/check_ra_5/check.go
@@ -33,7 +33,7 @@ func checkNoUnresolvedAlertsForPolicies(ctx framework.ComplianceContext, policyI
 	}
 }
 
-func init() {
+func RegisterRA5() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_sa_10/check.go b/central/compliance/checks/nist80053/check_sa_10/check.go
@@ -19,7 +19,7 @@ var (
 For this control, ` + common.AnyPolicyInLifeCycleInterpretation(phase)
 )
 
-func init() {
+func RegisterSA10() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_sc_6/check.go b/central/compliance/checks/nist80053/check_sc_6/check.go
@@ -16,7 +16,7 @@ const (
 For this control, StackRox checks that at least one policy requiring CPU limits and memory limits is enabled and enforced.`
 )
 
-func init() {
+func RegisterSC6() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_sc_7/check.go b/central/compliance/checks/nist80053/check_sc_7/check.go
@@ -12,7 +12,7 @@ const (
 	interpretationText = common.CheckNetworkPoliciesByDeploymentInterpretation
 )
 
-func init() {
+func RegisterSC7() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_si_2_2/check.go b/central/compliance/checks/nist80053/check_si_2_2/check.go
@@ -16,7 +16,7 @@ For this control, ` + common.AllDeployedImagesHaveMatchingIntegrationsInterpreta
 Also, ` + common.CheckAtLeastOnePolicyEnabledReferringToVulnsInterpretation
 )
 
-func init() {
+func RegisterSI22() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_si_3_8/check.go b/central/compliance/checks/nist80053/check_si_3_8/check.go
@@ -19,7 +19,7 @@ var (
 For this control, ` + common.AnyPolicyInLifeCycleInterpretation(phase)
 )
 
-func init() {
+func RegisterSI38() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/check_si_4/check.go b/central/compliance/checks/nist80053/check_si_4/check.go
@@ -38,7 +38,7 @@ func checkClusterCheckedInInThePastHour(ctx framework.ComplianceContext) {
 	}
 }
 
-func init() {
+func RegisterSI4() {
 	framework.MustRegisterNewCheck(
 		framework.CheckMetadata{
 			ID:                 controlID,

diff --git a/central/compliance/checks/nist80053/init.go b/central/compliance/checks/nist80053/init.go
@@ -0,0 +1,49 @@
+package nist80053
+
+import (
+	checkac14 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_ac_14"
+	checkca9 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_ca_9"
+	checkcm11 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_cm_11"
+	checkcm2 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_cm_2"
+	checkcm3 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_cm_3"
+	checkcm5 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_cm_5"
+	checkcm6 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_cm_6"
+	checkcm7 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_cm_7"
+	checkcm8 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_cm_8"
+	checkir45 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_ir_4_5"
+	checkir5 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_ir_5"
+	checkir61 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_ir_6_1"
+	checkra3 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_ra_3"
+	checkra5 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_ra_5"
+	checksa10 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_sa_10"
+	checksc6 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_sc_6"
+	checksc7 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_sc_7"
+	checksi22 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_si_2_2"
+	checksi38 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_si_3_8"
+	checksi4 "github.com/stackrox/rox/central/compliance/checks/nist80053/check_si_4"
+)
+
+// Init registers all central NIST 800-53 compliance checks.
+// Called explicitly from central/compliance/checks/all.go instead of package init().
+func Init() {
+	checkac14.RegisterAC14()
+	checkca9.RegisterCA9()
+	checkcm11.RegisterCM11()
+	checkcm2.RegisterCM2()
+	checkcm3.RegisterCM3()
+	checkcm5.RegisterCM5()
+	checkcm6.RegisterCM6()
+	checkcm7.RegisterCM7()
+	checkcm8.RegisterCM8()
+	checkir45.RegisterIR45()
+	checkir5.RegisterIR5()
+	checkir61.RegisterIR61()
+	checkra3.RegisterRA3()
+	checkra5.RegisterRA5()
+	checksa10.RegisterSA10()
+	checksc6.RegisterSC6()
+	checksc7.RegisterSC7()
+	checksi22.RegisterSI22()
+	checksi38.RegisterSI38()
+	checksi4.RegisterSI4()
+}