Tracee-rules: dispatchEvents as a pipeline? #1277
AlonZivony started this conversation in Development
It didn't use to be the case. It seems that https://github.com/aquasecurity/tracee/pull/984/files moved it from the input source loop (one parse per event) to the dispatch (one parse per signature). WDYT @simar7 @danielpacak ?
I looked at the code of the engine in tracee-rules while working on adding a pipeline myself to the events channel from tracee-ebpf to the signatures.
I saw that dispatch events checks, for each event, whether to parse the event to OPA, and does so if configured to. This is done for each signature, which means that each event is parsed n times, where n is the number of signatures.
Wouldn't it be better to just add it as a pipeline, if configured, before the events are distributed to each signature, so it will add logic only if configured to, and only once per event?
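The two layouts discussed in this thread, side by side, as an added example that is not part of the original discussion and is not tracee-rules code. All type and function names (`Event`, `Parsed`, `parseForOPA`, `ParseStage`, `CountParses`) are hypothetical, and the event names are constructed samples.

```go
package main

import "fmt"

// Hypothetical stand-ins, not tracee-rules identifiers.
type Event struct{ Name string }   // raw event from the input source
type Parsed struct{ Input string } // form handed to OPA-based signatures
var parseCalls, delivered int // conversions run; values handed to signatures
func parseForOPA(e Event) Parsed { parseCalls++; return Parsed{"opa:" + e.Name} }

// ParseStage is wired in only when parsing is configured: one parse per event.
func ParseStage(in <-chan Event) <-chan Parsed {
	out := make(chan Parsed)
	go func() {
		defer close(out)
		for e := range in {
			out <- parseForOPA(e)
		}
	}()
	return out
}

// CountParses sends the events to nSigs signatures and returns the parse count.
func CountParses(names []string, nSigs int, pipelined bool) int {
	parseCalls, delivered = 0, 0
	sig := func(Parsed) { delivered++ } // each signature is modelled as a counter
	in := make(chan Event, len(names))
	for _, n := range names {
		in <- Event{n}
	}
	close(in)
	if pipelined {
		for p := range ParseStage(in) { // shared value: signatures must not mutate it
			for i := 0; i < nSigs; i++ {
				sig(p)
			}
		}
	} else {
		for e := range in { // parse inside the signature loop: n parses per event
			for i := 0; i < nSigs; i++ {
				sig(parseForOPA(e))
			}
		}
	}
	return parseCalls
}

func main() {
	ev := []string{"execve", "ptrace", "openat"} // constructed sample event names
	fmt.Println(CountParses(ev, 4, false), CountParses(ev, 4, true))
}
```

Both layouts hand the same number of values to the signatures; only the number of conversions differs.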