Use Case
I have an IAM Policy with, say, invalid service name "servicedoesntexist", invalid action "iamactiondoesntexists" and invalid condition key "conditionkeydoesntexist".
Observed Output
Parliament returns on the first finding, invalid service "UNKNOWN_PREFIX", and returns a single finding.
Desired Output
Parliament continues and identifies all three findings. This way we can catch all issues with the IAM Policy in the pipeline, rather than iteratively updating and deploying to the pipeline to find each error.
This is a hard problem, but an important one, because, for example, if you mute the finding for UNKNOWN_PREFIX, you will think your policy is fine: that finding has resulted in the other findings being hidden, because Parliament can't proceed with other checks until that one is resolved.
I think in a generic sense this is a hard problem to deal with, because right now, by the time I get to each check, I assume that everything else about the policy is basically correct. Breaking that assumption could make things a lot more complicated, but I think in specific cases, such as the issues indicated, it may be possible without too much complexity.
The UNKNOWN_* findings should not be muted, but they also should not abort the rest of the evaluation. They are not severe errors. They are no worse than a RESOURCE_MISMATCH. If changing this behavior may affect other projects, then maybe this should be an option.
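As an added illustration of the behaviour requested in this issue (example code, not Parliament's own): a minimal checker that, with `stop_on_first=True`, reproduces the short-circuit and reports only UNKNOWN_PREFIX, and otherwise keeps going and reports all three findings. The allowlists, the sample policy and the finding names other than UNKNOWN_PREFIX are constructed for the example.

```python
# Added example, not Parliament's code: a tiny IAM policy checker that can either stop
# at the first finding or keep going and report every finding. KNOWN_SERVICES and
# KNOWN_CONDITION_KEYS are constructed stand-ins for the real reference data, and the
# finding names other than UNKNOWN_PREFIX are assumed labels, not Parliament's.
KNOWN_SERVICES = {"s3": {"GetObject", "PutObject"}, "iam": {"GetRole", "PassRole"}}
KNOWN_CONDITION_KEYS = {"aws:SourceIp", "aws:PrincipalArn"}


def _as_list(value):
    """IAM allows either a single string or a list in Statement/Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy, stop_on_first=False):
    """Return (finding, detail) tuples; stop_on_first mirrors the short-circuit behaviour."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        for action in _as_list(stmt.get("Action")):
            prefix, _, name = action.partition(":")
            if prefix.lower() not in KNOWN_SERVICES:
                findings.append(("UNKNOWN_PREFIX", action))
            elif name != "*" and name not in KNOWN_SERVICES[prefix.lower()]:
                findings.append(("UNKNOWN_ACTION", action))
            if stop_on_first and findings:
                return findings
        # Condition keys are still checked even when an action was already flagged.
        for keys in stmt.get("Condition", {}).values():
            for key in keys:
                if key not in KNOWN_CONDITION_KEYS:
                    findings.append(("UNKNOWN_CONDITION_KEY", key))
                if stop_on_first and findings:
                    return findings
    return findings


# Constructed policy carrying the three defects described in the issue.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["servicedoesntexist:DoThing", "iam:iamactiondoesntexists"],
        "Resource": "*",
        "Condition": {"StringEquals": {"conditionkeydoesntexist": "10.0.0.0/8"}},
    }],
}
```

Running `check_policy(POLICY)` yields three findings in statement order, whereas `check_policy(POLICY, stop_on_first=True)` returns only the UNKNOWN_PREFIX one, which is the gap the issue describes.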
0xdabbad00 changed the title from "Identify all findings" to "Don't short-circuit checks after one issue is found" on Jul 31, 2020
0xdabbad00 changed the title from "Don't short-circuit checks after one issue is found" to "Don't short-circuit checks (one issue can in some cases hide additional findings)" on Jul 31, 2020