Skip to content

Latest commit

 

History

History
66 lines (52 loc) · 1.78 KB

README.md

File metadata and controls

66 lines (52 loc) · 1.78 KB

IAM SARIF Report

Code style: black

Validate your IAM Policies and SCPs with AWS Policy Validator, and convert those results into SARIF documents for reporting.

Use Me

To generate findings, iam-sarif-report makes AWS API requests. The AWS Principal you use must be allowed to use the access-analyzer:ValidatePolicy command.

{
  "Effect": "Allow",
  "Action": "access-analyzer:ValidatePolicy",
  "Resource": "*"
}

GitHub Action

See the action.yaml for detailed usage information.

on: [push]
jobs:
  example:
    permissions:
      id-token: write
      security-events: write # When using GitHub Advanced Security
      actions: read
      contents: read
      checks: write # When using SARIF annotator
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # setup aws access
      - uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: arn:aws:iam::111111111111:role/my-github-actions-role-test
          aws-region: eu-west-1

      # validate some policies and write a SARIF result file
      - uses: georgealton/iam-sarif-report@v2
        with:
          policies: policies/
          result: results/iam.sarif

      # Public repositories and Organizations with GitHub Advanced Security
      # can upload sarif files using CodeQL
      - uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results

      # Without GitHub Advanced Security use sarif-annotator
      - uses: SirYwell/[email protected]
        with:
          report-path: results/iam.sarif
          source: qodana

Locally

pipx run iam-sarif-report tests/data/policy_checks/policies/*