GitHub Action
IAM SARIF Report
v2.3.3
Latest version
Validate your IAM Policies and SCPs with AWS Policy Validator, and convert those results into SARIF documents for reporting.
To generate findings, iam-sarif-report makes AWS API requests. The AWS Principal you use must be allowed to use the access-analyzer:ValidatePolicy command.
{
"Effect": "Allow",
"Action": "access-analyzer:ValidatePolicy",
"Resource": "*"
}See the action.yaml for detailed usage information.
on: [push]
jobs:
example:
permissions:
id-token: write
security-events: write # When using GitHub Advanced Security
actions: read
contents: read
checks: write # When using SARIF annotator
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# setup aws access
- uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: arn:aws:iam::111111111111:role/my-github-actions-role-test
aws-region: eu-west-1
# validate some policies and write a SARIF result file
- uses: georgealton/iam-sarif-report@v2
with:
policies: policies/
result: results/iam.sarif
# Public repositories and Organizations with GitHub Advanced Security
# can upload sarif files using CodeQL
- uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results
# Without GitHub Advanced Security use sarif-annotator
- uses: SirYwell/[email protected]
with:
report-path: results/iam.sarif
source: qodanapipx run iam-sarif-report tests/data/policy_checks/policies/*