Skip to content

Validate your IAM Policies and SCPs with AWS Policy Validator, and convert those results into SARIF documents for reporting.

License

Notifications You must be signed in to change notification settings

georgealton/iam-sarif-report

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Repository files navigation

IAM SARIF Report

Code style: black

Validate your IAM Policies and SCPs with AWS Policy Validator, and convert those results into SARIF documents for reporting.

Use Me

To generate findings, iam-sarif-report makes AWS API requests. The AWS Principal you use must be allowed to use the access-analyzer:ValidatePolicy command.

{
  "Effect": "Allow",
  "Action": "access-analyzer:ValidatePolicy",
  "Resource": "*"
}

GitHub Action

See the action.yaml for detailed usage information.

on: [push]
jobs:
  example:
    permissions:
      id-token: write
      security-events: write # When using GitHub Advanced Security
      actions: read
      contents: read
      checks: write # When using SARIF annotator
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # setup aws access
      - uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: arn:aws:iam::111111111111:role/my-github-actions-role-test
          aws-region: eu-west-1

      # validate some policies and write a SARIF result file
      - uses: georgealton/iam-sarif-report@v2
        with:
          policies: policies/
          result: results/iam.sarif

      # Public repositories and Organizations with GitHub Advanced Security
      # can upload sarif files using CodeQL
      - uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results

      # Without GitHub Advanced Security use sarif-annotator
      - uses: SirYwell/[email protected]
        with:
          report-path: results/iam.sarif
          source: qodana

Locally

pipx run iam-sarif-report tests/data/policy_checks/policies/*