IAM SARIF Report

Validate your IAM Policies and SCPs with AWS Policy Validator, and convert those results into SARIF documents for reporting.

Use Me

To generate findings, iam-sarif-report makes AWS API requests. The AWS Principal you use must be allowed to use the access-analyzer:ValidatePolicy command.

{
  "Effect": "Allow",
  "Action": "access-analyzer:ValidatePolicy",
  "Resource": "*"
}

GitHub Action

See the action.yaml for detailed usage information.

on: [push]
jobs:
  example:
    permissions:
      id-token: write
      security-events: write # When using GitHub Advanced Security
      actions: read
      contents: read
      checks: write # When using SARIF annotator
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # setup aws access
      - uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: arn:aws:iam::111111111111:role/my-github-actions-role-test
          aws-region: eu-west-1

      # validate some policies and write a SARIF result file
      - uses: georgealton/iam-sarif-report@v2
        with:
          policies: policies/
          result: results/iam.sarif

      # Public repositories and Organizations with GitHub Advanced Security
      # can upload sarif files using CodeQL
      - uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results

      # Without GitHub Advanced Security use sarif-annotator
      - uses: SirYwell/sarif-annotator@v0.2.1
        with:
          report-path: results/iam.sarif
          source: qodana

Locally

pipx run iam-sarif-report tests/data/policy_checks/policies/*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IAM SARIF Report

Tags

IAM SARIF Report

Use Me

GitHub Action

Locally

Contributors (3)

Resources

About

Tags

Contributors (3)

Resources

IAM SARIF Report

Use Me

GitHub Action

Locally

Contributors3 (3)

Resources

About

Tags

Contributors3 (3)

Resources

Contributors (3)

Contributors (3)