PyPI - iam-policy-validator - Versions diffs - 1.0.3__py3-none-any.whl → 1.1.0__py3-none-any.whl - Mend

iam-policy-validator 1.0.3py3-none-any.whl → 1.1.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of iam-policy-validator might be problematic. Click here for more details.

Files changed (20) hide show

{iam_policy_validator-1.0.3.dist-info → iam_policy_validator-1.1.0.dist-info}/METADATA +210 -436
{iam_policy_validator-1.0.3.dist-info → iam_policy_validator-1.1.0.dist-info}/RECORD +20 -18
iam_validator/__version__.py +1 -1
iam_validator/checks/action_condition_enforcement.py +112 -28
iam_validator/checks/security_best_practices.py +103 -12
iam_validator/commands/validate.py +7 -5
iam_validator/core/cli.py +26 -9
iam_validator/core/config_loader.py +39 -3
iam_validator/core/defaults.py +304 -0
iam_validator/core/formatters/__init__.py +2 -0
iam_validator/core/formatters/console.py +44 -7
iam_validator/core/formatters/csv.py +7 -2
iam_validator/core/formatters/enhanced.py +428 -0
iam_validator/core/formatters/html.py +127 -37
iam_validator/core/formatters/markdown.py +10 -2
iam_validator/core/models.py +30 -6
iam_validator/core/report.py +104 -25
{iam_policy_validator-1.0.3.dist-info → iam_policy_validator-1.1.0.dist-info}/WHEEL +0 -0
{iam_policy_validator-1.0.3.dist-info → iam_policy_validator-1.1.0.dist-info}/entry_points.txt +0 -0
{iam_policy_validator-1.0.3.dist-info → iam_policy_validator-1.1.0.dist-info}/licenses/LICENSE +0 -0

{iam_policy_validator-1.0.3.dist-info → iam_policy_validator-1.1.0.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.0.3
+Version: 1.1.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
@@ -40,7 +40,7 @@ Requires-Dist: types-boto3; extra == 'dev'
 Requires-Dist: types-pyyaml; extra == 'dev'
 Description-Content-Type: text/markdown
-# IAM Validator
+# IAM Policy Validator
 A high-performance GitHub Action and Python CLI tool that validates AWS IAM policies for correctness and security by checking against the official AWS Service Reference API.
@@ -70,7 +70,8 @@ A high-performance GitHub Action and Python CLI tool that validates AWS IAM poli
 - **Comment Updates**: Update existing comments instead of creating duplicates
 ### Output Formats
-- **Console**: Rich terminal output with colors and tables
+- **Console** (default): Clean terminal output with colors and tables
+- **Enhanced**: Modern visual output with progress bars, tree structure, and rich visuals
 - **JSON**: Structured format for programmatic processing
 - **Markdown**: GitHub-flavored markdown for PR comments
 - **SARIF**: GitHub code scanning integration format
@@ -85,9 +86,13 @@ A high-performance GitHub Action and Python CLI tool that validates AWS IAM poli
 ## Quick Start
-### As a GitHub Action
+### As a GitHub Action (Recommended) ⭐
-#### Option 1: Basic Validation (Custom Checks Only)
+The IAM Policy Validator is available as **both** a standalone GitHub Action and a Python module. Choose the approach that best fits your needs:
+#### **Option A: Standalone GitHub Action** (Recommended - Zero Setup)
+Use the published action directly - it handles all setup automatically:
 Create `.github/workflows/iam-policy-validator.yml`:
@@ -108,38 +113,29 @@ jobs:
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-      - name: Install uv
-        uses: astral-sh/setup-uv@v3
-      - name: Install dependencies
-        run: uv sync
+        uses: actions/checkout@v5
       - name: Validate IAM Policies
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          uv run iam-validator validate \
-            --path ./policies/ \
-            --github-comment \
-            --github-review \
-            --fail-on-warnings
+        uses: boogy/iam-policy-validator@v1
+        with:
+          path: policies/
+          post-comment: true
+          create-review: true
+          fail-on-warnings: true
 ```
-#### Option 2: Sequential Validation (Recommended) ⭐
+**Benefits:**
+- ✅ Zero setup - action handles Python, uv, and dependencies
+- ✅ Automatic dependency caching
+- ✅ Simple, declarative configuration
+- ✅ Perfect for CI/CD workflows
-Run AWS Access Analyzer first, then custom checks if it passes:
+#### With AWS Access Analyzer (Standalone Action)
+Use AWS's official policy validation service:
 ```yaml
-name: Sequential IAM Policy Validation
+name: IAM Policy Validation with Access Analyzer
 on:
   pull_request:
@@ -156,7 +152,7 @@ jobs:
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
@@ -164,53 +160,28 @@ jobs:
           role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
           aws-region: us-east-1
-      - name: Set up Python
-        uses: actions/setup-python@v5
+      - name: Validate with Access Analyzer
+        uses: boogy/iam-policy-validator@v1
         with:
-          python-version: '3.12'
-      - name: Install uv
-        uses: astral-sh/setup-uv@v3
-      - name: Install dependencies
-        run: uv sync
-      - name: Sequential Validation
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_REPOSITORY: ${{ github.repository }}
-          GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          # Posts 2 separate PR comments:
-          # 1. Access Analyzer results (immediate)
-          # 2. Custom validation (only if Access Analyzer passes)
-          uv run iam-validator analyze \
-            --path ./policies/ \
-            --github-comment \
-            --run-all-checks \
-            --github-review \
-            --fail-on-warnings
+          path: policies/
+          use-access-analyzer: true
+          run-all-checks: true
+          post-comment: true
+          create-review: true
+          fail-on-warnings: true
 ```
-**Why Sequential Validation?**
-- ✅ Access Analyzer validates first (fast, official AWS validation)
-- ✅ If errors found, stops immediately (saves time)
-- ✅ Only runs custom checks if Access Analyzer passes
-- ✅ Two separate PR comments for clear separation
-#### Option 3: Multiple Paths
+#### **Option B: As Python Module/CLI Tool**
-Validate policies across multiple directories and files:
+For advanced use cases or when you need more control:
 ```yaml
-name: Multi-Path IAM Policy Validation
+name: IAM Policy Validation (CLI)
 on:
   pull_request:
     paths:
-      - 'iam/**/*.json'
-      - 's3-policies/**/*.json'
-      - 'lambda-policies/**/*.json'
+      - 'policies/**/*.json'
 jobs:
   validate:
@@ -221,12 +192,12 @@ jobs:
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.12'
+          python-version: '3.13'
       - name: Install uv
         uses: astral-sh/setup-uv@v3
@@ -234,24 +205,29 @@ jobs:
       - name: Install dependencies
         run: uv sync
-      - name: Validate Multiple Paths
+      - name: Validate IAM Policies
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_REPOSITORY: ${{ github.repository }}
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
           uv run iam-validator validate \
-            --path ./iam/ \
-            --path ./s3-policies/ \
-            --path ./lambda-policies/special-policy.json \
+            --path ./policies/ \
             --github-comment \
             --github-review \
-            --fail-on-warnings
+            --fail-on-warnings \
+            --log-level info
 ```
-#### Option 4: Custom Policy Checks in GitHub Actions
+**Use this when you need:**
+- Advanced CLI options (e.g., `--log-level`, `--custom-checks-dir`, `--stream`)
+- Full control over the Python environment
+- Integration with existing Python workflows
+- Multiple validation commands in sequence
+#### Custom Policy Checks (Standalone Action)
-Use custom policy checks to enforce specific security requirements:
+Enforce specific security requirements:
 ```yaml
 name: IAM Policy Security Validation
@@ -262,7 +238,7 @@ on:
       - 'policies/**/*.json'
 jobs:
-  validate-with-custom-checks:
+  validate-security:
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -271,7 +247,7 @@ jobs:
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
@@ -281,7 +257,7 @@ jobs:
       # Prevent dangerous actions
       - name: Check for Dangerous Actions
-        uses: boogy/iam-policy-auditor@v1
+        uses: boogy/iam-policy-validator@v1
         with:
           path: policies/
           use-access-analyzer: true
@@ -291,7 +267,7 @@ jobs:
       # Check S3 bucket policies for public access
       - name: Check S3 Public Access
-        uses: boogy/iam-policy-auditor@v1
+        uses: boogy/iam-policy-validator@v1
         with:
           path: s3-policies/
           use-access-analyzer: true
@@ -309,7 +285,7 @@ jobs:
           path: baseline
       - name: Check for New Access
-        uses: boogy/iam-policy-auditor@v1
+        uses: boogy/iam-policy-validator@v1
         with:
           path: policies/role-policy.json
           use-access-analyzer: true
@@ -318,46 +294,152 @@ jobs:
           fail-on-warnings: true
 ```
-See [examples/github-actions/](examples/github-actions/) for more workflow examples including resource policies, multi-region validation, and custom policy checks.
+---
+### Choosing the Right Approach
+| Feature               | Standalone Action        | Python Module/CLI                                                        |
+| --------------------- | ------------------------ | ------------------------------------------------------------------------ |
+| Setup Required        | None - fully automated   | Manual (Python, uv, dependencies)                                        |
+| Configuration         | YAML inputs              | CLI arguments                                                            |
+| Advanced Options      | Limited to action inputs | Full CLI access (`--log-level`, `--custom-checks-dir`, `--stream`, etc.) |
+| Custom Checks         | Via config file only     | Via config file or `--custom-checks-dir`                                 |
+| Best For              | CI/CD, simple workflows  | Development, advanced workflows, testing                                 |
+| Dependency Management | Automatic                | Manual                                                                   |
+**Recommendation:** Use the **Standalone Action** for production CI/CD workflows, and the **Python Module/CLI** for development, testing, or when you need advanced features.
+#### Multiple Paths (Standalone Action)
+Validate policies across multiple directories:
+```yaml
+- name: Validate Multiple Paths
+  uses: boogy/iam-policy-validator@v1
+  with:
+    path: |
+      iam/
+      s3-policies/
+      lambda-policies/special-policy.json
+    post-comment: true
+    fail-on-warnings: true
+```
+#### Custom Configuration
+Use a custom configuration file to customize validation rules:
+```yaml
+name: IAM Policy Validation with Custom Config
+on:
+  pull_request:
+    paths:
+      - 'policies/**/*.json'
+      - '.iam-validator.yaml'
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+      - name: Validate with Custom Config
+        uses: boogy/iam-policy-validator@v1
+        with:
+          path: policies/
+          config-file: .iam-validator.yaml
+          post-comment: true
+          create-review: true
+          fail-on-warnings: true
+```
+**Example `.iam-validator.yaml`:**
+```yaml
+settings:
+  fail_fast: false
+  enable_builtin_checks: true
+# Custom check configurations
+security_best_practices_check:
+  enabled: true
+  wildcard_action_check:
+    enabled: true
+    severity: high
+action_condition_enforcement_check:
+  enabled: true
+  severity: critical
+  action_condition_requirements:
+    - actions:
+        - "iam:PassRole"
+      severity: critical
+      required_conditions:
+        - condition_key: "iam:PassedToService"
+```
+See [default-config.yaml](default-config.yaml) for a complete configuration example.
+### GitHub Action Inputs
+| Input                         | Description                                                            | Required | Default           |
+| ----------------------------- | ---------------------------------------------------------------------- | -------- | ----------------- |
+| `path`                        | Path(s) to IAM policy file or directory (newline-separated)            | Yes      | -                 |
+| `config-file`                 | Path to custom configuration file (iam-validator.yaml)                 | No       | ""                |
+| `fail-on-warnings`            | Fail validation if warnings are found                                  | No       | `false`           |
+| `post-comment`                | Post validation results as PR comment                                  | No       | `true`            |
+| `create-review`               | Create line-specific review comments on PR                             | No       | `true`            |
+| `format`                      | Output format (console, enhanced, json, markdown, sarif, csv, html)    | No       | `console`         |
+| `output-file`                 | Path to save output file                                               | No       | ""                |
+| `recursive`                   | Recursively search directories for policy files                        | No       | `true`            |
+| `use-access-analyzer`         | Use AWS IAM Access Analyzer for validation                             | No       | `false`           |
+| `access-analyzer-region`      | AWS region for Access Analyzer                                         | No       | `us-east-1`       |
+| `policy-type`                 | Policy type (IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY) | No       | `IDENTITY_POLICY` |
+| `run-all-checks`              | Run custom checks after Access Analyzer                                | No       | `false`           |
+| `check-access-not-granted`    | Actions that should NOT be granted (space-separated)                   | No       | ""                |
+| `check-access-resources`      | Resources to check with check-access-not-granted                       | No       | ""                |
+| `check-no-new-access`         | Path to baseline policy to compare against                             | No       | ""                |
+| `check-no-public-access`      | Check that resource policies do not allow public access                | No       | `false`           |
+| `public-access-resource-type` | Resource type(s) for public access check                               | No       | `AWS::S3::Bucket` |
+See [examples/github-actions/](examples/github-actions/) for more workflow examples.
 ### As a CLI Tool
+Install and use locally for development:
 ```bash
-# Clone and install
-git clone https://github.com/boogy/iam-policy-auditor.git
-cd iam-policy-auditor
-uv sync
+# Install from PyPI
+pip install iam-policy-validator
+# Or install with pipx (recommended for CLI tools)
+pipx install iam-policy-validator
 # Validate a single policy
-uv run iam-validator validate --path policy.json
+iam-validator validate --path policy.json
 # Validate all policies in a directory
-uv run iam-validator validate --path ./policies/
+iam-validator validate --path ./policies/
-# Validate multiple paths (files and directories)
-uv run iam-validator validate --path policy1.json --path ./policies/ --path ./more-policies/
+# Validate multiple paths
+iam-validator validate --path policy1.json --path ./policies/ --path ./more-policies/
 # Generate JSON output
-uv run iam-validator validate --path ./policies/ --format json --output report.json
-# Post validation results to a PR with line-specific comments
-uv run iam-validator validate --path ./policies/ --github-comment --github-review
-# Two-step workflow: generate report, then post to PR
-uv run iam-validator validate --path ./policies/ --format json --output report.json
-uv run iam-validator post-to-pr --report report.json
+iam-validator validate --path ./policies/ --format json --output report.json
 # Validate with AWS IAM Access Analyzer
-uv run iam-validator analyze --path policy.json
+iam-validator analyze --path policy.json
 # Analyze with specific region and profile
-uv run iam-validator analyze --path policy.json --region us-west-2 --profile my-profile
-# Post Access Analyzer results to PR
-uv run iam-validator analyze --path policy.json --github-comment
+iam-validator analyze --path policy.json --region us-west-2 --profile my-profile
-# Sequential validation: Access Analyzer → Custom Checks (if AA passes)
-uv run iam-validator analyze \
+# Sequential validation: Access Analyzer → Custom Checks
+iam-validator analyze \
   --path policy.json \
   --github-comment \
   --run-all-checks \
@@ -374,18 +456,18 @@ Verify that policies do NOT grant specific actions (max 100 actions, 100 resourc
 ```bash
 # Check that policies don't grant dangerous S3 actions
-uv run iam-validator analyze \
+iam-validator analyze \
   --path ./policies/ \
   --check-access-not-granted s3:DeleteBucket s3:DeleteObject
-# Scope to specific resources (wildcards only in resource ID portion)
-uv run iam-validator analyze \
+# Scope to specific resources
+iam-validator analyze \
   --path ./policies/ \
   --check-access-not-granted s3:PutObject \
   --check-access-resources "arn:aws:s3:::production-bucket/*"
 # Prevent privilege escalation
-uv run iam-validator analyze \
+iam-validator analyze \
   --path ./policies/ \
   --check-access-not-granted \
     iam:CreateAccessKey \
@@ -397,17 +479,17 @@ uv run iam-validator analyze \
 #### 2. CheckNoNewAccess - Validate Policy Updates
-Ensure policy changes don't grant new permissions (both policies must be same type):
+Ensure policy changes don't grant new permissions:
 ```bash
 # Compare updated policy against baseline
-uv run iam-validator analyze \
+iam-validator analyze \
   --path ./new-policy.json \
   --check-no-new-access ./old-policy.json
 # In CI/CD - compare against main branch
 git show main:policies/policy.json > baseline-policy.json
-uv run iam-validator analyze \
+iam-validator analyze \
   --path policies/policy.json \
   --check-no-new-access baseline-policy.json
 ```
@@ -416,39 +498,25 @@ uv run iam-validator analyze \
 #### 3. CheckNoPublicAccess - Prevent Public Exposure
-Validate that resource policies don't allow public access (RESOURCE_POLICY only, 29+ resource types):
+Validate that resource policies don't allow public access (29+ resource types):
 ```bash
 # Check S3 bucket policies
-uv run iam-validator analyze \
+iam-validator analyze \
   --path ./bucket-policy.json \
   --policy-type RESOURCE_POLICY \
   --check-no-public-access \
   --public-access-resource-type "AWS::S3::Bucket"
-# Check Lambda function policies
-uv run iam-validator analyze \
-  --path ./lambda-policy.json \
-  --policy-type RESOURCE_POLICY \
-  --check-no-public-access \
-  --public-access-resource-type "AWS::Lambda::Function"
-# Check KMS key policies
-uv run iam-validator analyze \
-  --path ./kms-policy.json \
-  --policy-type RESOURCE_POLICY \
-  --check-no-public-access \
-  --public-access-resource-type "AWS::KMS::Key"
-# Check multiple resource types at once
-uv run iam-validator analyze \
+# Check multiple resource types
+iam-validator analyze \
   --path ./resource-policies/ \
   --policy-type RESOURCE_POLICY \
   --check-no-public-access \
   --public-access-resource-type "AWS::S3::Bucket" "AWS::Lambda::Function" "AWS::SNS::Topic"
 # Check ALL 29 resource types
-uv run iam-validator analyze \
+iam-validator analyze \
   --path ./resource-policies/ \
   --policy-type RESOURCE_POLICY \
   --check-no-public-access \
@@ -464,17 +532,11 @@ uv run iam-validator analyze \
 - **API**: API Gateway REST API
 - **DevOps**: CodeArtifact Domain, Backup Vault, CloudTrail
-See [docs/custom-policy-checks.md](docs/custom-policy-checks.md) for complete documentation and examples.
+See [docs/custom-policy-checks.md](docs/custom-policy-checks.md) for complete documentation.
 ### As a Python Package
-```bash
-# Install from PyPI (once published)
-pip install iam-policy-validator
-# Or install from source
-pip install git+https://github.com/boogy/iam-policy-auditor.git
-```
+Use as a library in your Python applications:
 ```python
 import asyncio
@@ -496,82 +558,6 @@ async def main():
 asyncio.run(main())
 ```
-## Memory Management & Performance
-### Streaming Mode (Recommended for Large Policy Sets)
-The validator supports two processing modes:
-#### 1. **Batch Mode (Default)**
-Loads all policies into memory at once. Best for:
-- Small to medium policy sets (< 100 files)
-- When you need the full summary upfront
-- Local development
-#### 2. **Streaming Mode** (`--stream`)
-Processes policies one-by-one. Best for:
-- Large policy sets (100+ files)
-- CI/CD environments (auto-enabled)
-- Limited memory environments
-- Progressive feedback (see results as they come)
-```bash
-# Enable streaming mode explicitly
-uv run iam-validator validate --path ./policies/ --stream
-# Streaming mode with GitHub PR comments (posts per-file reviews progressively)
-uv run iam-validator validate \
-  --path ./policies/ \
-  --stream \
-  --github-comment \
-  --github-review
-```
-**Streaming Benefits:**
-- ✅ **Lower Memory Usage**: Only one policy in memory at a time
-- ✅ **Progressive Feedback**: See results immediately as files are processed
-- ✅ **Partial Results**: Get results even if later files fail
-- ✅ **Better CI/CD Experience**: GitHub PR comments appear progressively
-- ✅ **Auto-enabled in CI**: Automatically detects CI environment
-**File Size Limits:**
-- Default max file size: 100MB per policy file
-- Files exceeding limit are skipped with a warning
-- Prevents memory exhaustion from unexpectedly large files
-### GitHub Action Memory Optimization
-The GitHub Action automatically uses streaming mode in CI environments:
-```yaml
-- name: Validate Large Policy Set
-  run: |
-    # Streaming is auto-enabled in CI
-    uv run iam-validator validate \
-      --path ./policies/ \
-      --github-comment \
-      --github-review
-```
-## Configuration
-### GitHub Action Inputs
-| Input              | Description                                                 | Required | Default |
-| ------------------ | ----------------------------------------------------------- | -------- | ------- |
-| `path`             | Path(s) to IAM policy file or directory (newline-separated) | Yes      | -       |
-| `fail-on-warnings` | Fail validation if warnings are found                       | No       | `false` |
-| `post-comment`     | Post validation results as PR comment                       | No       | `true`  |
-| `create-review`    | Create line-specific review comments on PR                  | No       | `true`  |
-### Environment Variables
-For GitHub integration:
-- `GITHUB_TOKEN`: GitHub API token (automatically provided in GitHub Actions)
-- `GITHUB_REPOSITORY`: Repository in format `owner/repo`
-- `GITHUB_PR_NUMBER`: Pull request number
 ## Validation Checks
 ### 1. Action Validation
@@ -664,156 +650,6 @@ Run 2: Finds 3 issues → Deletes old 5 comments → Posts 3 new comments + upda
 Result: PR always shows current state, no stale comments
 ```
-### Post PR Comments
-Automatically posts validation results as PR comments:
-```python
-async with GitHubIntegration() as github:
-    await github.post_comment(validation_report)
-```
-### Line-Specific Comments
-Add comments to specific lines in policy files:
-```python
-comments = [
-    {
-        "path": "policies/policy.json",
-        "line": 5,
-        "body": "Invalid action detected here",
-    }
-]
-await github.create_review_with_comments(comments)
-```
-### Manage Labels
-Add or remove labels based on validation results:
-```python
-# Add labels
-await github.add_labels(["iam-policy", "security-review"])
-# Remove labels
-await github.remove_label("needs-review")
-# Set labels (replaces all existing)
-await github.set_labels(["approved", "security-validated"])
-```
-### Set Commit Status
-Update commit status based on validation:
-```python
-await github.set_commit_status(
-    state="success",  # or "error", "failure", "pending"
-    context="IAM Policy Validator",
-    description="All policies validated successfully"
-)
-```
-## CLI Usage
-### Analyze Command (AWS IAM Access Analyzer)
-The `analyze` command uses AWS IAM Access Analyzer's ValidatePolicy API to validate IAM policies. This provides AWS's official policy validation with detailed findings about errors, security warnings, and suggestions.
-**New in latest version:** Post results to GitHub PRs and run sequential validation (Access Analyzer → Custom Checks).
-**Prerequisites**: You need AWS credentials configured. The tool will use the standard AWS credential chain (environment variables, AWS profile, IAM role, etc.).
-```bash
-iam-validator analyze --path PATH [OPTIONS]
-Options:
-  --path PATH, -p PATH          Path to IAM policy file or directory (required)
-  --format {console,json,markdown}
-                                Output format (default: console)
-  --output OUTPUT, -o OUTPUT    Output file path (only for json/markdown)
-  --region REGION, -r REGION    AWS region for Access Analyzer (default: us-east-1)
-  --policy-type {IDENTITY_POLICY,RESOURCE_POLICY,SERVICE_CONTROL_POLICY}
-                                Type of IAM policy to validate (default: IDENTITY_POLICY)
-  --profile PROFILE             AWS profile name to use for credentials
-  --github-comment              Post Access Analyzer results as GitHub PR comment
-  --run-all-checks              Run full validation if Access Analyzer passes
-  --github-review               Add line-specific review comments (requires --run-all-checks)
-  --no-recursive                Don't recursively search directories
-  --fail-on-warnings            Fail validation if warnings are found
-  --verbose, -v                 Enable verbose logging
-```
-**Examples**:
-```bash
-# Analyze a single identity policy
-iam-validator analyze --path policy.json
-# Analyze an S3 bucket policy (resource policy)
-iam-validator analyze --path bucket-policy.json --policy-type RESOURCE_POLICY
-# Analyze multiple paths
-iam-validator analyze --path ./iam/ --path ./s3-policies/ --path bucket-policy.json
-# Analyze with specific AWS profile and region
-iam-validator analyze --path policy.json --profile prod --region us-west-2
-# Post Access Analyzer results to PR
-iam-validator analyze --path policy.json --github-comment
-# Sequential validation: Run Access Analyzer, then custom checks if it passes
-iam-validator analyze \
-  --path policy.json \
-  --github-comment \
-  --run-all-checks \
-  --github-review
-# Generate JSON output
-iam-validator analyze --path ./policies/ --format json --output analyzer-report.json
-# Fail on any finding (including warnings and suggestions)
-iam-validator analyze --path policy.json --fail-on-warnings
-```
-**Access Analyzer Finding Types**:
-- **ERROR**: Syntax errors or invalid policy elements that prevent the policy from working
-- **SECURITY_WARNING**: Security issues that should be addressed
-- **WARNING**: Best practice violations or potential issues
-- **SUGGESTION**: Recommendations for policy improvements
-### Validate Command
-```bash
-iam-validator validate --path PATH [OPTIONS]
-Options:
-  --path PATH, -p PATH          Path to IAM policy file or directory (required)
-  --format {console,json,markdown}
-                                Output format (default: console)
-  --output OUTPUT, -o OUTPUT    Output file path (only for json/markdown)
-  --no-recursive                Don't recursively search directories
-  --fail-on-warnings            Fail validation if warnings are found
-  --github-comment              Post validation results as GitHub PR comment
-  --github-review               Create line-specific review comments (requires --github-comment)
-  --verbose, -v                 Enable verbose logging
-```
-### Post-to-PR Command
-```bash
-iam-validator post-to-pr --report REPORT [OPTIONS]
-Options:
-  --report REPORT, -r REPORT    Path to JSON report file (required)
-  --create-review               Create line-specific review comments (default: true)
-  --no-review                   Don't create line-specific review comments
-  --add-summary                 Add summary comment (default: true)
-  --no-summary                  Don't add summary comment
-  --verbose, -v                 Enable verbose logging
-```
 ## Example Output
 ### Console Output
@@ -857,68 +693,6 @@ Options:
   - 💡 Suggestion: This grants full administrative access. Restrict to specific actions and resources.
 ```
-## Development
-### Project Structure
-```
-iam-policy-auditor/
-├── action.yaml                          # GitHub Action definition
-├── pyproject.toml                       # Python project configuration
-├── iam_validator/                       # Main Python package
-│   ├── iam_validator/
-│   │   ├── __init__.py
-│   │   ├── models.py                   # Pydantic models
-│   │   ├── aws_fetcher.py              # AWS Service Reference API client
-│   │   ├── github_integration.py       # GitHub API client
-│   │   ├── cli.py                      # CLI interface
-│   │   ├── utils.py                    # Utility functions
-│   │   └── core/
-│   │       ├── policy_loader.py        # Policy file loader
-│   │       ├── policy_checks.py        # Validation logic
-│   │       └── report.py               # Report generation
-│   └── pyproject.toml
-└── examples/
-    ├── sample_policy.json              # Valid example
-    └── invalid_policy.json             # Invalid example
-```
-### Running Tests
-```bash
-cd iam-policy-validator
-uv run pytest
-```
-### Type Checking
-```bash
-uv run mypy iam_validator/
-```
-## Architecture
-### AWS Service Reference API
-The validator fetches real-time service information from AWS's official service reference API:
-```
-https://servicereference.us-east-1.amazonaws.com/
-```
-This ensures validation is always up-to-date with the latest AWS services and actions.
-### Validation Flow
-1. **Load Policies**: Parse JSON/YAML policy files
-2. **Fetch Service Data**: Get service information from AWS API (with caching)
-3. **Validate Actions**: Check each action against service definitions
-4. **Validate Conditions**: Verify condition keys are valid for actions
-5. **Validate Resources**: Check ARN format and structure
-6. **Security Checks**: Identify security best practice violations
-7. **Generate Report**: Create formatted output in desired format
-8. **GitHub Integration**: Post comments/labels to PR (if enabled)
 ## 📚 Documentation
 **[📖 Complete Documentation →](DOCS.md)**
@@ -949,7 +723,7 @@ Contributions are welcome! We appreciate your help in making this project better
 ### How to Contribute
 1. **Read the [Contributing Guide](CONTRIBUTING.md)** - Comprehensive guide for contributors
-2. **Check [existing issues](https://github.com/boogy/iam-policy-auditor/issues)** - Find something to work on
+2. **Check [existing issues](https://github.com/boogy/iam-policy-validator/issues)** - Find something to work on
 3. **Fork the repository** - Create your own copy
 4. **Make your changes** - Follow our code quality standards
 5. **Submit a Pull Request** - We'll review and merge
@@ -958,17 +732,17 @@ Contributions are welcome! We appreciate your help in making this project better
 ```bash
 # Clone your fork
-git clone https://github.com/YOUR-USERNAME/iam-policy-auditor.git
-cd iam-policy-auditor
+git clone https://github.com/YOUR-USERNAME/iam-policy-validator.git
+cd iam-policy-validator
 # Install dependencies
 uv sync --extra dev
 # Run tests
-make test
+uv run pytest
-# Run quality checks
-make check
+# Run linting
+uv run ruff check .
 ```
 See [CONTRIBUTING.md](CONTRIBUTING.md) for detailed instructions.
@@ -980,5 +754,5 @@ This project is licensed under the MIT License - see the [LICENSE](LICENSE) file
 ## 🆘 Support
 - **Documentation**: Check the [docs/](docs/) directory
-- **Issues**: Report bugs or request features via [GitHub Issues](https://github.com/boogy/iam-policy-auditor/issues)
-- **Questions**: Ask questions in [GitHub Discussions](https://github.com/boogy/iam-policy-auditor/discussions)
+- **Issues**: Report bugs or request features via [GitHub Issues](https://github.com/boogy/iam-policy-validator/issues)
+- **Questions**: Ask questions in [GitHub Discussions](https://github.com/boogy/iam-policy-validator/discussions)

iam-policy-validator 1.0.3__py3-none-any.whl → 1.1.0__py3-none-any.whl

Potentially problematic release.

iam-policy-validator 1.0.3py3-none-any.whl → 1.1.0py3-none-any.whl