iam-policy-validator 1.14.4__py3-none-any.whl → 1.14.5__py3-none-any.whl

{iam_policy_validator-1.14.4.dist-info → iam_policy_validator-1.14.5.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.14.4
+Version: 1.14.5
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs

{iam_policy_validator-1.14.4.dist-info → iam_policy_validator-1.14.5.dist-info}/RECORD

@@ -1,6 +1,6 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=K_xnaUWCmwON5ETAsNuzottXYU-HSz_ojv0wjnlbS0U,374
+iam_validator/__version__.py,sha256=8ouM89pP7JLVFY6dwrTsOuZeWcu_xuQ3YwT7-1g9xn8,374
 iam_validator/checks/__init__.py,sha256=OTkPnmlelu4YjMO8krjhu2wXiTV72RzopA5u1SfPQA0,1990
 iam_validator/checks/action_condition_enforcement.py,sha256=2-XUMbof9tQ7SHZNmAHMkR1DgbOIzY2eFWlp9S9dwLk,60625
 iam_validator/checks/action_resource_matching.py,sha256=qND0hfDgNoxFEdLWwrxOPVDfdj3k50nzedT2qF7nK7o,19428
@@ -49,11 +49,11 @@ iam_validator/core/finding_fingerprint.py,sha256=NJIlu8NhdenWbLS7ww8LyWFasJgpKWN
 iam_validator/core/ignore_patterns.py,sha256=pZqDJBtkbck-85QK5eFPM5ZOPEKs3McRh3avqiCT5z0,10398
 iam_validator/core/ignore_processor.py,sha256=zgWfS-4BU4c_W6VxUxHIHorMtB5XzB410wZ3bbzVgH8,10686
 iam_validator/core/ignored_findings.py,sha256=b4PySz46so1rGKNt4prg2dkysHPfTJP4wsHYorVn1FA,12756
-iam_validator/core/label_manager.py,sha256=48CRASWg98wyjfVF_1pUzj6dm9itzmG7SeIWf0TSUfc,7502
+iam_validator/core/label_manager.py,sha256=qKQ60shsW8yJELkHgd9rXgzLW9oKErPd4hFTTQkHjbI,8776
 iam_validator/core/models.py,sha256=lXUadIsTpp_j0Vt89Ez7aJkTKs2GD2ty3Ukl2NeY9Zo,15680
 iam_validator/core/policy_checks.py,sha256=FNVuS2GTffwCjjrlupVIazC172gSxKYAAT_ObV6Apbo,8803
 iam_validator/core/policy_loader.py,sha256=iid3mGfDzSXASzKDqbLnrqJHBdVQvvebofVqNImsGKM,29201
-iam_validator/core/pr_commenter.py,sha256=F5ql60E-etGYOIDUSacvlhjsx5E-2hgGqhPbXmYfHqE,35021
+iam_validator/core/pr_commenter.py,sha256=IZu2FQqzw73U_8ugTUq197ECLqk9mRCQpTWXPu5qk0k,35490
 iam_validator/core/report.py,sha256=IEHjNe6v_9nvcGA8_FNbXdG0AoV-yHVjiP1KQKnpEys,41376
 iam_validator/core/aws_service/__init__.py,sha256=UqMh4HUdGlx2QF5OoueJJ2UlCnhX4QW_x3KeE_bxRQc,735
 iam_validator/core/aws_service/cache.py,sha256=DPuOOPPJC867KAYgV1e0RyQs_k3mtefMdYli3jPaN64,3589
@@ -85,7 +85,7 @@ iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFV
 iam_validator/core/formatters/markdown.py,sha256=dk4STeY-tOEZsVrlmolIEqZvWYP9JhRtygxxNA49DEE,2293
 iam_validator/core/formatters/sarif.py,sha256=03MHSyuZm9FlzaPeWg7wH-UTzzCDhSy6vMPrFpFNkS8,18884
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
-iam_validator/integrations/github_integration.py,sha256=OZjVFkeEK0PYerqHFOuc0tFtTMmo78JhbqZgFduzq-8,67949
+iam_validator/integrations/github_integration.py,sha256=IKhJW_v_lGZiuyPN_xWULzv2YBbaXHn8zBfaOdUm28g,69054
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
 iam_validator/sdk/__init__.py,sha256=AZLnfdn3A9AWb0pMhsbu3GAOAzt6rV7Fi3E3d9_3ZdI,6388
 iam_validator/sdk/arn_matching.py,sha256=HSDpLltOYISq-SoPebAlM89mKOaUaghq_04urchEFDA,12778
@@ -99,8 +99,8 @@ iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYu
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.14.4.dist-info/METADATA,sha256=YHZ8MSw6dCEyDQmQm5mdbRNcf75MT-zL3n13ipE-zOQ,34456
-iam_policy_validator-1.14.4.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-iam_policy_validator-1.14.4.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.14.4.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.14.4.dist-info/RECORD,,
+iam_policy_validator-1.14.5.dist-info/METADATA,sha256=h6M6__GqJW5fWPtV0cEDqZ4sK259K5ulz68Jgt6COQE,34456
+iam_policy_validator-1.14.5.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+iam_policy_validator-1.14.5.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.14.5.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.14.5.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.14.4"
+__version__ = "1.14.5"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/core/label_manager.py

@@ -6,10 +6,11 @@ When those severities are not found, it removes the labels if present.
 """
 
 import logging
+from collections.abc import Callable
 from typing import TYPE_CHECKING
 
 if TYPE_CHECKING:
-    from iam_validator.core.models import PolicyValidationResult, ValidationReport
+    from iam_validator.core.models import PolicyValidationResult, ValidationIssue, ValidationReport
     from iam_validator.integrations.github_integration import GitHubIntegration
 
 logger = logging.getLogger(__name__)
@@ -48,11 +49,17 @@ class LabelManager:
         """
         return bool(self.severity_labels) and self.github.is_configured()
 
-    def _get_severities_in_results(self, results: list["PolicyValidationResult"]) -> set[str]:
+    def _get_severities_in_results(
+        self,
+        results: list["PolicyValidationResult"],
+        is_issue_ignored: Callable[["ValidationIssue", str], bool] | None = None,
+    ) -> set[str]:
         """Extract all severity levels found in validation results.
 
         Args:
             results: List of PolicyValidationResult objects
+            is_issue_ignored: Optional callback to check if an issue is ignored.
+                            Takes (issue, file_path) and returns True if ignored.
 
         Returns:
             Set of severity levels found (e.g., {"error", "critical", "high"})
@@ -60,6 +67,9 @@ class LabelManager:
         severities = set()
         for result in results:
             for issue in result.issues:
+                # Skip ignored issues if a filter is provided
+                if is_issue_ignored and is_issue_ignored(issue, result.policy_file):
+                    continue
                 severities.add(issue.severity)
         return severities
 
@@ -113,17 +123,22 @@ class LabelManager:
         return labels_to_remove
 
     async def manage_labels_from_results(
-        self, results: list["PolicyValidationResult"]
+        self,
+        results: list["PolicyValidationResult"],
+        is_issue_ignored: Callable[["ValidationIssue", str], bool] | None = None,
     ) -> tuple[bool, int, int]:
         """Manage PR labels based on validation results.
 
         This method will:
-        1. Determine which severity levels are present in the results
+        1. Determine which severity levels are present in the results (excluding ignored issues)
         2. Add labels for severities that are found
         3. Remove labels for severities that are not found
 
         Args:
             results: List of PolicyValidationResult objects
+            is_issue_ignored: Optional callback to check if an issue is ignored.
+                            Takes (issue, file_path) and returns True if ignored.
+                            Ignored issues are excluded from label determination.
 
         Returns:
             Tuple of (success, labels_added, labels_removed)
@@ -132,8 +147,8 @@ class LabelManager:
             logger.debug("Label management not enabled (no severity_labels configured)")
             return (True, 0, 0)
 
-        # Get all severities found in results
-        found_severities = self._get_severities_in_results(results)
+        # Get all severities found in results (excluding ignored issues)
+        found_severities = self._get_severities_in_results(results, is_issue_ignored)
         logger.debug(f"Found severities in results: {found_severities}")
 
         # Determine which labels to apply/remove
@@ -182,7 +197,11 @@ class LabelManager:
 
         return (success, added_count, removed_count)
 
-    async def manage_labels_from_report(self, report: "ValidationReport") -> tuple[bool, int, int]:
+    async def manage_labels_from_report(
+        self,
+        report: "ValidationReport",
+        is_issue_ignored: Callable[["ValidationIssue", str], bool] | None = None,
+    ) -> tuple[bool, int, int]:
         """Manage PR labels based on validation report.
 
         This is a convenience method that extracts results from the report
@@ -190,8 +209,11 @@ class LabelManager:
 
         Args:
             report: ValidationReport object
+            is_issue_ignored: Optional callback to check if an issue is ignored.
+                            Takes (issue, file_path) and returns True if ignored.
+                            Ignored issues are excluded from label determination.
 
         Returns:
             Tuple of (success, labels_added, labels_removed)
         """
-        return await self.manage_labels_from_results(report.results)
+        return await self.manage_labels_from_results(report.results, is_issue_ignored)

iam_validator/core/pr_commenter.py

@@ -196,7 +196,17 @@ class PRCommenter:
         # Manage PR labels based on severity findings
         if manage_labels and self.severity_labels:
             label_manager = LabelManager(self.github, self.severity_labels)
-            label_success, added, removed = await label_manager.manage_labels_from_report(report)
+
+            # Create a filter function that uses relative paths for ignored finding lookup
+            def is_issue_ignored_for_labels(issue: ValidationIssue, file_path: str) -> bool:
+                relative_path = self._make_relative_path(file_path)
+                if not relative_path:
+                    return False
+                return self._is_issue_ignored(issue, relative_path)
+
+            label_success, added, removed = await label_manager.manage_labels_from_report(
+                report, is_issue_ignored=is_issue_ignored_for_labels
+            )
 
             if not label_success:
                 logger.error("Failed to manage PR labels")

iam_validator/integrations/github_integration.py

@@ -1265,6 +1265,26 @@ class GitHubIntegration:
             f"{created_count} created, {deleted_count} deleted (resolved)"
         )
 
+        # Step 4: If no new comments were created but we need to submit APPROVE/REQUEST_CHANGES,
+        # submit a review without inline comments to update the PR review state.
+        # This is important when all issues are ignored/resolved - we need to dismiss
+        # the previous REQUEST_CHANGES review by submitting an APPROVE review.
+        if not new_comments_for_review and event in (
+            ReviewEvent.APPROVE,
+            ReviewEvent.REQUEST_CHANGES,
+        ):
+            # Only submit if there's a meaningful state change to make
+            # (submitting APPROVE when all issues are resolved/ignored)
+            logger.info(f"Submitting {event.value} review (no inline comments)")
+            success = await self.create_review_with_comments(
+                comments=[],
+                body=body or f"<!-- {identifier} -->\nValidation complete.",
+                event=event,
+            )
+            if not success:
+                logger.warning(f"Failed to submit {event.value} review")
+                # Don't fail the whole operation - comments were managed successfully
+
         return True
 
     def _extract_finding_id(self, body: str) -> str | None: