iam-policy-validator 1.14.4__py3-none-any.whl → 1.14.6__py3-none-any.whl

{iam_policy_validator-1.14.4.dist-info → iam_policy_validator-1.14.6.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.14.4
+Version: 1.14.6
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs

{iam_policy_validator-1.14.4.dist-info → iam_policy_validator-1.14.6.dist-info}/RECORD

@@ -1,6 +1,6 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=K_xnaUWCmwON5ETAsNuzottXYU-HSz_ojv0wjnlbS0U,374
+iam_validator/__version__.py,sha256=WpHTF6NviSa8VivWMnhlxgCYH_CGf0PJr8rvIQ0xQuQ,374
 iam_validator/checks/__init__.py,sha256=OTkPnmlelu4YjMO8krjhu2wXiTV72RzopA5u1SfPQA0,1990
 iam_validator/checks/action_condition_enforcement.py,sha256=2-XUMbof9tQ7SHZNmAHMkR1DgbOIzY2eFWlp9S9dwLk,60625
 iam_validator/checks/action_resource_matching.py,sha256=qND0hfDgNoxFEdLWwrxOPVDfdj3k50nzedT2qF7nK7o,19428
@@ -49,12 +49,12 @@ iam_validator/core/finding_fingerprint.py,sha256=NJIlu8NhdenWbLS7ww8LyWFasJgpKWN
 iam_validator/core/ignore_patterns.py,sha256=pZqDJBtkbck-85QK5eFPM5ZOPEKs3McRh3avqiCT5z0,10398
 iam_validator/core/ignore_processor.py,sha256=zgWfS-4BU4c_W6VxUxHIHorMtB5XzB410wZ3bbzVgH8,10686
 iam_validator/core/ignored_findings.py,sha256=b4PySz46so1rGKNt4prg2dkysHPfTJP4wsHYorVn1FA,12756
-iam_validator/core/label_manager.py,sha256=48CRASWg98wyjfVF_1pUzj6dm9itzmG7SeIWf0TSUfc,7502
+iam_validator/core/label_manager.py,sha256=qKQ60shsW8yJELkHgd9rXgzLW9oKErPd4hFTTQkHjbI,8776
 iam_validator/core/models.py,sha256=lXUadIsTpp_j0Vt89Ez7aJkTKs2GD2ty3Ukl2NeY9Zo,15680
 iam_validator/core/policy_checks.py,sha256=FNVuS2GTffwCjjrlupVIazC172gSxKYAAT_ObV6Apbo,8803
 iam_validator/core/policy_loader.py,sha256=iid3mGfDzSXASzKDqbLnrqJHBdVQvvebofVqNImsGKM,29201
-iam_validator/core/pr_commenter.py,sha256=F5ql60E-etGYOIDUSacvlhjsx5E-2hgGqhPbXmYfHqE,35021
-iam_validator/core/report.py,sha256=IEHjNe6v_9nvcGA8_FNbXdG0AoV-yHVjiP1KQKnpEys,41376
+iam_validator/core/pr_commenter.py,sha256=IZu2FQqzw73U_8ugTUq197ECLqk9mRCQpTWXPu5qk0k,35490
+iam_validator/core/report.py,sha256=IDjBjSrzrE_JdkA8eTiSxyUL3g36sJMhTkxehEYzuBQ,45476
 iam_validator/core/aws_service/__init__.py,sha256=UqMh4HUdGlx2QF5OoueJJ2UlCnhX4QW_x3KeE_bxRQc,735
 iam_validator/core/aws_service/cache.py,sha256=DPuOOPPJC867KAYgV1e0RyQs_k3mtefMdYli3jPaN64,3589
 iam_validator/core/aws_service/client.py,sha256=Zv7rIpEFdUCDXKGp3migPDkj8L5eZltgrGe64M2t2Ko,7336
@@ -85,7 +85,7 @@ iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFV
 iam_validator/core/formatters/markdown.py,sha256=dk4STeY-tOEZsVrlmolIEqZvWYP9JhRtygxxNA49DEE,2293
 iam_validator/core/formatters/sarif.py,sha256=03MHSyuZm9FlzaPeWg7wH-UTzzCDhSy6vMPrFpFNkS8,18884
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
-iam_validator/integrations/github_integration.py,sha256=OZjVFkeEK0PYerqHFOuc0tFtTMmo78JhbqZgFduzq-8,67949
+iam_validator/integrations/github_integration.py,sha256=0aeQ_RPTZf5ij7dsBjmtIDz4oHl0BXLno9GperFzTbc,69004
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
 iam_validator/sdk/__init__.py,sha256=AZLnfdn3A9AWb0pMhsbu3GAOAzt6rV7Fi3E3d9_3ZdI,6388
 iam_validator/sdk/arn_matching.py,sha256=HSDpLltOYISq-SoPebAlM89mKOaUaghq_04urchEFDA,12778
@@ -99,8 +99,8 @@ iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYu
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.14.4.dist-info/METADATA,sha256=YHZ8MSw6dCEyDQmQm5mdbRNcf75MT-zL3n13ipE-zOQ,34456
-iam_policy_validator-1.14.4.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-iam_policy_validator-1.14.4.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.14.4.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.14.4.dist-info/RECORD,,
+iam_policy_validator-1.14.6.dist-info/METADATA,sha256=pAPaTarqbLi7q_cdHu3bkCVeu9BHed34jIQHgMXlj5I,34456
+iam_policy_validator-1.14.6.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+iam_policy_validator-1.14.6.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.14.6.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.14.6.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.14.4"
+__version__ = "1.14.6"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/core/label_manager.py

@@ -6,10 +6,11 @@ When those severities are not found, it removes the labels if present.
 """
 
 import logging
+from collections.abc import Callable
 from typing import TYPE_CHECKING
 
 if TYPE_CHECKING:
-    from iam_validator.core.models import PolicyValidationResult, ValidationReport
+    from iam_validator.core.models import PolicyValidationResult, ValidationIssue, ValidationReport
     from iam_validator.integrations.github_integration import GitHubIntegration
 
 logger = logging.getLogger(__name__)
@@ -48,11 +49,17 @@ class LabelManager:
         """
         return bool(self.severity_labels) and self.github.is_configured()
 
-    def _get_severities_in_results(self, results: list["PolicyValidationResult"]) -> set[str]:
+    def _get_severities_in_results(
+        self,
+        results: list["PolicyValidationResult"],
+        is_issue_ignored: Callable[["ValidationIssue", str], bool] | None = None,
+    ) -> set[str]:
         """Extract all severity levels found in validation results.
 
         Args:
             results: List of PolicyValidationResult objects
+            is_issue_ignored: Optional callback to check if an issue is ignored.
+                            Takes (issue, file_path) and returns True if ignored.
 
         Returns:
             Set of severity levels found (e.g., {"error", "critical", "high"})
@@ -60,6 +67,9 @@ class LabelManager:
         severities = set()
         for result in results:
             for issue in result.issues:
+                # Skip ignored issues if a filter is provided
+                if is_issue_ignored and is_issue_ignored(issue, result.policy_file):
+                    continue
                 severities.add(issue.severity)
         return severities
 
@@ -113,17 +123,22 @@ class LabelManager:
         return labels_to_remove
 
     async def manage_labels_from_results(
-        self, results: list["PolicyValidationResult"]
+        self,
+        results: list["PolicyValidationResult"],
+        is_issue_ignored: Callable[["ValidationIssue", str], bool] | None = None,
     ) -> tuple[bool, int, int]:
         """Manage PR labels based on validation results.
 
         This method will:
-        1. Determine which severity levels are present in the results
+        1. Determine which severity levels are present in the results (excluding ignored issues)
         2. Add labels for severities that are found
         3. Remove labels for severities that are not found
 
         Args:
             results: List of PolicyValidationResult objects
+            is_issue_ignored: Optional callback to check if an issue is ignored.
+                            Takes (issue, file_path) and returns True if ignored.
+                            Ignored issues are excluded from label determination.
 
         Returns:
             Tuple of (success, labels_added, labels_removed)
@@ -132,8 +147,8 @@ class LabelManager:
             logger.debug("Label management not enabled (no severity_labels configured)")
             return (True, 0, 0)
 
-        # Get all severities found in results
-        found_severities = self._get_severities_in_results(results)
+        # Get all severities found in results (excluding ignored issues)
+        found_severities = self._get_severities_in_results(results, is_issue_ignored)
         logger.debug(f"Found severities in results: {found_severities}")
 
         # Determine which labels to apply/remove
@@ -182,7 +197,11 @@ class LabelManager:
 
         return (success, added_count, removed_count)
 
-    async def manage_labels_from_report(self, report: "ValidationReport") -> tuple[bool, int, int]:
+    async def manage_labels_from_report(
+        self,
+        report: "ValidationReport",
+        is_issue_ignored: Callable[["ValidationIssue", str], bool] | None = None,
+    ) -> tuple[bool, int, int]:
         """Manage PR labels based on validation report.
 
         This is a convenience method that extracts results from the report
@@ -190,8 +209,11 @@ class LabelManager:
 
         Args:
             report: ValidationReport object
+            is_issue_ignored: Optional callback to check if an issue is ignored.
+                            Takes (issue, file_path) and returns True if ignored.
+                            Ignored issues are excluded from label determination.
 
         Returns:
             Tuple of (success, labels_added, labels_removed)
         """
-        return await self.manage_labels_from_results(report.results)
+        return await self.manage_labels_from_results(report.results, is_issue_ignored)

iam_validator/core/pr_commenter.py

@@ -196,7 +196,17 @@ class PRCommenter:
         # Manage PR labels based on severity findings
         if manage_labels and self.severity_labels:
             label_manager = LabelManager(self.github, self.severity_labels)
-            label_success, added, removed = await label_manager.manage_labels_from_report(report)
+
+            # Create a filter function that uses relative paths for ignored finding lookup
+            def is_issue_ignored_for_labels(issue: ValidationIssue, file_path: str) -> bool:
+                relative_path = self._make_relative_path(file_path)
+                if not relative_path:
+                    return False
+                return self._is_issue_ignored(issue, relative_path)
+
+            label_success, added, removed = await label_manager.manage_labels_from_report(
+                report, is_issue_ignored=is_issue_ignored_for_labels
+            )
 
             if not label_success:
                 logger.error("Failed to manage PR labels")

iam_validator/core/report.py

@@ -478,13 +478,14 @@ class ReportGenerator:
 
         # Issue breakdown
         if report.total_issues > 0:
-            # Count issues - support both IAM validity and security severities
-            errors = sum(
-                1
-                for r in report.results
-                for i in r.issues
-                if i.severity in constants.HIGH_SEVERITY_LEVELS
+            # Count issues - separate validity errors from security findings
+            validity_errors = sum(
+                1 for r in report.results for i in r.issues if i.severity == "error"
             )
+            critical_findings = sum(
+                1 for r in report.results for i in r.issues if i.severity == "critical"
+            )
+            high_findings = sum(1 for r in report.results for i in r.issues if i.severity == "high")
             warnings = sum(
                 1 for r in report.results for i in r.issues if i.severity in ("warning", "medium")
             )
@@ -496,8 +497,12 @@ class ReportGenerator:
             lines.append("")
             lines.append("| Severity | Count |")
             lines.append("|----------|------:|")
-            if errors > 0:
-                lines.append(f"| 🔴 **Errors** | {errors} |")
+            if validity_errors > 0:
+                lines.append(f"| 🔴 **Errors** | {validity_errors} |")
+            if critical_findings > 0:
+                lines.append(f"| 🟣 **Critical** | {critical_findings} |")
+            if high_findings > 0:
+                lines.append(f"| 🔶 **High** | {high_findings} |")
             if warnings > 0:
                 lines.append(f"| 🟡 **Warnings** | {warnings} |")
             if infos > 0:
@@ -578,15 +583,31 @@ class ReportGenerator:
         )
         lines.append("")
 
-        # Group issues by severity - support both IAM validity and security severities
-        errors = [i for i in result.issues if i.severity in constants.HIGH_SEVERITY_LEVELS]
+        # Group issues by severity - separate validity errors from security findings
+        validity_errors = [i for i in result.issues if i.severity == "error"]
+        critical_findings = [i for i in result.issues if i.severity == "critical"]
+        high_findings = [i for i in result.issues if i.severity == "high"]
         warnings = [i for i in result.issues if i.severity in constants.MEDIUM_SEVERITY_LEVELS]
         infos = [i for i in result.issues if i.severity in constants.LOW_SEVERITY_LEVELS]
 
-        if errors:
+        if validity_errors:
             lines.append("### 🔴 Errors")
             lines.append("")
-            for issue in errors:
+            for issue in validity_errors:
+                lines.append(self._format_issue_markdown(issue, result.policy_file))
+            lines.append("")
+
+        if critical_findings:
+            lines.append("### 🟣 Critical")
+            lines.append("")
+            for issue in critical_findings:
+                lines.append(self._format_issue_markdown(issue, result.policy_file))
+            lines.append("")
+
+        if high_findings:
+            lines.append("### 🔶 High")
+            lines.append("")
+            for issue in high_findings:
                 lines.append(self._format_issue_markdown(issue, result.policy_file))
             lines.append("")
 
@@ -693,13 +714,14 @@ class ReportGenerator:
 
         # Issue breakdown
         if report.total_issues > 0:
-            # Count issues - support both IAM validity and security severities
-            errors = sum(
-                1
-                for r in report.results
-                for i in r.issues
-                if i.severity in constants.HIGH_SEVERITY_LEVELS
+            # Count issues - separate validity errors from security findings
+            validity_errors = sum(
+                1 for r in report.results for i in r.issues if i.severity == "error"
             )
+            critical_findings = sum(
+                1 for r in report.results for i in r.issues if i.severity == "critical"
+            )
+            high_findings = sum(1 for r in report.results for i in r.issues if i.severity == "high")
             warnings = sum(
                 1 for r in report.results for i in r.issues if i.severity in ("warning", "medium")
             )
@@ -711,8 +733,12 @@ class ReportGenerator:
             lines.append("")
             lines.append("| Severity | Count |")
             lines.append("|----------|------:|")
-            if errors > 0:
-                lines.append(f"| 🔴 **Errors** | {errors} |")
+            if validity_errors > 0:
+                lines.append(f"| 🔴 **Errors** | {validity_errors} |")
+            if critical_findings > 0:
+                lines.append(f"| 🟣 **Critical** | {critical_findings} |")
+            if high_findings > 0:
+                lines.append(f"| 🔶 **High** | {high_findings} |")
             if warnings > 0:
                 lines.append(f"| 🟡 **Warnings** | {warnings} |")
             if infos > 0:
@@ -789,15 +815,21 @@ class ReportGenerator:
 
                 policy_lines = []
 
-                # Group issues by severity - support both IAM validity and security severities
-                errors = [i for i in result.issues if i.severity in constants.HIGH_SEVERITY_LEVELS]
+                # Group issues by severity - separate validity errors from security findings
+                validity_errors = [i for i in result.issues if i.severity == "error"]
+                critical_findings = [i for i in result.issues if i.severity == "critical"]
+                high_findings = [i for i in result.issues if i.severity == "high"]
                 warnings = [i for i in result.issues if i.severity in ("warning", "medium")]
                 infos = [i for i in result.issues if i.severity in ("info", "low")]
 
                 # Build severity summary for header
                 severity_parts = []
-                if errors:
-                    severity_parts.append(f"🔴 {len(errors)}")
+                if validity_errors:
+                    severity_parts.append(f"🔴 {len(validity_errors)}")
+                if critical_findings:
+                    severity_parts.append(f"🟣 {len(critical_findings)}")
+                if high_findings:
+                    severity_parts.append(f"🔶 {len(high_findings)}")
                 if warnings:
                     severity_parts.append(f"🟡 {len(warnings)}")
                 if infos:
@@ -812,11 +844,57 @@ class ReportGenerator:
                 )
                 policy_lines.append("")
 
-                # Add errors (prioritized)
-                if errors:
+                # Add validity errors (prioritized)
+                if validity_errors:
                     policy_lines.append("### 🔴 Errors")
                     policy_lines.append("")
-                    for i, issue in enumerate(errors):
+                    for i, issue in enumerate(validity_errors):
+                        issue_content = self._format_issue_markdown(issue, result.policy_file)
+                        test_length = len("\n".join(details_lines + policy_lines)) + len(
+                            issue_content
+                        )
+                        if test_length > available_length:
+                            truncated = True
+                            break
+                        policy_lines.append(issue_content)
+                        issues_shown += 1
+                        # Add separator between issues within same severity
+                        if i < len(validity_errors) - 1:
+                            policy_lines.append("---")
+                            policy_lines.append("")
+                    policy_lines.append("")
+
+                if truncated:
+                    break
+
+                # Add critical security findings
+                if critical_findings:
+                    policy_lines.append("### 🟣 Critical")
+                    policy_lines.append("")
+                    for i, issue in enumerate(critical_findings):
+                        issue_content = self._format_issue_markdown(issue, result.policy_file)
+                        test_length = len("\n".join(details_lines + policy_lines)) + len(
+                            issue_content
+                        )
+                        if test_length > available_length:
+                            truncated = True
+                            break
+                        policy_lines.append(issue_content)
+                        issues_shown += 1
+                        # Add separator between issues within same severity
+                        if i < len(critical_findings) - 1:
+                            policy_lines.append("---")
+                            policy_lines.append("")
+                    policy_lines.append("")
+
+                if truncated:
+                    break
+
+                # Add high security findings
+                if high_findings:
+                    policy_lines.append("### 🔶 High")
+                    policy_lines.append("")
+                    for i, issue in enumerate(high_findings):
                         issue_content = self._format_issue_markdown(issue, result.policy_file)
                         test_length = len("\n".join(details_lines + policy_lines)) + len(
                             issue_content
@@ -827,7 +905,7 @@ class ReportGenerator:
                         policy_lines.append(issue_content)
                         issues_shown += 1
                         # Add separator between issues within same severity
-                        if i < len(errors) - 1:
+                        if i < len(high_findings) - 1:
                             policy_lines.append("---")
                             policy_lines.append("")
                     policy_lines.append("")

iam_validator/integrations/github_integration.py

@@ -1265,6 +1265,26 @@ class GitHubIntegration:
             f"{created_count} created, {deleted_count} deleted (resolved)"
         )
 
+        # Step 4: If no new comments were created but we need to submit APPROVE/REQUEST_CHANGES,
+        # submit a review without inline comments to update the PR review state.
+        # This is important when all issues are ignored/resolved - we need to dismiss
+        # the previous REQUEST_CHANGES review by submitting an APPROVE review.
+        if not new_comments_for_review and event in (
+            ReviewEvent.APPROVE,
+            ReviewEvent.REQUEST_CHANGES,
+        ):
+            # Only submit if there's a meaningful state change to make
+            # (submitting APPROVE when all issues are resolved/ignored)
+            logger.info(f"Submitting {event.value} review (no inline comments)")
+            success = await self.create_review_with_comments(
+                comments=[],
+                body=body,
+                event=event,
+            )
+            if not success:
+                logger.warning(f"Failed to submit {event.value} review")
+                # Don't fail the whole operation - comments were managed successfully
+
         return True
 
     def _extract_finding_id(self, body: str) -> str | None: