iam-policy-validator 1.3.1__py3-none-any.whl → 1.5.0__py3-none-any.whl

iam_validator/commands/download_services.py

@@ -9,20 +9,15 @@ from pathlib import Path
 
 import httpx
 from rich.console import Console
-from rich.progress import (
-    BarColumn,
-    Progress,
-    TaskID,
-    TextColumn,
-    TimeRemainingColumn,
-)
+from rich.progress import BarColumn, Progress, TaskID, TextColumn, TimeRemainingColumn
 
 from iam_validator.commands.base import Command
+from iam_validator.core.config import AWS_SERVICE_REFERENCE_BASE_URL
 
 logger = logging.getLogger(__name__)
 console = Console()
 
-BASE_URL = "https://servicereference.us-east-1.amazonaws.com/"
+BASE_URL = AWS_SERVICE_REFERENCE_BASE_URL
 DEFAULT_OUTPUT_DIR = Path("aws_services")
 
 

iam_validator/commands/post_to_pr.py

@@ -68,12 +68,19 @@ Examples:
             help="Don't add summary comment",
         )
 
+        parser.add_argument(
+            "--config",
+            "-c",
+            help="Path to configuration file (for fail_on_severity setting)",
+        )
+
     async def execute(self, args: argparse.Namespace) -> int:
         """Execute the post-to-pr command."""
         success = await post_report_to_pr(
             args.report,
             create_review=args.create_review,
             add_summary=args.add_summary,
+            config_path=getattr(args, "config", None),
         )
 
         return 0 if success else 1

iam_validator/commands/validate.py

@@ -3,8 +3,10 @@
 import argparse
 import logging
 import os
+from typing import cast
 
 from iam_validator.commands.base import Command
+from iam_validator.core.models import PolicyType, ValidationReport
 from iam_validator.core.policy_checks import validate_policies
 from iam_validator.core.policy_loader import PolicyLoader
 from iam_validator.core.report import ReportGenerator
@@ -41,8 +43,20 @@ Examples:
   # Generate JSON output
   iam-validator validate --path ./policies/ --format json --output report.json
 
-  # Post to GitHub PR with line comments
-  iam-validator validate --path ./policies/ --github-comment --github-review
+  # Validate resource policies (S3 bucket policies, SNS topics, etc.)
+  iam-validator validate --path ./bucket-policies/ --policy-type RESOURCE_POLICY
+
+  # GitHub integration - all options (PR comment + review comments + job summary)
+  iam-validator validate --path ./policies/ --github-comment --github-review --github-summary
+
+  # Only line-specific review comments (clean, minimal)
+  iam-validator validate --path ./policies/ --github-review
+
+  # Only PR summary comment
+  iam-validator validate --path ./policies/ --github-comment
+
+  # Only GitHub Actions job summary
+  iam-validator validate --path ./policies/ --github-summary
         """
 
     def add_arguments(self, parser: argparse.ArgumentParser) -> None:
@@ -82,16 +96,37 @@ Examples:
             help="Fail validation if warnings are found (default: only fail on errors)",
         )
 
+        parser.add_argument(
+            "--policy-type",
+            "-t",
+            choices=[
+                "IDENTITY_POLICY",
+                "RESOURCE_POLICY",
+                "SERVICE_CONTROL_POLICY",
+                "RESOURCE_CONTROL_POLICY",
+            ],
+            default="IDENTITY_POLICY",
+            help="Type of IAM policy being validated (default: IDENTITY_POLICY). "
+            "Enables policy-type-specific validation (e.g., requiring Principal for resource policies, "
+            "strict RCP requirements for resource control policies)",
+        )
+
         parser.add_argument(
             "--github-comment",
             action="store_true",
-            help="Post validation results as GitHub PR comment",
+            help="Post summary comment to PR conversation",
         )
 
         parser.add_argument(
             "--github-review",
             action="store_true",
-            help="Create line-specific review comments on PR (requires --github-comment)",
+            help="Create line-specific review comments on PR files",
+        )
+
+        parser.add_argument(
+            "--github-summary",
+            action="store_true",
+            help="Write summary to GitHub Actions job summary (visible in Actions tab)",
         )
 
         parser.add_argument(
@@ -131,6 +166,18 @@ Examples:
             help="Number of policies to process per batch (default: 10, only with --stream)",
         )
 
+        parser.add_argument(
+            "--no-summary",
+            action="store_true",
+            help="Hide Executive Summary section in enhanced format output",
+        )
+
+        parser.add_argument(
+            "--no-severity-breakdown",
+            action="store_true",
+            help="Hide Issue Severity Breakdown section in enhanced format output",
+        )
+
     async def execute(self, args: argparse.Namespace) -> int:
         """Execute the validate command."""
         # Check if streaming mode is enabled
@@ -165,11 +212,13 @@ Examples:
         use_registry = not getattr(args, "no_registry", False)
         config_path = getattr(args, "config", None)
         custom_checks_dir = getattr(args, "custom_checks_dir", None)
+        policy_type = cast(PolicyType, getattr(args, "policy_type", "IDENTITY_POLICY"))
         results = await validate_policies(
             policies,
             config_path=config_path,
             use_registry=use_registry,
             custom_checks_dir=custom_checks_dir,
+            policy_type=policy_type,
         )
 
         # Generate report
@@ -192,7 +241,14 @@ Examples:
                 print(generator.generate_github_comment(report))
         else:
             # Use formatter registry for other formats (enhanced, html, csv, sarif)
-            output_content = generator.format_report(report, args.format)
+            # Pass options for enhanced format
+            format_options = {}
+            if args.format == "enhanced":
+                format_options["show_summary"] = not getattr(args, "no_summary", False)
+                format_options["show_severity_breakdown"] = not getattr(
+                    args, "no_severity_breakdown", False
+                )
+            output_content = generator.format_report(report, args.format, **format_options)
             if args.output:
                 with open(args.output, "w", encoding="utf-8") as f:
                     f.write(output_content)
@@ -201,19 +257,28 @@ Examples:
                 print(output_content)
 
         # Post to GitHub if configured
-        if args.github_comment:
+        if args.github_comment or getattr(args, "github_review", False):
+            from iam_validator.core.config_loader import ConfigLoader
             from iam_validator.core.pr_commenter import PRCommenter
 
+            # Load config to get fail_on_severity setting
+            config = ConfigLoader.load_config(config_path)
+            fail_on_severities = config.get_setting("fail_on_severity", ["error", "critical"])
+
             async with GitHubIntegration() as github:
-                commenter = PRCommenter(github)
+                commenter = PRCommenter(github, fail_on_severities=fail_on_severities)
                 success = await commenter.post_findings_to_pr(
                     report,
-                    create_review=getattr(args, "github_review", True),
-                    add_summary_comment=True,
+                    create_review=getattr(args, "github_review", False),
+                    add_summary_comment=args.github_comment,
                 )
                 if not success:
                     logging.error("Failed to post to GitHub PR")
 
+        # Write to GitHub Actions job summary if configured
+        if getattr(args, "github_summary", False):
+            self._write_github_actions_summary(report)
+
         # Return exit code based on validation results
         if args.fail_on_warnings:
             return 0 if report.total_issues == 0 else 1
@@ -234,12 +299,13 @@ Examples:
         use_registry = not getattr(args, "no_registry", False)
         config_path = getattr(args, "config", None)
         custom_checks_dir = getattr(args, "custom_checks_dir", None)
+        policy_type = cast(PolicyType, getattr(args, "policy_type", "IDENTITY_POLICY"))
 
         all_results = []
         total_processed = 0
 
         # Clean up old review comments at the start (before posting any new ones)
-        if args.github_comment and getattr(args, "github_review", False):
+        if getattr(args, "github_review", False):
             await self._cleanup_old_comments()
 
         logging.info(f"Starting streaming validation from {len(args.paths)} path(s)")
@@ -257,6 +323,7 @@ Examples:
                 config_path=config_path,
                 use_registry=use_registry,
                 custom_checks_dir=custom_checks_dir,
+                policy_type=policy_type,
             )
 
             if results:
@@ -272,7 +339,7 @@ Examples:
                         # Note: validation_success tracks overall status
 
                 # Post to GitHub immediately for this file (progressive PR comments)
-                if args.github_comment and getattr(args, "github_review", False):
+                if getattr(args, "github_review", False):
                     await self._post_file_review(result, args)
 
         if total_processed == 0:
@@ -300,7 +367,14 @@ Examples:
                 print(generator.generate_github_comment(report))
         else:
             # Use formatter registry for other formats (enhanced, html, csv, sarif)
-            output_content = generator.format_report(report, args.format)
+            # Pass options for enhanced format
+            format_options = {}
+            if args.format == "enhanced":
+                format_options["show_summary"] = not getattr(args, "no_summary", False)
+                format_options["show_severity_breakdown"] = not getattr(
+                    args, "no_severity_breakdown", False
+                )
+            output_content = generator.format_report(report, args.format, **format_options)
             if args.output:
                 with open(args.output, "w", encoding="utf-8") as f:
                     f.write(output_content)
@@ -308,20 +382,29 @@ Examples:
             else:
                 print(output_content)
 
-        # Post summary comment to GitHub
+        # Post summary comment to GitHub (if requested and not already posted per-file reviews)
         if args.github_comment:
+            from iam_validator.core.config_loader import ConfigLoader
             from iam_validator.core.pr_commenter import PRCommenter
 
+            # Load config to get fail_on_severity setting
+            config = ConfigLoader.load_config(config_path)
+            fail_on_severities = config.get_setting("fail_on_severity", ["error", "critical"])
+
             async with GitHubIntegration() as github:
-                commenter = PRCommenter(github)
+                commenter = PRCommenter(github, fail_on_severities=fail_on_severities)
                 success = await commenter.post_findings_to_pr(
                     report,
-                    create_review=False,  # Already posted per-file reviews
+                    create_review=False,  # Already posted per-file reviews in streaming mode
                     add_summary_comment=True,
                 )
                 if not success:
                     logging.error("Failed to post summary to GitHub PR")
 
+        # Write to GitHub Actions job summary if configured
+        if getattr(args, "github_summary", False):
+            self._write_github_actions_summary(report)
+
         # Return exit code based on validation results
         if args.fail_on_warnings:
             return 0 if report.total_issues == 0 else 1
@@ -353,15 +436,23 @@ Examples:
         This provides progressive feedback in PRs as files are processed.
         """
         try:
+            from iam_validator.core.config_loader import ConfigLoader
             from iam_validator.core.pr_commenter import PRCommenter
 
             async with GitHubIntegration() as github:
                 if not github.is_configured():
                     return
 
+                # Load config to get fail_on_severity setting
+                config_path = getattr(args, "config", None)
+                config = ConfigLoader.load_config(config_path)
+                fail_on_severities = config.get_setting("fail_on_severity", ["error", "critical"])
+
                 # In streaming mode, don't cleanup comments (we want to keep earlier files)
                 # Cleanup will happen once at the end
-                commenter = PRCommenter(github, cleanup_old_comments=False)
+                commenter = PRCommenter(
+                    github, cleanup_old_comments=False, fail_on_severities=fail_on_severities
+                )
 
                 # Create a mini-report for just this file
                 generator = ReportGenerator()
@@ -375,3 +466,100 @@ Examples:
                 )
         except Exception as e:
             logging.warning(f"Failed to post review for {result.policy_file}: {e}")
+
+    def _write_github_actions_summary(self, report: ValidationReport) -> None:
+        """Write a high-level summary to GitHub Actions job summary.
+
+        This appears in the Actions tab and provides a quick overview without all details.
+        Uses GITHUB_STEP_SUMMARY environment variable.
+
+        Args:
+            report: Validation report to summarize
+        """
+        summary_file = os.getenv("GITHUB_STEP_SUMMARY")
+        if not summary_file:
+            logging.warning(
+                "--github-summary specified but GITHUB_STEP_SUMMARY env var not found. "
+                "This feature only works in GitHub Actions."
+            )
+            return
+
+        try:
+            # Generate high-level summary (no detailed issue list)
+            summary_parts = []
+
+            # Header with status
+            if report.total_issues == 0:
+                summary_parts.append("# ✅ IAM Policy Validation - Passed")
+            elif report.invalid_policies > 0:
+                summary_parts.append("# ❌ IAM Policy Validation - Failed")
+            else:
+                summary_parts.append("# ⚠️ IAM Policy Validation - Security Issues Found")
+
+            summary_parts.append("")
+
+            # Summary table
+            summary_parts.append("## Summary")
+            summary_parts.append("")
+            summary_parts.append("| Metric | Count |")
+            summary_parts.append("|--------|-------|")
+            summary_parts.append(f"| Total Policies | {report.total_policies} |")
+            summary_parts.append(f"| Valid Policies | {report.valid_policies} |")
+            summary_parts.append(f"| Invalid Policies | {report.invalid_policies} |")
+            summary_parts.append(
+                f"| Policies with Security Issues | {report.policies_with_security_issues} |"
+            )
+            summary_parts.append(f"| **Total Issues** | **{report.total_issues}** |")
+
+            # Issue breakdown by severity if there are issues
+            if report.total_issues > 0:
+                summary_parts.append("")
+                summary_parts.append("## Issues by Severity")
+                summary_parts.append("")
+
+                # Count issues by severity
+                severity_counts: dict[str, int] = {}
+                for result in report.results:
+                    for issue in result.issues:
+                        severity_counts[issue.severity] = severity_counts.get(issue.severity, 0) + 1
+
+                # Sort by severity rank (highest first)
+                from iam_validator.core.models import ValidationIssue
+
+                sorted_severities = sorted(
+                    severity_counts.items(),
+                    key=lambda x: ValidationIssue.SEVERITY_RANK.get(x[0], 0),
+                    reverse=True,
+                )
+
+                summary_parts.append("| Severity | Count |")
+                summary_parts.append("|----------|-------|")
+                for severity, count in sorted_severities:
+                    emoji = {
+                        "error": "❌",
+                        "critical": "🔴",
+                        "high": "🟠",
+                        "warning": "⚠️",
+                        "medium": "🟡",
+                        "low": "🔵",
+                        "info": "ℹ️",
+                    }.get(severity, "•")
+                    summary_parts.append(f"| {emoji} {severity.upper()} | {count} |")
+
+            # Add footer with links
+            summary_parts.append("")
+            summary_parts.append("---")
+            summary_parts.append("")
+            summary_parts.append(
+                "📝 For detailed findings, check the PR comments or review the workflow logs."
+            )
+
+            # Write to summary file (append mode)
+            with open(summary_file, "a", encoding="utf-8") as f:
+                f.write("\n".join(summary_parts))
+                f.write("\n")
+
+            logging.info("Wrote summary to GitHub Actions job summary")
+
+        except Exception as e:
+            logging.warning(f"Failed to write GitHub Actions summary: {e}")

iam_validator/core/aws_fetcher.py

@@ -33,6 +33,7 @@ from typing import Any
 
 import httpx
 
+from iam_validator.core.config import AWS_SERVICE_REFERENCE_BASE_URL
 from iam_validator.core.models import ServiceDetail, ServiceInfo
 
 logger = logging.getLogger(__name__)
@@ -121,7 +122,7 @@ class CompiledPatterns:
 class AWSServiceFetcher:
     """Fetches AWS service information from the AWS service reference API with enhanced performance features."""
 
-    BASE_URL = "https://servicereference.us-east-1.amazonaws.com/"
+    BASE_URL = AWS_SERVICE_REFERENCE_BASE_URL
 
     # Common AWS services to pre-fetch
     # All other services will be fetched on-demand (lazy loading if found in policies)
@@ -797,8 +798,15 @@ class AWSServiceFetcher:
 
     async def validate_condition_key(
         self, action: str, condition_key: str
-    ) -> tuple[bool, str | None]:
-        """Validate condition key with optimized caching."""
+    ) -> tuple[bool, str | None, str | None]:
+        """Validate condition key with optimized caching.
+
+        Returns:
+            Tuple of (is_valid, error_message, warning_message)
+            - is_valid: True if key is valid (even with warning)
+            - error_message: Error message if invalid (is_valid=False)
+            - warning_message: Warning message if valid but not recommended
+        """
         try:
             from iam_validator.core.aws_global_conditions import get_global_conditions
 
@@ -814,6 +822,7 @@ class AWSServiceFetcher:
                     return (
                         False,
                         f"Invalid AWS global condition key: '{condition_key}'.",
+                        None,
                     )
 
             # Fetch service detail (cached)
@@ -821,7 +830,7 @@ class AWSServiceFetcher:
 
             # Check service-specific condition keys
             if condition_key in service_detail.condition_keys:
-                return True, None
+                return True, None, None
 
             # Check action-specific condition keys
             if action_name in service_detail.actions:
@@ -830,29 +839,33 @@ class AWSServiceFetcher:
                     action_detail.action_condition_keys
                     and condition_key in action_detail.action_condition_keys
                 ):
-                    return True, None
+                    return True, None, None
 
                 # If it's a global key but the action has specific condition keys defined,
-                # check if the global key is explicitly listed in the action's supported keys
+                # AWS allows it but the key may not be available in every request context
                 if is_global_key and action_detail.action_condition_keys is not None:
-                    return (
-                        False,
-                        f"Condition key '{condition_key}' is not supported by action '{action}'. "
-                        f"This action has a specific set of supported condition keys.",
+                    warning_msg = (
+                        f"Global condition key '{condition_key}' is used with action '{action}'. "
+                        f"While global condition keys can be used across all AWS services, "
+                        f"the key may not be available in every request context. "
+                        f"Verify that '{condition_key}' is available for this specific action's request context. "
+                        f"Consider using '*IfExists' operators (e.g., StringEqualsIfExists) if the key might be missing."
                     )
+                    return True, None, warning_msg
 
             # If it's a global key and action doesn't define specific keys, allow it
             if is_global_key:
-                return True, None
+                return True, None, None
 
             return (
                 False,
                 f"Condition key '{condition_key}' is not valid for action '{action}'",
+                None,
             )
 
         except Exception as e:
             logger.error(f"Error validating condition key {condition_key} for {action}: {e}")
-            return False, f"Failed to validate condition key: {str(e)}"
+            return False, f"Failed to validate condition key: {str(e)}", None
 
     async def clear_caches(self) -> None:
         """Clear all caches (memory and disk)."""

iam_validator/core/check_registry.py

@@ -98,6 +98,7 @@ class PolicyCheck(ABC):
         policy_file: str,
         fetcher: AWSServiceFetcher,
         config: CheckConfig,
+        **kwargs,
     ) -> list[ValidationIssue]:
         """
         Execute the check on the entire policy (optional method).
@@ -113,6 +114,7 @@ class PolicyCheck(ABC):
             policy_file: Path to the policy file (for context/reporting)
             fetcher: AWS service fetcher for validation against AWS APIs
             config: Configuration for this check instance
+            **kwargs: Additional context (policy_type, etc.)
 
         Returns:
             List of ValidationIssue objects found by this check
@@ -353,6 +355,7 @@ class CheckRegistry:
         policy: "IAMPolicy",
         policy_file: str,
         fetcher: AWSServiceFetcher,
+        policy_type: str = "IDENTITY_POLICY",
     ) -> list[ValidationIssue]:
         """
         Execute all enabled policy-level checks.
@@ -364,6 +367,7 @@ class CheckRegistry:
             policy: The complete IAM policy to validate
             policy_file: Path to the policy file (for context/reporting)
             fetcher: AWS service fetcher for API calls
+            policy_type: Type of policy (IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY)
 
         Returns:
             List of all ValidationIssue objects from all policy-level checks
@@ -383,7 +387,9 @@ class CheckRegistry:
                 config = self.get_config(check.check_id)
                 if config:
                     try:
-                        issues = await check.execute_policy(policy, policy_file, fetcher, config)
+                        issues = await check.execute_policy(
+                            policy, policy_file, fetcher, config, policy_type=policy_type
+                        )
                         all_issues.extend(issues)
                     except Exception as e:
                         print(f"Warning: Check '{check.check_id}' failed: {e}")
@@ -394,7 +400,9 @@ class CheckRegistry:
         for check in policy_level_checks:
             config = self.get_config(check.check_id)
             if config:
-                task = check.execute_policy(policy, policy_file, fetcher, config)
+                task = check.execute_policy(
+                    policy, policy_file, fetcher, config, policy_type=policy_type
+                )
                 tasks.append(task)
 
         # Wait for all checks to complete
@@ -432,25 +440,21 @@ def create_default_registry(
 
     if include_builtin_checks:
         # Import and register built-in checks
-        from iam_validator.checks import (
-            ActionConditionEnforcementCheck,
-            ActionResourceConstraintCheck,
-            ActionValidationCheck,
-            ConditionKeyValidationCheck,
-            PolicySizeCheck,
-            ResourceValidationCheck,
-            SecurityBestPracticesCheck,
-            SidUniquenessCheck,
-        )
-
-        registry.register(ActionValidationCheck())
-        registry.register(ConditionKeyValidationCheck())
-        registry.register(ResourceValidationCheck())
-        registry.register(SecurityBestPracticesCheck())
-        registry.register(ActionConditionEnforcementCheck())
-        registry.register(ActionResourceConstraintCheck())
-        registry.register(SidUniquenessCheck())
-        registry.register(PolicySizeCheck())
+        from iam_validator import checks
+
+        registry.register(checks.ActionValidationCheck())
+        registry.register(checks.ConditionKeyValidationCheck())
+        registry.register(checks.ResourceValidationCheck())
+        registry.register(checks.WildcardActionCheck())
+        registry.register(checks.WildcardResourceCheck())
+        registry.register(checks.FullWildcardCheck())
+        registry.register(checks.ServiceWildcardCheck())
+        registry.register(checks.SensitiveActionCheck())
+        registry.register(checks.ActionConditionEnforcementCheck())
+        registry.register(checks.ActionResourceConstraintCheck())
+        registry.register(checks.SidUniquenessCheck())
+        registry.register(checks.PolicySizeCheck())
+        registry.register(checks.PrincipalValidationCheck())
 
         # Note: SID uniqueness check is registered above but its actual execution
         # happens at the policy level in _validate_policy_with_registry() since it

iam_validator/core/config/__init__.py

@@ -0,0 +1,83 @@
+"""
+Core configuration modules for IAM Policy Validator.
+
+This package contains default configuration data used by validators, organized into
+logical modules for better maintainability and performance.
+
+All configuration is defined as Python code (not YAML/JSON) for:
+- Faster loading (no parsing overhead)
+- Better PyPI packaging (no data files to manage)
+- Type hints and IDE support
+- Compiled to .pyc for even faster imports
+
+Performance benefits:
+- 5-10x faster than YAML parsing
+- Zero runtime parsing overhead
+- Lazy loading support
+- O(1) frozenset lookups
+"""
+
+from iam_validator.core.config.aws_api import (
+    AWS_SERVICE_REFERENCE_BASE_URL,
+    get_service_reference_url,
+)
+from iam_validator.core.config.condition_requirements import (
+    ALL_CONDITION_REQUIREMENTS,
+    DEFAULT_CONDITION_REQUIREMENTS,
+    get_all_requirement_names,
+    get_default_requirements,
+    get_requirement,
+    get_requirements_by_names,
+    get_requirements_by_severity,
+)
+from iam_validator.core.config.defaults import DEFAULT_CONFIG
+from iam_validator.core.config.principal_requirements import (
+    ALL_PRINCIPAL_REQUIREMENTS,
+    DEFAULT_ENABLED_REQUIREMENTS,
+    get_all_principal_requirement_names,
+    get_default_principal_requirements,
+    get_principal_requirement,
+    get_principal_requirements_by_names,
+    get_principal_requirements_by_severity,
+)
+from iam_validator.core.config.sensitive_actions import (
+    DEFAULT_SENSITIVE_ACTIONS,
+    get_sensitive_actions,
+)
+from iam_validator.core.config.service_principals import DEFAULT_SERVICE_PRINCIPALS
+from iam_validator.core.config.wildcards import (
+    DEFAULT_ALLOWED_WILDCARDS,
+    DEFAULT_SERVICE_WILDCARDS,
+)
+
+__all__ = [
+    # Default configuration
+    "DEFAULT_CONFIG",
+    # AWS API endpoints
+    "AWS_SERVICE_REFERENCE_BASE_URL",
+    "get_service_reference_url",
+    # Sensitive actions
+    "DEFAULT_SENSITIVE_ACTIONS",
+    "get_sensitive_actions",
+    # Condition requirements (for actions)
+    "DEFAULT_CONDITION_REQUIREMENTS",
+    "ALL_CONDITION_REQUIREMENTS",
+    "get_default_requirements",
+    "get_requirement",
+    "get_all_requirement_names",
+    "get_requirements_by_names",
+    "get_requirements_by_severity",
+    # Principal requirements (for principals)
+    "ALL_PRINCIPAL_REQUIREMENTS",
+    "DEFAULT_ENABLED_REQUIREMENTS",
+    "get_default_principal_requirements",
+    "get_principal_requirement",
+    "get_all_principal_requirement_names",
+    "get_principal_requirements_by_names",
+    "get_principal_requirements_by_severity",
+    # Wildcards
+    "DEFAULT_ALLOWED_WILDCARDS",
+    "DEFAULT_SERVICE_WILDCARDS",
+    # Service principals
+    "DEFAULT_SERVICE_PRINCIPALS",
+]