iam-policy-validator 1.6.0__tar.gz → 1.7.0__tar.gz

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.6.0
+Version: 1.7.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
@@ -212,6 +212,12 @@ jobs:
 - ✅ Simple, declarative configuration
 - ✅ Perfect for CI/CD workflows
 
+**Note:** The action uses the automatic `github.token` by default. If you need to use a custom token (e.g., for cross-repo comments or fine-grained permissions), add:
+```yaml
+        with:
+          github-token: ${{ secrets.MY_CUSTOM_TOKEN }}
+```
+
 #### With AWS Access Analyzer (Standalone Action)
 
 Use AWS's official policy validation service:
@@ -476,11 +482,12 @@ See [examples/configs/full-reference-config.yaml](examples/configs/full-referenc
 | `recursive`        | Recursively search directories for policy files             | No       | `true`  |
 
 #### GitHub Integration
-| Input            | Description                                               | Required | Default |
-| ---------------- | --------------------------------------------------------- | -------- | ------- |
-| `post-comment`   | Post validation summary as PR conversation comment        | No       | `true`  |
-| `create-review`  | Create line-specific review comments on PR files          | No       | `true`  |
-| `github-summary` | Write summary to GitHub Actions job summary (Actions tab) | No       | `false` |
+| Input            | Description                                               | Required | Default        |
+| ---------------- | --------------------------------------------------------- | -------- | -------------- |
+| `github-token`   | GitHub token for posting comments and reviews             | No       | `github.token` |
+| `post-comment`   | Post validation summary as PR conversation comment        | No       | `true`         |
+| `create-review`  | Create line-specific review comments on PR files          | No       | `true`         |
+| `github-summary` | Write summary to GitHub Actions job summary (Actions tab) | No       | `false`        |
 
 #### Output Options
 | Input         | Description                                                                      | Required | Default   |

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/README.md

@@ -170,6 +170,12 @@ jobs:
 - ✅ Simple, declarative configuration
 - ✅ Perfect for CI/CD workflows
 
+**Note:** The action uses the automatic `github.token` by default. If you need to use a custom token (e.g., for cross-repo comments or fine-grained permissions), add:
+```yaml
+        with:
+          github-token: ${{ secrets.MY_CUSTOM_TOKEN }}
+```
+
 #### With AWS Access Analyzer (Standalone Action)
 
 Use AWS's official policy validation service:
@@ -434,11 +440,12 @@ See [examples/configs/full-reference-config.yaml](examples/configs/full-referenc
 | `recursive`        | Recursively search directories for policy files             | No       | `true`  |
 
 #### GitHub Integration
-| Input            | Description                                               | Required | Default |
-| ---------------- | --------------------------------------------------------- | -------- | ------- |
-| `post-comment`   | Post validation summary as PR conversation comment        | No       | `true`  |
-| `create-review`  | Create line-specific review comments on PR files          | No       | `true`  |
-| `github-summary` | Write summary to GitHub Actions job summary (Actions tab) | No       | `false` |
+| Input            | Description                                               | Required | Default        |
+| ---------------- | --------------------------------------------------------- | -------- | -------------- |
+| `github-token`   | GitHub token for posting comments and reviews             | No       | `github.token` |
+| `post-comment`   | Post validation summary as PR conversation comment        | No       | `true`         |
+| `create-review`  | Create line-specific review comments on PR files          | No       | `true`         |
+| `github-summary` | Write summary to GitHub Actions job summary (Actions tab) | No       | `false`        |
 
 #### Output Options
 | Input         | Description                                                                      | Required | Default   |

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/action.yaml

@@ -108,6 +108,11 @@ inputs:
     required: false
     default: "warning"
 
+  github-token:
+    description: "GitHub token for posting comments and reviews. Defaults to automatic github.token"
+    required: false
+    default: ${{ github.token }}
+
 outputs:
   validation-result:
     description: "Validation result (success or failure)"
@@ -141,20 +146,39 @@ runs:
       uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.0.0
       with:
         enable-cache: true
-
-    - name: Cache dependencies
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.2.0
-      with:
-        path: ${{ github.action_path }}/.venv
-        key: ${{ runner.os }}-uv-${{ hashFiles(format('{0}/pyproject.toml', github.action_path)) }}
-        restore-keys: |
-          ${{ runner.os }}-uv-
+        cache-suffix: ci # Prune cache in CI to reduce bloat
 
     - name: Sync dependencies
       working-directory: ${{ github.action_path }}
       run: uv sync --frozen
       shell: bash
 
+    - name: Get current week for cache key
+      id: week
+      run: echo "week=$(date +%Y-W%V)" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: Restore AWS service definitions cache
+      id: cache-aws-services
+      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      with:
+        path: ~/.cache/iam-validator/aws_services
+        # Cache key refreshes weekly to get latest AWS service updates
+        key: aws-services-${{ runner.os }}-${{ steps.week.outputs.week }}
+        restore-keys: |
+          aws-services-${{ runner.os }}-
+
+    - name: Check cache status
+      run: |
+        if [ -d ~/.cache/iam-validator/aws_services ]; then
+          echo "✅ Cache directory exists"
+          echo "📁 Cache files: $(ls -1 ~/.cache/iam-validator/aws_services | wc -l)"
+          ls -lh ~/.cache/iam-validator/aws_services | head -5
+        else
+          echo "❌ Cache directory does not exist - will fetch from API"
+        fi
+      shell: bash
+
     - name: Pre-validate IAM Policy Files
       id: prevalidate
       run: |
@@ -257,9 +281,11 @@ runs:
       if: steps.prevalidate.outputs.iam-policy-count > 0
       working-directory: ${{ github.action_path }}
       env:
-        GITHUB_TOKEN: ${{ github.token }}
+        GITHUB_TOKEN: ${{ inputs.github-token }}
         GITHUB_REPOSITORY: ${{ github.repository }}
-        GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
+        GITHUB_WORKSPACE: ${{ github.workspace }}
+        # Try multiple ways to get PR number for different event types
+        GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.number }}
       run: |
         set -e
 
@@ -412,6 +438,13 @@ runs:
         exit ${EXIT_CODE:-0}
       shell: bash
 
+    - name: Save AWS service definitions cache
+      if: always()
+      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      with:
+        path: ~/.cache/iam-validator/aws_services
+        key: aws-services-${{ runner.os }}-${{ steps.week.outputs.week }}
+
     - name: Upload validation report
       if: always() && inputs.output-file != ''
       uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/examples/configs/full-reference-config.yaml

@@ -134,6 +134,34 @@ settings:
     # - medium  # Uncomment to fail on medium severity
     # - warning  # Uncomment to fail on IAM validity warnings
 
+  # Template Variable Support (applies to all ARN validation checks)
+  #
+  # When enabled, the validator is POSITION-AWARE and supports ANY variable name
+  # in template variables, not just predefined ones. Variables are normalized based
+  # on their position in the ARN structure:
+  #
+  # Supported IaC Tools:
+  #   - Terraform/Terragrunt: ${var.name}, ${local.value}, ${data.source.attr}
+  #   - CloudFormation: ${AWS::AccountId}, ${AWS::Region}, ${MyParameter}
+  #   - Pulumi: ${myVariable}, ${myStack.output}
+  #   - AWS Policy Variables: ${aws:username}, ${aws:PrincipalTag/tag-key}
+  #
+  # Position-aware normalization examples:
+  #   Partition:   ${var.partition} → aws
+  #   Service:     ${var.service} → s3
+  #   Region:      ${var.region} → us-east-1
+  #   Account ID:  ${var.account_id} → 123456789012
+  #   Resource:    ${var.bucket_name} → placeholder
+  #
+  # Example ARNs that work:
+  #   arn:aws:iam::${var.account}:role/MyRole ✓
+  #   arn:aws:iam::${AWS::AccountId}:role/MyRole ✓
+  #   arn:${local.partition}:s3:::${data.bucket.name}/* ✓
+  #   arn:aws:s3:::${MY_CUSTOM_VAR}/* ✓
+  #
+  # Set to false to strictly validate ARN format without template support (default: true)
+  allow_template_variables: true
+
 # ============================================================================
 # BUILT-IN CHECKS - AWS Validation (17 checks total)
 # ============================================================================
@@ -259,9 +287,13 @@ resource_validation:
   enabled: true
   severity: error
   description: "Validates ARN format for resources"
-  # Regex pattern for ARN validation
-  # Pattern allows wildcards (*) in region and account fields
-  arn_pattern: "^arn:(aws|aws-cn|aws-us-gov|aws-eusc|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):[a-z0-9\\-]+:[a-z0-9\\-*]*:[0-9*]*:.+$"
+
+  # Regex pattern for ARN validation (optional - override default if needed)
+  # Default pattern defined in: iam_validator/core/constants.py (DEFAULT_ARN_VALIDATION_PATTERN)
+  # Pattern allows wildcards (*) in region and account fields for flexibility
+  # Only override if you need stricter or more lenient validation
+  # arn_pattern: "^arn:(aws|aws-cn|aws-us-gov|aws-eusc|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):[a-z0-9\\-]+:[a-z0-9\\-*]*:[0-9*]*:.+$"
+
   # ignore_patterns available - see top of file for usage examples
 
 # ============================================================================
@@ -423,7 +455,7 @@ policy_type_validation:
 #   - s3:ListBucket with object ARN (needs bucket ARN without /)
 action_resource_matching:
   enabled: true
-  severity: error  # IAM validity error - these policies won't work as expected
+  severity: error # IAM validity error - these policies won't work as expected
   description: "Validates that resources match required types for actions (including account-level actions)"
 
   # Example ignore patterns (commented out by default)

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/iam_validator/__version__.py

@@ -3,5 +3,5 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.6.0"
+__version__ = "1.7.0"
 __version_info__ = tuple(int(part) for part in __version__.split("."))

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/iam_validator/checks/action_condition_enforcement.py

@@ -794,7 +794,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
         # Build example based on condition key type
         if example:
-            parts.append(f"Example:\n{example}")
+            parts.append(f"Example:\n```json\n{example}\n```")
         else:
             # Auto-generate example
             example_lines = ['Add to "Condition" block:', f'  "{operator}": {{']

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/iam_validator/checks/action_resource_matching.py

@@ -27,6 +27,8 @@ from iam_validator.core.models import Statement, ValidationIssue
 from iam_validator.sdk.arn_matching import (
     arn_strictly_valid,
     convert_aws_pattern_to_wildcard,
+    has_template_variables,
+    normalize_template_variables,
 )
 
 
@@ -71,6 +73,13 @@ class ActionResourceMatchingCheck(PolicyCheck):
         """
         issues = []
 
+        # Check if template variable support is enabled (default: true)
+        # Try global settings first, then check-specific config
+        allow_template_variables = config.root_config.get("settings", {}).get(
+            "allow_template_variables",
+            config.config.get("allow_template_variables", True),
+        )
+
         # Get actions and resources
         actions = statement.get_actions()
         resources = statement.get_resources()
@@ -157,7 +166,13 @@ class ActionResourceMatchingCheck(PolicyCheck):
 
                 # Check if any policy resource matches this ARN pattern
                 for resource in resources:
-                    if arn_strictly_valid(wildcard_pattern, resource, resource_name):
+                    # Normalize template variables (Terraform/CloudFormation) before matching
+                    # This allows policies with ${aws_account_id}, ${AWS::AccountId}, etc.
+                    validation_resource = resource
+                    if allow_template_variables and has_template_variables(resource):
+                        validation_resource = normalize_template_variables(resource)
+
+                    if arn_strictly_valid(wildcard_pattern, validation_resource, resource_name):
                         match_found = True
                         break
 
@@ -185,8 +200,8 @@ class ActionResourceMatchingCheck(PolicyCheck):
                 issues.append(
                     self._create_mismatch_issue(
                         action=action,
-                        required_format=required_formats[0]["format"] if required_formats else "",
-                        required_type=required_formats[0]["type"] if required_formats else "",
+                        required_format=(required_formats[0]["format"] if required_formats else ""),
+                        required_type=(required_formats[0]["type"] if required_formats else ""),
                         provided_resources=resources,
                         statement_idx=statement_idx,
                         statement_sid=statement_sid,
@@ -236,9 +251,11 @@ class ActionResourceMatchingCheck(PolicyCheck):
             issue_type="resource_mismatch",
             message=message,
             action=action,
-            resource=", ".join(provided_resources)
-            if len(provided_resources) <= 3
-            else f"{provided_resources[0]}...",
+            resource=(
+                ", ".join(provided_resources)
+                if len(provided_resources) <= 3
+                else f"{provided_resources[0]}..."
+            ),
             suggestion=suggestion,
             line_number=line_number,
         )

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/iam_validator/checks/full_wildcard.py

@@ -50,7 +50,11 @@ class FullWildcardCheck(PolicyCheck):
             example = config.config.get("example", "")
 
             # Combine suggestion + example
-            suggestion = f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+            suggestion = (
+                f"{suggestion_text}\nExample:\n```json\n{example}\n```"
+                if example
+                else suggestion_text
+            )
 
             issues.append(
                 ValidationIssue(

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/iam_validator/checks/policy_size.py

@@ -16,6 +16,7 @@ from typing import TYPE_CHECKING
 
 from iam_validator.core.aws_fetcher import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.constants import AWS_POLICY_SIZE_LIMITS
 from iam_validator.core.models import Statement, ValidationIssue
 
 if TYPE_CHECKING:
@@ -25,13 +26,8 @@ if TYPE_CHECKING:
 class PolicySizeCheck(PolicyCheck):
     """Validates that IAM policies don't exceed AWS size limits."""
 
-    # AWS IAM policy size limits (in characters, excluding whitespace)
-    DEFAULT_LIMITS = {
-        "managed": 6144,
-        "inline_user": 2048,
-        "inline_group": 5120,
-        "inline_role": 10240,
-    }
+    # AWS IAM policy size limits (loaded from constants module)
+    DEFAULT_LIMITS = AWS_POLICY_SIZE_LIMITS
 
     @property
     def check_id(self) -> str:

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/iam_validator/checks/policy_type_validation.py

@@ -71,6 +71,7 @@ async def execute_policy(
                         line_number=statement.line_number,
                         suggestion="Add a Principal element to specify who can access this resource.\n"
                         "Example:\n"
+                        "```json\n"
                         "{\n"
                         '  "Effect": "Allow",\n'
                         '  "Principal": {\n'
@@ -78,7 +79,8 @@ async def execute_policy(
                         "  },\n"
                         '  "Action": "s3:GetObject",\n'
                         '  "Resource": "arn:aws:s3:::bucket/*"\n'
-                        "}",
+                        "}\n"
+                        "```",
                     )
                 )
 
@@ -101,11 +103,13 @@ async def execute_policy(
                         line_number=statement.line_number,
                         suggestion="Remove the Principal element from this identity policy statement.\n"
                         "Example:\n"
+                        "```json\n"
                         "{\n"
                         '  "Effect": "Allow",\n'
                         '  "Action": "s3:GetObject",\n'
                         '  "Resource": "arn:aws:s3:::bucket/*"\n'
-                        "}",
+                        "}\n"
+                        "```",
                     )
                 )
 
@@ -127,6 +131,7 @@ async def execute_policy(
                         line_number=statement.line_number,
                         suggestion="Remove the Principal element from this SCP statement.\n"
                         "Example:\n"
+                        "```json\n"
                         "{\n"
                         '  "Effect": "Deny",\n'
                         '  "Action": "ec2:*",\n'
@@ -136,7 +141,8 @@ async def execute_policy(
                         '      "ec2:Region": ["us-east-1", "us-west-2"]\n'
                         "    }\n"
                         "  }\n"
-                        "}",
+                        "}\n"
+                        "```",
                     )
                 )
 

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/iam_validator/checks/principal_validation.py

@@ -668,7 +668,7 @@ class PrincipalValidationCheck(PolicyCheck):
 
         # Build example based on condition key type
         if example:
-            parts.append(f"Example:\n{example}")
+            parts.append(f"Example:\n```json\n{example}\n```")
         else:
             # Auto-generate example
             example_lines = ['Add to "Condition" block:', f'  "{operator}": {{']

iam_policy_validator-1.7.0/iam_validator/checks/resource_validation.py

@@ -0,0 +1,138 @@
+"""Resource validation check - validates ARN formats."""
+
+import re
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.constants import DEFAULT_ARN_VALIDATION_PATTERN, MAX_ARN_LENGTH
+from iam_validator.core.models import Statement, ValidationIssue
+from iam_validator.sdk.arn_matching import (
+    has_template_variables,
+    normalize_template_variables,
+)
+
+
+class ResourceValidationCheck(PolicyCheck):
+    """Validates ARN format for resources."""
+
+    @property
+    def check_id(self) -> str:
+        return "resource_validation"
+
+    @property
+    def description(self) -> str:
+        return "Validates ARN format for resources"
+
+    @property
+    def default_severity(self) -> str:
+        return "error"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute resource ARN validation on a statement."""
+        issues = []
+
+        # Get resources from statement
+        resources = statement.get_resources()
+        statement_sid = statement.sid
+        line_number = statement.line_number
+
+        # Get ARN pattern from config, or use default
+        # Pattern allows wildcards (*) in region and account fields
+        arn_pattern_str = config.config.get("arn_pattern", DEFAULT_ARN_VALIDATION_PATTERN)
+
+        # Compile pattern
+        try:
+            arn_pattern = re.compile(arn_pattern_str)
+        except re.error:
+            # Fallback to default pattern if custom pattern is invalid
+            arn_pattern = re.compile(DEFAULT_ARN_VALIDATION_PATTERN)
+
+        # Check if template variable support is enabled (default: true)
+        # Try global settings first, then check-specific config
+        allow_template_variables = config.root_config.get("settings", {}).get(
+            "allow_template_variables",
+            config.config.get("allow_template_variables", True),
+        )
+
+        for resource in resources:
+            # Skip wildcard resources (handled by security checks)
+            if resource == "*":
+                continue
+
+            # Validate ARN length to prevent ReDoS attacks
+            if len(resource) > MAX_ARN_LENGTH:
+                issues.append(
+                    ValidationIssue(
+                        severity=self.get_severity(config),
+                        statement_sid=statement_sid,
+                        statement_index=statement_idx,
+                        issue_type="invalid_resource",
+                        message=f"Resource ARN exceeds maximum length ({len(resource)} > {MAX_ARN_LENGTH}): {resource[:100]}...",
+                        resource=resource[:100] + "...",
+                        suggestion="ARN is too long and may be invalid",
+                        line_number=line_number,
+                    )
+                )
+                continue
+
+            # Check if resource contains template variables
+            has_templates = has_template_variables(resource)
+
+            # If template variables are found and allowed, normalize them for validation
+            validation_resource = resource
+            if has_templates and allow_template_variables:
+                validation_resource = normalize_template_variables(resource)
+
+            # Validate ARN format
+            try:
+                if not arn_pattern.match(validation_resource):
+                    # If original resource had templates and normalization didn't help,
+                    # provide a more informative message
+                    if has_templates and allow_template_variables:
+                        issues.append(
+                            ValidationIssue(
+                                severity=self.get_severity(config),
+                                statement_sid=statement_sid,
+                                statement_index=statement_idx,
+                                issue_type="invalid_resource",
+                                message=f"Invalid ARN format even after normalizing template variables: {resource}",
+                                resource=resource,
+                                suggestion="ARN should follow format: arn:partition:service:region:account-id:resource (template variables like ${aws_account_id} are supported)",
+                                line_number=line_number,
+                            )
+                        )
+                    else:
+                        issues.append(
+                            ValidationIssue(
+                                severity=self.get_severity(config),
+                                statement_sid=statement_sid,
+                                statement_index=statement_idx,
+                                issue_type="invalid_resource",
+                                message=f"Invalid ARN format: {resource}",
+                                resource=resource,
+                                suggestion="ARN should follow format: arn:partition:service:region:account-id:resource",
+                                line_number=line_number,
+                            )
+                        )
+            except Exception:
+                # If regex matching fails (shouldn't happen with length check), treat as invalid
+                issues.append(
+                    ValidationIssue(
+                        severity=self.get_severity(config),
+                        statement_sid=statement_sid,
+                        statement_index=statement_idx,
+                        issue_type="invalid_resource",
+                        message=f"Could not validate ARN format: {resource}",
+                        resource=resource,
+                        suggestion="ARN validation failed - may contain unexpected characters",
+                        line_number=line_number,
+                    )
+                )
+
+        return issues

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/iam_validator/checks/sensitive_action.py

@@ -143,7 +143,11 @@ class SensitiveActionCheck(PolicyCheck):
             )
 
             # Combine suggestion + example
-            suggestion = f"{suggestion_text}\n\nExample:\n{example}" if example else suggestion_text
+            suggestion = (
+                f"{suggestion_text}\n\nExample:\n```json\n{example}\n```"
+                if example
+                else suggestion_text
+            )
 
             # Determine severity based on the highest severity action in the list
             # If single action, use its category severity

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/iam_validator/checks/service_wildcard.py

@@ -69,7 +69,9 @@ class ServiceWildcardCheck(PolicyCheck):
 
                     # Combine suggestion + example
                     suggestion = (
-                        f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                        f"{suggestion_text}\nExample:\n```json\n{example}\n```"
+                        if example
+                        else suggestion_text
                     )
 
                     issues.append(

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/iam_validator/checks/wildcard_action.py

@@ -40,12 +40,17 @@ class WildcardActionCheck(PolicyCheck):
         if "*" in actions:
             message = config.config.get("message", "Statement allows all actions (*)")
             suggestion_text = config.config.get(
-                "suggestion", "Replace wildcard with specific actions needed for your use case"
+                "suggestion",
+                "Replace wildcard with specific actions needed for your use case",
             )
             example = config.config.get("example", "")
 
             # Combine suggestion + example
-            suggestion = f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+            suggestion = (
+                f"{suggestion_text}\nExample:\n```json\n{example}\n```"
+                if example
+                else suggestion_text
+            )
 
             issues.append(
                 ValidationIssue(

{iam_policy_validator-1.6.0 → iam_policy_validator-1.7.0}/iam_validator/checks/wildcard_resource.py

@@ -69,7 +69,11 @@ class WildcardResourceCheck(PolicyCheck):
             example = config.config.get("example", "")
 
             # Combine suggestion + example
-            suggestion = f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+            suggestion = (
+                f"{suggestion_text}\nExample:\n```json\n{example}\n```"
+                if example
+                else suggestion_text
+            )
 
             issues.append(
                 ValidationIssue(