iam-policy-validator 1.9.0__py3-none-any.whl → 1.10.1__py3-none-any.whl

{iam_policy_validator-1.9.0.dist-info → iam_policy_validator-1.10.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.9.0
+Version: 1.10.1
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs

{iam_policy_validator-1.9.0.dist-info → iam_policy_validator-1.10.1.dist-info}/RECORD

@@ -1,6 +1,6 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=IUF2zxBY8L_m2_x_tEDJHqdJthjPhXgbZg7CYXJCCrA,361
+iam_validator/__version__.py,sha256=SRRdMee5oIovcL25-xNSjSxoHM9bzGQhwmx_U4YhnXQ,362
 iam_validator/checks/__init__.py,sha256=OTkPnmlelu4YjMO8krjhu2wXiTV72RzopA5u1SfPQA0,1990
 iam_validator/checks/action_condition_enforcement.py,sha256=0dCH_xX-Xc0uLxtNeRjrpNjWYbdWQRzO1XNcLTSn6sI,51698
 iam_validator/checks/action_resource_matching.py,sha256=WiGJmCIJfx5yituMjZxpKmk-99N6nK20ueN02ddy9oM,19296
@@ -31,7 +31,7 @@ iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gz
 iam_validator/commands/cache.py,sha256=llfyQzPE5Azd5YcW0ohYcYjF_OCyiQ1GoJQ982t71lQ,14294
 iam_validator/commands/download_services.py,sha256=KKz3ybMLT8DQUf9aFZ0tilJ-o1b6PE8Pf1pC4K6cT8I,9175
 iam_validator/commands/post_to_pr.py,sha256=CvUXs2xvO-UhluxdfNM6F0TCWD8hDBEOiYw60fm1Dms,2363
-iam_validator/commands/validate.py,sha256=Z6GHLeKV8oINSTXaZ0asBxa56S1G4ORwOBqrAz3Xx-M,23945
+iam_validator/commands/validate.py,sha256=cvrgYagYm7W29MYsitZsLcttIIqVKQMRm-bCGY7N3fU,24355
 iam_validator/core/__init__.py,sha256=hYXkSbxplKzhM6dqrVzV4M3k7GKLsZbgExypxKq74gs,376
 iam_validator/core/access_analyzer.py,sha256=mtMaY-FnKjKEVITky_9ywZe1FaCAm61ElRv5Z_ZeC7E,24562
 iam_validator/core/access_analyzer_report.py,sha256=UMm2RNGj2rAKav1zsCw_htQZZRwRC0jjayd2zvKma1A,24896
@@ -41,10 +41,11 @@ iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,384
 iam_validator/core/condition_validators.py,sha256=7zBjlcf2xGFKGbcFrXSLvWT5tFhWxoqwzhsJqS2E8uY,21524
 iam_validator/core/constants.py,sha256=cVBPgbXr4ALltH_NTSKsgBi6wmndLnOyUWhyBx0ZwrM,6113
 iam_validator/core/ignore_patterns.py,sha256=pZqDJBtkbck-85QK5eFPM5ZOPEKs3McRh3avqiCT5z0,10398
-iam_validator/core/models.py,sha256=f5d9ovtO1xMSwhyBrKIgc2psEq0eugnd3S3ioqurqEE,13242
+iam_validator/core/label_manager.py,sha256=48CRASWg98wyjfVF_1pUzj6dm9itzmG7SeIWf0TSUfc,7502
+iam_validator/core/models.py,sha256=yQ5iBTffdAzx88h8RyVCCmBg6kkD2zg5_lb-qLdjy3w,13386
 iam_validator/core/policy_checks.py,sha256=FNVuS2GTffwCjjrlupVIazC172gSxKYAAT_ObV6Apbo,8803
 iam_validator/core/policy_loader.py,sha256=2KJnXzGg3g9pDXWZHk3DO0xpZnZZ-wXWFEOdQ_naJ8s,17862
-iam_validator/core/pr_commenter.py,sha256=MU-t7SfdHUpSc6BDbh8_dNAbxDiG-bZBCry-jUXivAc,15066
+iam_validator/core/pr_commenter.py,sha256=NTKoSmjvspYX2rbl3Xn8d611XkTNSfYlGUY0zBHBP4g,16801
 iam_validator/core/report.py,sha256=kzSeWnT1LqWZVA5pqKKz-maVowXVj0djdoShfRhhpz4,35899
 iam_validator/core/aws_service/__init__.py,sha256=UqMh4HUdGlx2QF5OoueJJ2UlCnhX4QW_x3KeE_bxRQc,735
 iam_validator/core/aws_service/cache.py,sha256=DPuOOPPJC867KAYgV1e0RyQs_k3mtefMdYli3jPaN64,3589
@@ -53,14 +54,14 @@ iam_validator/core/aws_service/fetcher.py,sha256=X4iI6fiLj4l9f3W6_J0E58lSP26UsBh
 iam_validator/core/aws_service/parsers.py,sha256=gJzR7HCD8ItCWCCbguTQIZpPEdj2rdMwC7LPhu7ve14,5174
 iam_validator/core/aws_service/patterns.py,sha256=gGc55Tn-EJ3cmcWtmYAZROUajKYz7DaMchYWGEhHpC0,1726
 iam_validator/core/aws_service/storage.py,sha256=PrfKdvF60IL7E_8xYs_XwFoAJPRcVYw57FVLHCoqwVk,10429
-iam_validator/core/aws_service/validators.py,sha256=rgCScqEjXNH8xNg2R91eJbb4eIV3jZN7a6VW0n0hgA4,16347
+iam_validator/core/aws_service/validators.py,sha256=AY0BjydskXoesEzUShH4gZKp6gtSX7s1rCLP_iOZQMc,16493
 iam_validator/core/config/__init__.py,sha256=CWSyIA7kEyzrskEenjYbs9Iih10BXRpiY9H2dHg61rU,2671
 iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
 iam_validator/core/config/aws_global_conditions.py,sha256=gdmMxXGBy95B3uYUG-J7rnM6Ixgc6L7Y9Pcd2XAMb60,7170
 iam_validator/core/config/category_suggestions.py,sha256=QlrYi4BTkxDSTlL7NZGE9BWN-atWetZ6XjkI9F_7YzI,4370
 iam_validator/core/config/condition_requirements.py,sha256=qauIP73HFnOw1dchUeFpg1x7Y7QWkILo3GfxV_dxdQo,7696
 iam_validator/core/config/config_loader.py,sha256=qKD8aR8YAswaFf68pnYJLFNwKznvcc6lNxSQWU3i6SY,17713
-iam_validator/core/config/defaults.py,sha256=rWzDrlw0AAudtm_If6zjNFvruLg71jpLJEdRgKYSKMQ,27917
+iam_validator/core/config/defaults.py,sha256=qpFP534dgCQ-vjCdhkK7ZslDoTm9Ftgy20qmYZsSYUI,28637
 iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
 iam_validator/core/config/sensitive_actions.py,sha256=uATDIp_TD3OQQlsYTZp79qd1mSK2Bf9hJ0JwcqLBr84,25344
 iam_validator/core/config/service_principals.py,sha256=8pys5H_yycVJ9KTyimAKFYBg83Aol2Iri53wiHjtnEM,3959
@@ -82,14 +83,14 @@ iam_validator/sdk/arn_matching.py,sha256=HSDpLltOYISq-SoPebAlM89mKOaUaghq_04urch
 iam_validator/sdk/context.py,sha256=FvAEyUa_s7tHWoSdgjSkzHf1CLlYpAEmLZANxs2IJ4A,6826
 iam_validator/sdk/exceptions.py,sha256=tm91TxIwU157U_UHN7w5qICf_OhU11agj6pV5W_YP-4,1023
 iam_validator/sdk/helpers.py,sha256=sjfK0na_Fo7O8GhEVhl44rVHqOdw6nAKkBL4FVL-QdU,5697
-iam_validator/sdk/policy_utils.py,sha256=CZS1OGSdiWsd2lsCwg0BDcUNWa61tUwgvn-P5rKqeN8,12987
+iam_validator/sdk/policy_utils.py,sha256=Fh-QElhmPypzSJuF9rcrY7y46Gz3hQu3-yN5b1_mSHY,13579
 iam_validator/sdk/shortcuts.py,sha256=EVNSYV7rv4TFH03ulsZ3mS1UVmTSp2jKpc2AXs4j1q4,8531
 iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYuCs,1021
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.9.0.dist-info/METADATA,sha256=y2uizxt2ScM8UTUd1UPHqkazCKhTMdyzVGKFEJQqc18,19069
-iam_policy_validator-1.9.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.9.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.9.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.9.0.dist-info/RECORD,,
+iam_policy_validator-1.10.1.dist-info/METADATA,sha256=lIMmE1Y6TX34sh3stfe9J2_q5ATb9fYZqVqOupYNcL8,19070
+iam_policy_validator-1.10.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.10.1.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.10.1.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.10.1.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.9.0"
+__version__ = "1.10.1"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-")[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/commands/validate.py

@@ -302,12 +302,17 @@ Examples:
             from iam_validator.core.config.config_loader import ConfigLoader
             from iam_validator.core.pr_commenter import PRCommenter
 
-            # Load config to get fail_on_severity setting
+            # Load config to get fail_on_severity and severity_labels settings
             config = ConfigLoader.load_config(config_path)
             fail_on_severities = config.get_setting("fail_on_severity", ["error", "critical"])
+            severity_labels = config.get_setting("severity_labels", {})
 
             async with GitHubIntegration() as github:
-                commenter = PRCommenter(github, fail_on_severities=fail_on_severities)
+                commenter = PRCommenter(
+                    github,
+                    fail_on_severities=fail_on_severities,
+                    severity_labels=severity_labels,
+                )
                 success = await commenter.post_findings_to_pr(
                     report,
                     create_review=getattr(args, "github_review", False),
@@ -426,12 +431,17 @@ Examples:
             from iam_validator.core.config.config_loader import ConfigLoader
             from iam_validator.core.pr_commenter import PRCommenter
 
-            # Load config to get fail_on_severity setting
+            # Load config to get fail_on_severity and severity_labels settings
             config = ConfigLoader.load_config(config_path)
             fail_on_severities = config.get_setting("fail_on_severity", ["error", "critical"])
+            severity_labels = config.get_setting("severity_labels", {})
 
             async with GitHubIntegration() as github:
-                commenter = PRCommenter(github, fail_on_severities=fail_on_severities)
+                commenter = PRCommenter(
+                    github,
+                    fail_on_severities=fail_on_severities,
+                    severity_labels=severity_labels,
+                )
                 success = await commenter.post_findings_to_pr(
                     report,
                     create_review=False,  # Already posted per-file reviews in streaming mode

iam_validator/core/aws_service/validators.py

@@ -280,9 +280,12 @@ class ServiceValidator:
                     "- `aws:RequestedRegion`\n"
                     "- `aws:SourceIp`\n"
                     "- `aws:SourceVpce`\n"
-                    "- `aws:UserAgent`\n"
+                    "- `aws:ResourceOrgID`\n"
+                    "- `aws:PrincipalOrgID`\n"
+                    "- `aws:SourceAccount`\n"
+                    "- `aws:PrincipalAccount`\n"
                     "- `aws:CurrentTime`\n"
-                    "- `aws:SecureTransport`\n"
+                    "- `aws:ResourceAccount`\n"
                     "- `aws:PrincipalArn`\n"
                     "- And many others"
                 )

iam_validator/core/config/defaults.py

@@ -75,6 +75,16 @@ DEFAULT_CONFIG = {
         # IAM Validity: error, warning, info
         # Security: critical, high, medium, low
         "fail_on_severity": list(constants.HIGH_SEVERITY_LEVELS),
+        # GitHub PR label mapping based on severity findings
+        # When issues with these severities are found, apply the corresponding labels
+        # If no issues with these severities exist, remove the labels if present
+        # Supports both single labels and lists of labels per severity
+        # Examples:
+        #   Single label per severity: {"error": "iam-validity-error", "critical": "security-critical"}
+        #   Multiple labels per severity: {"error": ["iam-error", "needs-fix"], "critical": ["security-critical", "needs-review"]}
+        #   Mixed: {"error": "iam-validity-error", "critical": ["security-critical", "needs-review"]}
+        # Default: {} (disabled)
+        "severity_labels": {},
     },
     # ========================================================================
     # AWS IAM Validation Checks (17 checks total)

iam_validator/core/label_manager.py

@@ -0,0 +1,197 @@
+"""Label Manager for GitHub PR Labels based on Severity Findings.
+
+This module manages GitHub PR labels based on IAM policy validation severity findings.
+When validation finds issues with specific severities, it applies corresponding labels.
+When those severities are not found, it removes the labels if present.
+"""
+
+import logging
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from iam_validator.core.models import PolicyValidationResult, ValidationReport
+    from iam_validator.integrations.github_integration import GitHubIntegration
+
+logger = logging.getLogger(__name__)
+
+
+class LabelManager:
+    """Manages GitHub PR labels based on severity findings."""
+
+    def __init__(
+        self,
+        github: "GitHubIntegration",
+        severity_labels: dict[str, str | list[str]] | None = None,
+    ):
+        """Initialize label manager.
+
+        Args:
+            github: GitHubIntegration instance for API calls
+            severity_labels: Mapping of severity levels to label name(s)
+                           Supports both single labels and lists of labels per severity.
+                           Examples:
+                             - Single label per severity:
+                               {"error": "iam-validity-error", "critical": "security-critical"}
+                             - Multiple labels per severity:
+                               {"error": ["iam-error", "needs-fix"], "critical": ["security-critical", "needs-security-review"]}
+                             - Mixed:
+                               {"error": "iam-validity-error", "critical": ["security-critical", "needs-review"]}
+        """
+        self.github = github
+        self.severity_labels = severity_labels or {}
+
+    def is_enabled(self) -> bool:
+        """Check if label management is enabled.
+
+        Returns:
+            True if severity_labels is configured and GitHub is configured
+        """
+        return bool(self.severity_labels) and self.github.is_configured()
+
+    def _get_severities_in_results(self, results: list["PolicyValidationResult"]) -> set[str]:
+        """Extract all severity levels found in validation results.
+
+        Args:
+            results: List of PolicyValidationResult objects
+
+        Returns:
+            Set of severity levels found (e.g., {"error", "critical", "high"})
+        """
+        severities = set()
+        for result in results:
+            for issue in result.issues:
+                severities.add(issue.severity)
+        return severities
+
+    def _get_severities_in_report(self, report: "ValidationReport") -> set[str]:
+        """Extract all severity levels found in validation report.
+
+        Args:
+            report: ValidationReport object
+
+        Returns:
+            Set of severity levels found (e.g., {"error", "critical", "high"})
+        """
+        return self._get_severities_in_results(report.results)
+
+    def _determine_labels_to_apply(self, found_severities: set[str]) -> set[str]:
+        """Determine which labels should be applied based on found severities.
+
+        Args:
+            found_severities: Set of severity levels found in validation
+
+        Returns:
+            Set of label names to apply
+        """
+        labels_to_apply = set()
+        for severity, labels in self.severity_labels.items():
+            if severity in found_severities:
+                # Support both single labels and lists of labels
+                if isinstance(labels, list):
+                    labels_to_apply.update(labels)
+                else:
+                    labels_to_apply.add(labels)
+        return labels_to_apply
+
+    def _determine_labels_to_remove(self, found_severities: set[str]) -> set[str]:
+        """Determine which labels should be removed based on missing severities.
+
+        Args:
+            found_severities: Set of severity levels found in validation
+
+        Returns:
+            Set of label names to remove
+        """
+        labels_to_remove = set()
+        for severity, labels in self.severity_labels.items():
+            if severity not in found_severities:
+                # Support both single labels and lists of labels
+                if isinstance(labels, list):
+                    labels_to_remove.update(labels)
+                else:
+                    labels_to_remove.add(labels)
+        return labels_to_remove
+
+    async def manage_labels_from_results(
+        self, results: list["PolicyValidationResult"]
+    ) -> tuple[bool, int, int]:
+        """Manage PR labels based on validation results.
+
+        This method will:
+        1. Determine which severity levels are present in the results
+        2. Add labels for severities that are found
+        3. Remove labels for severities that are not found
+
+        Args:
+            results: List of PolicyValidationResult objects
+
+        Returns:
+            Tuple of (success, labels_added, labels_removed)
+        """
+        if not self.is_enabled():
+            logger.debug("Label management not enabled (no severity_labels configured)")
+            return (True, 0, 0)
+
+        # Get all severities found in results
+        found_severities = self._get_severities_in_results(results)
+        logger.debug(f"Found severities in results: {found_severities}")
+
+        # Determine which labels to apply/remove
+        labels_to_apply = self._determine_labels_to_apply(found_severities)
+        labels_to_remove = self._determine_labels_to_remove(found_severities)
+
+        logger.debug(f"Labels to apply: {labels_to_apply}")
+        logger.debug(f"Labels to remove: {labels_to_remove}")
+
+        # Get current labels on PR
+        current_labels = set(await self.github.get_labels())
+        logger.debug(f"Current PR labels: {current_labels}")
+
+        # Filter: only add labels that aren't already present
+        labels_to_add = labels_to_apply - current_labels
+
+        # Filter: only remove labels that are currently present
+        labels_to_actually_remove = labels_to_remove & current_labels
+
+        success = True
+        added_count = 0
+        removed_count = 0
+
+        # Add new labels
+        if labels_to_add:
+            logger.info(f"Adding labels to PR: {labels_to_add}")
+            if await self.github.add_labels(list(labels_to_add)):
+                added_count = len(labels_to_add)
+            else:
+                logger.error("Failed to add labels to PR")
+                success = False
+
+        # Remove old labels
+        for label in labels_to_actually_remove:
+            logger.info(f"Removing label from PR: {label}")
+            if await self.github.remove_label(label):
+                removed_count += 1
+            else:
+                logger.error(f"Failed to remove label: {label}")
+                success = False
+
+        if added_count > 0 or removed_count > 0:
+            logger.info(f"Label management complete: added {added_count}, removed {removed_count}")
+        else:
+            logger.debug("No label changes needed")
+
+        return (success, added_count, removed_count)
+
+    async def manage_labels_from_report(self, report: "ValidationReport") -> tuple[bool, int, int]:
+        """Manage PR labels based on validation report.
+
+        This is a convenience method that extracts results from the report
+        and calls manage_labels_from_results().
+
+        Args:
+            report: ValidationReport object
+
+        Returns:
+            Tuple of (success, labels_added, labels_removed)
+        """
+        return await self.manage_labels_from_results(report.results)

iam_validator/core/models.py

@@ -31,7 +31,7 @@ class ServiceInfo(BaseModel):
 class ActionDetail(BaseModel):
     """Details about an AWS IAM action."""
 
-    model_config = ConfigDict(populate_by_name=True)
+    model_config = ConfigDict(validate_by_name=True, validate_by_alias=True)
 
     name: str = Field(alias="Name")
     action_condition_keys: list[str] | None = Field(
@@ -45,7 +45,7 @@ class ActionDetail(BaseModel):
 class ResourceType(BaseModel):
     """Details about an AWS resource type."""
 
-    model_config = ConfigDict(populate_by_name=True)
+    model_config = ConfigDict(validate_by_name=True, validate_by_alias=True)
 
     name: str = Field(alias="Name")
     arn_formats: list[str] | None = Field(default=None, alias="ARNFormats")
@@ -68,7 +68,7 @@ class ResourceType(BaseModel):
 class ConditionKey(BaseModel):
     """Details about an AWS condition key."""
 
-    model_config = ConfigDict(populate_by_name=True)
+    model_config = ConfigDict(validate_by_name=True, validate_by_alias=True)
 
     name: str = Field(alias="Name")
     description: str | None = Field(default=None, alias="Description")
@@ -78,7 +78,7 @@ class ConditionKey(BaseModel):
 class ServiceDetail(BaseModel):
     """Detailed information about an AWS service."""
 
-    model_config = ConfigDict(populate_by_name=True)
+    model_config = ConfigDict(validate_by_name=True, validate_by_alias=True)
 
     name: str = Field(alias="Name")
     prefix: str | None = None  # Not always present in API response
@@ -106,7 +106,7 @@ class ServiceDetail(BaseModel):
 class Statement(BaseModel):
     """IAM policy statement."""
 
-    model_config = ConfigDict(populate_by_name=True, extra="allow")
+    model_config = ConfigDict(validate_by_name=True, validate_by_alias=True, extra="allow")
 
     sid: str | None = Field(default=None, alias="Sid")
     effect: str | None = Field(default=None, alias="Effect")
@@ -136,7 +136,7 @@ class Statement(BaseModel):
 class IAMPolicy(BaseModel):
     """IAM policy document."""
 
-    model_config = ConfigDict(populate_by_name=True, extra="allow")
+    model_config = ConfigDict(validate_by_name=True, validate_by_alias=True, extra="allow")
 
     version: str | None = Field(default=None, alias="Version")
     statement: list[Statement] | None = Field(default=None, alias="Statement")

iam_validator/core/pr_commenter.py

@@ -13,7 +13,9 @@ from iam_validator.core.constants import (
     REVIEW_IDENTIFIER,
     SUMMARY_IDENTIFIER,
 )
+from iam_validator.core.label_manager import LabelManager
 from iam_validator.core.models import ValidationIssue, ValidationReport
+from iam_validator.core.report import ReportGenerator
 from iam_validator.integrations.github_integration import GitHubIntegration, ReviewEvent
 
 logger = logging.getLogger(__name__)
@@ -32,6 +34,7 @@ class PRCommenter:
         github: GitHubIntegration | None = None,
         cleanup_old_comments: bool = True,
         fail_on_severities: list[str] | None = None,
+        severity_labels: dict[str, str | list[str]] | None = None,
     ):
         """Initialize PR commenter.
 
@@ -40,16 +43,24 @@ class PRCommenter:
             cleanup_old_comments: Whether to clean up old bot comments before posting new ones
             fail_on_severities: List of severity levels that should trigger REQUEST_CHANGES
                                (e.g., ["error", "critical", "high"])
+            severity_labels: Mapping of severity levels to label name(s) for automatic label management
+                           Supports both single labels and lists of labels per severity.
+                           Examples:
+                             - Single: {"error": "iam-validity-error", "critical": "security-critical"}
+                             - Multiple: {"error": ["iam-error", "needs-fix"], "critical": ["security-critical", "needs-review"]}
+                             - Mixed: {"error": "iam-validity-error", "critical": ["security-critical", "needs-review"]}
         """
         self.github = github
         self.cleanup_old_comments = cleanup_old_comments
         self.fail_on_severities = fail_on_severities or ["error", "critical"]
+        self.severity_labels = severity_labels or {}
 
     async def post_findings_to_pr(
         self,
         report: ValidationReport,
         create_review: bool = True,
         add_summary_comment: bool = True,
+        manage_labels: bool = True,
     ) -> bool:
         """Post validation findings to a PR.
 
@@ -57,6 +68,7 @@ class PRCommenter:
             report: Validation report with findings
             create_review: Whether to create a PR review with line comments
             add_summary_comment: Whether to add a summary comment
+            manage_labels: Whether to manage PR labels based on severity findings
 
         Returns:
             True if successful, False otherwise
@@ -81,8 +93,6 @@ class PRCommenter:
 
         # Post summary comment (potentially as multiple parts)
         if add_summary_comment:
-            from iam_validator.core.report import ReportGenerator
-
             generator = ReportGenerator()
             comment_parts = generator.generate_github_comment_parts(report)
 
@@ -104,6 +114,18 @@ class PRCommenter:
                 logger.error("Failed to post review comments")
                 success = False
 
+        # Manage PR labels based on severity findings
+        if manage_labels and self.severity_labels:
+            label_manager = LabelManager(self.github, self.severity_labels)
+            label_success, added, removed = await label_manager.manage_labels_from_report(report)
+
+            if not label_success:
+                logger.error("Failed to manage PR labels")
+                success = False
+            else:
+                if added > 0 or removed > 0:
+                    logger.info(f"Label management: added {added}, removed {removed}")
+
         return success
 
     async def _post_review_comments(self, report: ValidationReport) -> bool:
@@ -288,7 +310,7 @@ class PRCommenter:
 
             return mapping
 
-        except Exception as e:
+        except Exception as e:  # pylint: disable=broad-exception-caught
             logger.warning(f"Could not parse {policy_file} for line mapping: {e}")
             return {}
 
@@ -369,7 +391,7 @@ class PRCommenter:
 
             return None
 
-        except Exception as e:
+        except Exception as e:  # pylint: disable=broad-exception-caught
             logger.debug(f"Could not search {policy_file}: {e}")
             return None
 
@@ -398,15 +420,20 @@ async def post_report_to_pr(
 
         report = ValidationReport.model_validate(report_data)
 
-        # Load config to get fail_on_severity setting
+        # Load config to get fail_on_severity and severity_labels settings
         from iam_validator.core.config.config_loader import ConfigLoader
 
         config = ConfigLoader.load_config(config_path)
         fail_on_severities = config.get_setting("fail_on_severity", ["error", "critical"])
+        severity_labels = config.get_setting("severity_labels", {})
 
         # Post to PR
         async with GitHubIntegration() as github:
-            commenter = PRCommenter(github, fail_on_severities=fail_on_severities)
+            commenter = PRCommenter(
+                github,
+                fail_on_severities=fail_on_severities,
+                severity_labels=severity_labels,
+            )
             return await commenter.post_findings_to_pr(
                 report,
                 create_review=create_review,
@@ -419,6 +446,6 @@ async def post_report_to_pr(
     except json.JSONDecodeError as e:
         logger.error(f"Invalid JSON in report file: {e}")
         return False
-    except Exception as e:
+    except Exception as e:  # pylint: disable=broad-exception-caught
         logger.error(f"Failed to post report to PR: {e}")
         return False

iam_validator/sdk/policy_utils.py

@@ -63,9 +63,13 @@ def normalize_policy(policy: IAMPolicy) -> IAMPolicy:
     """
     # Pydantic model already handles this via Field(alias="Statement")
     # which expects a list, but we can ensure it's always a list
-    statements: list[Statement] = (
-        policy.statement if isinstance(policy.statement, list) else [policy.statement]
-    )
+    if policy.statement is None:
+        statements: list[Statement] = []
+    elif isinstance(policy.statement, list):
+        statements = policy.statement
+    else:
+        # Single statement - wrap in list
+        statements = [policy.statement]
 
     # Normalize actions and resources in each statement
     normalized_statements: list[Statement] = []
@@ -118,6 +122,9 @@ def extract_actions(policy: IAMPolicy) -> list[str]:
     """
     actions = set()
 
+    if policy.statement is None:
+        return []
+
     for stmt in policy.statement:
         # Handle Action field
         if stmt.action:
@@ -150,6 +157,9 @@ def extract_resources(policy: IAMPolicy) -> list[str]:
     """
     resources = set()
 
+    if policy.statement is None:
+        return []
+
     for stmt in policy.statement:
         # Handle Resource field
         if stmt.resource:
@@ -181,7 +191,10 @@ def extract_condition_keys(policy: IAMPolicy) -> list[str]:
         >>> keys = extract_condition_keys(policy)
         >>> print(f"Policy uses condition keys: {', '.join(keys)}")
     """
-    condition_keys = set()
+    condition_keys: set[str] = set()
+
+    if policy.statement is None:
+        return []
 
     for stmt in policy.statement:
         if stmt.condition:
@@ -216,6 +229,9 @@ def find_statements_with_action(policy: IAMPolicy, action: str) -> list[Statemen
 
     matching_statements = []
 
+    if policy.statement is None:
+        return []
+
     for stmt in policy.statement:
         stmt_actions = stmt.get_actions()
 
@@ -250,6 +266,9 @@ def find_statements_with_resource(policy: IAMPolicy, resource: str) -> list[Stat
 
     matching_statements = []
 
+    if policy.statement is None:
+        return []
+
     for stmt in policy.statement:
         stmt_resources = stmt.get_resources()
 
@@ -286,7 +305,8 @@ def merge_policies(*policies: IAMPolicy) -> IAMPolicy:
 
     all_statements: list[Statement] = []
     for policy in policies:
-        all_statements.extend(policy.statement)
+        if policy.statement is not None:
+            all_statements.extend(policy.statement)
 
     # Use capitalized field names (aliases) for Pydantic model construction
     return IAMPolicy(
@@ -318,8 +338,9 @@ def get_policy_summary(policy: IAMPolicy) -> dict[str, Any]:
     condition_keys = extract_condition_keys(policy)
 
     # Count allow vs deny statements
-    allow_count = sum(1 for s in policy.statement if s.effect.lower() == "allow")
-    deny_count = sum(1 for s in policy.statement if s.effect.lower() == "deny")
+    statements = policy.statement or []
+    allow_count = sum(1 for s in statements if s.effect and s.effect.lower() == "allow")
+    deny_count = sum(1 for s in statements if s.effect and s.effect.lower() == "deny")
 
     # Check for wildcards
     has_wildcard_actions = any("*" in action for action in actions)
@@ -327,7 +348,7 @@ def get_policy_summary(policy: IAMPolicy) -> dict[str, Any]:
 
     return {
         "version": policy.version,
-        "statement_count": len(policy.statement),
+        "statement_count": len(statements),
         "allow_statements": allow_count,
         "deny_statements": deny_count,
         "action_count": len(actions),
@@ -396,6 +417,8 @@ def is_resource_policy(policy: IAMPolicy) -> bool:
         >>> if is_resource_policy(policy):
         ...     print("This is an S3 bucket policy or similar")
     """
+    if policy.statement is None:
+        return False
     return any(stmt.principal is not None for stmt in policy.statement)
 
 
@@ -414,6 +437,9 @@ def has_public_access(policy: IAMPolicy) -> bool:
         >>> if has_public_access(policy):
         ...     print("WARNING: This policy allows public access!")
     """
+    if policy.statement is None:
+        return False
+
     for stmt in policy.statement:
         if stmt.principal == "*":
             return True