agskills.dev
MARKETPLACE

prowler-compliance-review

Reviews Pull Requests that add or modify compliance frameworks. Trigger: When reviewing PRs with compliance framework changes, CIS/NIST/PCI-DSS additions, or compliance JSON files.

prowler-cloud12.9k1.9k

معاينة

SKILL.md
Metadata
name
prowler-compliance-review
description
>
Trigger
When reviewing PRs with compliance framework changes, CIS/NIST/PCI-DSS additions, or compliance JSON files.
license
Apache-2.0
author
prowler-cloud
version
"1.0"
scope
[root, sdk]
auto_invoke
"Reviewing compliance framework PRs"
allowed-tools
Read, Edit, Write, Glob, Grep, Bash, WebFetch, WebSearch, Task

When to Use

  • Reviewing PRs that add new compliance frameworks
  • Reviewing PRs that modify existing compliance frameworks
  • Validating compliance framework JSON structure before merge

Review Checklist (Critical)

CheckCommand/MethodPass Criteria
JSON Validpython3 -m json.tool file.jsonNo syntax errors
All Checks ExistRun validation script0 missing checks
No Duplicate IDsRun validation script0 duplicate requirement IDs
CHANGELOG EntryManual reviewPresent under correct version
Dashboard FileCompare with existingFollows established pattern
Framework MetadataManual reviewAll required fields populated

Commands

# 1. Validate JSON syntax
python3 -m json.tool prowler/compliance/{provider}/{framework}.json > /dev/null \
  && echo "Valid JSON" || echo "INVALID JSON"

# 2. Run full validation script
python3 skills/prowler-compliance-review/assets/validate_compliance.py \
  prowler/compliance/{provider}/{framework}.json

# 3. Compare dashboard with existing (find similar framework)
diff dashboard/compliance/{new_framework}.py \
     dashboard/compliance/{existing_framework}.py

Decision Tree

JSON Valid?
├── No → FAIL: Fix JSON syntax errors
└── Yes ↓
    All Checks Exist in Codebase?
    ├── Missing checks → FAIL: Add missing checks or remove from framework
    └── All exist ↓
        Duplicate Requirement IDs?
        ├── Yes → FAIL: Fix duplicate IDs
        └── No ↓
            CHANGELOG Entry Present?
            ├── No → REQUEST CHANGES: Add CHANGELOG entry
            └── Yes ↓
                Dashboard File Follows Pattern?
                ├── No → REQUEST CHANGES: Fix dashboard pattern
                └── Yes ↓
                    Framework Metadata Complete?
                    ├── No → REQUEST CHANGES: Add missing metadata
                    └── Yes → APPROVE

Framework Structure Reference

Compliance frameworks are JSON files in: prowler/compliance/{provider}/{framework}.json

{
  "Framework": "CIS",
  "Name": "CIS Provider Benchmark vX.Y.Z",
  "Version": "X.Y",
  "Provider": "AWS|Azure|GCP|...",
  "Description": "Framework description...",
  "Requirements": [
    {
      "Id": "1.1",
      "Description": "Requirement description",
      "Checks": ["check_name_1", "check_name_2"],
      "Attributes": [
        {
          "Section": "1 Section Name",
          "SubSection": "1.1 Subsection (optional)",
          "Profile": "Level 1|Level 2",
          "AssessmentStatus": "Automated|Manual",
          "Description": "...",
          "RationaleStatement": "...",
          "ImpactStatement": "...",
          "RemediationProcedure": "...",
          "AuditProcedure": "...",
          "AdditionalInformation": "...",
          "References": "...",
          "DefaultValue": "..."
        }
      ]
    }
  ]
}

Common Issues

IssueHow to DetectResolution
Missing checksValidation script reports missingAdd check implementation or remove from Checks array
Duplicate IDsValidation script reports duplicatesEnsure each requirement has unique ID
Empty Checks for AutomatedAssessmentStatus is Automated but Checks is emptyAdd checks or change to Manual
Wrong file locationFramework not in prowler/compliance/{provider}/Move to correct directory
Missing dashboard fileNo corresponding dashboard/compliance/{framework}.pyCreate dashboard file following pattern
CHANGELOG missingNot under correct version sectionAdd entry to prowler/CHANGELOG.md

Dashboard File Pattern

Dashboard files must be in dashboard/compliance/ and follow this exact pattern:

import warnings

from dashboard.common_methods import get_section_containers_cis

warnings.filterwarnings("ignore")


def get_table(data):

    aux = data[
        [
            "REQUIREMENTS_ID",
            "REQUIREMENTS_DESCRIPTION",
            "REQUIREMENTS_ATTRIBUTES_SECTION",
            "CHECKID",
            "STATUS",
            "REGION",
            "ACCOUNTID",
            "RESOURCEID",
        ]
    ].copy()

    return get_section_containers_cis(
        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
    )

Testing the Compliance Framework

After validation passes, test the framework with Prowler:

# Verify framework is detected
poetry run python prowler-cli.py {provider} --list-compliance | grep {framework}

# Run a quick test with a single check from the framework
poetry run python prowler-cli.py {provider} --compliance {framework} --check {check_name}

# Run full compliance scan (dry-run with limited checks)
poetry run python prowler-cli.py {provider} --compliance {framework} --checks-limit 5

# Generate compliance report in multiple formats
poetry run python prowler-cli.py {provider} --compliance {framework} -M csv json html

Resources