playbooks

home / skills / prowler-cloud / prowler / prowler-compliance-review

prowler-compliance-review skill

/skills/prowler-compliance-review

This skill reviews and validates compliance framework PRs, ensuring JSON integrity, metadata completeness, and dashboard alignment.

npx playbooks add skill prowler-cloud/prowler --skill prowler-compliance-review

Review the files below or copy the command above to add this skill to your agents.

Files (3)
SKILL.md
5.7 KB
---
name: prowler-compliance-review
description: >
  Reviews Pull Requests that add or modify compliance frameworks.
  Trigger: When reviewing PRs with compliance framework changes, CIS/NIST/PCI-DSS additions, or compliance JSON files.
license: Apache-2.0
metadata:
  author: prowler-cloud
  version: "1.0"
  scope: [root, sdk]
  auto_invoke: "Reviewing compliance framework PRs"
allowed-tools: Read, Edit, Write, Glob, Grep, Bash, WebFetch, WebSearch, Task
---

## When to Use

- Reviewing PRs that add new compliance frameworks
- Reviewing PRs that modify existing compliance frameworks
- Validating compliance framework JSON structure before merge

---

## Review Checklist (Critical)

| Check | Command/Method | Pass Criteria |
|-------|----------------|---------------|
| JSON Valid | `python3 -m json.tool file.json` | No syntax errors |
| All Checks Exist | Run validation script | 0 missing checks |
| No Duplicate IDs | Run validation script | 0 duplicate requirement IDs |
| CHANGELOG Entry | Manual review | Present under correct version |
| Dashboard File | Compare with existing | Follows established pattern |
| Framework Metadata | Manual review | All required fields populated |

---

## Commands

```bash
# 1. Validate JSON syntax
python3 -m json.tool prowler/compliance/{provider}/{framework}.json > /dev/null \
  && echo "Valid JSON" || echo "INVALID JSON"

# 2. Run full validation script
python3 skills/prowler-compliance-review/assets/validate_compliance.py \
  prowler/compliance/{provider}/{framework}.json

# 3. Compare dashboard with existing (find similar framework)
diff dashboard/compliance/{new_framework}.py \
     dashboard/compliance/{existing_framework}.py
```

---

## Decision Tree

```
JSON Valid?
├── No → FAIL: Fix JSON syntax errors
└── Yes ↓
    All Checks Exist in Codebase?
    ├── Missing checks → FAIL: Add missing checks or remove from framework
    └── All exist ↓
        Duplicate Requirement IDs?
        ├── Yes → FAIL: Fix duplicate IDs
        └── No ↓
            CHANGELOG Entry Present?
            ├── No → REQUEST CHANGES: Add CHANGELOG entry
            └── Yes ↓
                Dashboard File Follows Pattern?
                ├── No → REQUEST CHANGES: Fix dashboard pattern
                └── Yes ↓
                    Framework Metadata Complete?
                    ├── No → REQUEST CHANGES: Add missing metadata
                    └── Yes → APPROVE
```

---

## Framework Structure Reference

Compliance frameworks are JSON files in: `prowler/compliance/{provider}/{framework}.json`

```json
{
  "Framework": "CIS",
  "Name": "CIS Provider Benchmark vX.Y.Z",
  "Version": "X.Y",
  "Provider": "AWS|Azure|GCP|...",
  "Description": "Framework description...",
  "Requirements": [
    {
      "Id": "1.1",
      "Description": "Requirement description",
      "Checks": ["check_name_1", "check_name_2"],
      "Attributes": [
        {
          "Section": "1 Section Name",
          "SubSection": "1.1 Subsection (optional)",
          "Profile": "Level 1|Level 2",
          "AssessmentStatus": "Automated|Manual",
          "Description": "...",
          "RationaleStatement": "...",
          "ImpactStatement": "...",
          "RemediationProcedure": "...",
          "AuditProcedure": "...",
          "AdditionalInformation": "...",
          "References": "...",
          "DefaultValue": "..."
        }
      ]
    }
  ]
}
```

---

## Common Issues

| Issue | How to Detect | Resolution |
|-------|---------------|------------|
| Missing checks | Validation script reports missing | Add check implementation or remove from Checks array |
| Duplicate IDs | Validation script reports duplicates | Ensure each requirement has unique ID |
| Empty Checks for Automated | AssessmentStatus is Automated but Checks is empty | Add checks or change to Manual |
| Wrong file location | Framework not in `prowler/compliance/{provider}/` | Move to correct directory |
| Missing dashboard file | No corresponding `dashboard/compliance/{framework}.py` | Create dashboard file following pattern |
| CHANGELOG missing | Not under correct version section | Add entry to prowler/CHANGELOG.md |

---

## Dashboard File Pattern

Dashboard files must be in `dashboard/compliance/` and follow this exact pattern:

```python
import warnings

from dashboard.common_methods import get_section_containers_cis

warnings.filterwarnings("ignore")


def get_table(data):

    aux = data[
        [
            "REQUIREMENTS_ID",
            "REQUIREMENTS_DESCRIPTION",
            "REQUIREMENTS_ATTRIBUTES_SECTION",
            "CHECKID",
            "STATUS",
            "REGION",
            "ACCOUNTID",
            "RESOURCEID",
        ]
    ].copy()

    return get_section_containers_cis(
        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
    )
```

---

## Testing the Compliance Framework

After validation passes, test the framework with Prowler:

```bash
# Verify framework is detected
poetry run python prowler-cli.py {provider} --list-compliance | grep {framework}

# Run a quick test with a single check from the framework
poetry run python prowler-cli.py {provider} --compliance {framework} --check {check_name}

# Run full compliance scan (dry-run with limited checks)
poetry run python prowler-cli.py {provider} --compliance {framework} --checks-limit 5

# Generate compliance report in multiple formats
poetry run python prowler-cli.py {provider} --compliance {framework} -M csv json html
```

---

## Resources

- **Validation Script**: See [assets/validate_compliance.py](assets/validate_compliance.py)
- **Related Skills**: See [prowler-compliance](../prowler-compliance/SKILL.md) for creating frameworks
- **Documentation**: See [references/review-checklist.md](references/review-checklist.md)

Overview

This skill reviews Pull Requests that add or modify compliance frameworks for Prowler. It automates the review workflow by validating JSON structure, checking references to implemented checks, ensuring unique IDs, and confirming ancillary files like CHANGELOG and dashboard entries. The goal is to produce clear PASS / FAIL / REQUEST CHANGES outcomes for maintainers and contributors.

How this skill works

When triggered on PRs that touch prowler/compliance/, the skill runs JSON syntax validation and a dedicated validation script to detect missing checks and duplicate requirement IDs. It then verifies the presence and format of a corresponding dashboard file, checks for a CHANGELOG entry under the correct version, and confirms framework metadata and assessment-status consistency. Finally it outputs a decision according to the decision tree: approve, request changes, or fail with concrete remediation steps.

When to use it

  • Review PRs that add new compliance frameworks (CIS/NIST/PCI-DSS, etc.).
  • Review PRs that modify existing framework JSON files under prowler/compliance/{provider}/.
  • Validate compliance JSON structure and attributes before merge.
  • Check that listed Checks map to implemented check functions in the codebase.
  • Verify dashboard and CHANGELOG updates accompany framework changes.

Best practices

  • Run python3 -m json.tool on the JSON file first to catch syntax errors quickly.
  • Execute the provided validate_compliance.py script to detect missing checks and duplicate IDs.
  • Ensure AssessmentStatus matches the presence of Checks: Automated must have checks, otherwise use Manual.
  • Add or update a CHANGELOG entry under the correct version before requesting approval.
  • Create or update dashboard/compliance/{framework}.py following the exact pattern to avoid UI regressions.

Example use cases

  • A contributor opens a PR adding CIS benchmark JSON for a new provider — validate JSON, run the script, and ensure dashboard/CHANGELOG are present.
  • A PR modifies requirement IDs — detect duplicates and request fixes before merge.
  • A framework lists checks that aren’t implemented — fail the PR and point to missing check names.
  • Quick smoke test: confirm framework appears in prowler-cli --list-compliance and run a single-check scan with --check to validate runtime behavior.

FAQ

What causes an immediate FAIL?

Invalid JSON syntax, missing referenced checks in the codebase, or duplicate requirement IDs cause an immediate FAIL.

When do I REQUEST CHANGES instead of FAIL?

Request changes for missing CHANGELOG entries, dashboard files that don’t follow the pattern, or incomplete framework metadata—these are remediable without code changes.

How do I quickly validate a framework locally?

Use python3 -m json.tool for syntax, run the validate_compliance.py script, then run prowler-cli with --list-compliance and a single --check test.