feat(allowlist): add yaml structure validator (#1735)

Co-authored-by: sergargar <sergio@verica.io>
2026-02-10 14:55:00 +00:00 · 2023-01-18 17:49:13 +01:00
parent 776ac9e3d4
commit c921782714
5 changed files with 1707 additions and 1665 deletions
--- a/1
+++ b/1
@@ -9,6 +9,7 @@ boto3 = "1.26.3"
 arnparse = "0.0.2"
 botocore = "1.27.8"
 pydantic = "1.9.1"
+schema = "0.7.5"
 shodan = "1.28.0"
 detect-secrets = "1.4.0"
 alive-progress = "2.4.1"
--- a/Pipfile.lock
+++ b/Pipfile.lock
--- a/docs/tutorials/allowlist.md
+++ b/docs/tutorials/allowlist.md
@@ -11,7 +11,7 @@ You can use `-w`/`--allowlist-file` with the path of your allowlist yaml file, b
    ### Resources is a list that can have either Regex or Keywords:
    ###########################  ALLOWLIST EXAMPLE  ###########################
    Allowlist:
-    Accounts:
+      Accounts:
        "123456789012":
        Checks:
            "iam_user_hardware_mfa_enabled":
--- a/prowler/providers/aws/lib/allowlist/allowlist.py
+++ b/prowler/providers/aws/lib/allowlist/allowlist.py
@@ -3,9 +3,14 @@ import sys

 import yaml
 from boto3.dynamodb.conditions import Attr
+from schema import Schema

 from prowler.lib.logger import logger

+allowlist_schema = Schema(
+    {"Accounts": {str: {"Checks": {str: {"Regions": list, "Resources": list}}}}}
+)
+

 def parse_allowlist_file(audit_info, allowlist_file):
    try:
@@ -56,9 +61,18 @@ def parse_allowlist_file(audit_info, allowlist_file):
        else:
            with open(allowlist_file) as f:
                allowlist = yaml.safe_load(f)["Allowlist"]
+                try:
+                    allowlist_schema.validate(allowlist)
+                except Exception as error:
+                    logger.critical(
+                        f"{error.__class__.__name__} -- Allowlist YAML is malformed - {error}[{error.__traceback__.tb_lineno}]"
+                    )
+                    sys.exit()
        return allowlist
    except Exception as error:
-        logger.critical(f"{error.__class__.__name__} -- {error}")
+        logger.critical(
+            f"{error.__class__.__name__} -- {error}[{error.__traceback__.tb_lineno}]"
+        )
        sys.exit()


--- a/pyproject.toml
+++ b/pyproject.toml
@@ -29,6 +29,7 @@ dependencies = [
  "arnparse ~=0.0.2",
  "botocore ~=1.29.18",
  "pydantic ~=1.9.1",
+  "schema ~=0.7.5",
  "shodan ~=1.28.0",
  "detect-secrets ~=1.4.0",
  "alive-progress ~=2.4.1",