prowler-compliance-review
BeliebtReviews Pull Requests that add or modify compliance frameworks. Trigger: When reviewing PRs with compliance framework changes, CIS/NIST/PCI-DSS additions, or compliance JSON files.
>
When to Use
- Reviewing PRs that add new compliance frameworks
- Reviewing PRs that modify existing compliance frameworks
- Validating compliance framework JSON structure before merge
Review Checklist (Critical)
| Check | Command/Method | Pass Criteria |
|---|---|---|
| JSON Valid | python3 -m json.tool file.json |
No syntax errors |
| All Checks Exist | Run validation script | 0 missing checks |
| No Duplicate IDs | Run validation script | 0 duplicate requirement IDs |
| CHANGELOG Entry | Manual review | Present under correct version |
| Dashboard File | Compare with existing | Follows established pattern |
| Framework Metadata | Manual review | All required fields populated |
Commands
# 1. Validate JSON syntax
python3 -m json.tool prowler/compliance/{provider}/{framework}.json > /dev/null \
&& echo "Valid JSON" || echo "INVALID JSON"
# 2. Run full validation script
python3 skills/prowler-compliance-review/assets/validate_compliance.py \
prowler/compliance/{provider}/{framework}.json
# 3. Compare dashboard with existing (find similar framework)
diff dashboard/compliance/{new_framework}.py \
dashboard/compliance/{existing_framework}.py
Decision Tree
JSON Valid?
├── No → FAIL: Fix JSON syntax errors
└── Yes ↓
All Checks Exist in Codebase?
├── Missing checks → FAIL: Add missing checks or remove from framework
└── All exist ↓
Duplicate Requirement IDs?
├── Yes → FAIL: Fix duplicate IDs
└── No ↓
CHANGELOG Entry Present?
├── No → REQUEST CHANGES: Add CHANGELOG entry
└── Yes ↓
Dashboard File Follows Pattern?
├── No → REQUEST CHANGES: Fix dashboard pattern
└── Yes ↓
Framework Metadata Complete?
├── No → REQUEST CHANGES: Add missing metadata
└── Yes → APPROVE
Framework Structure Reference
Compliance frameworks are JSON files in: prowler/compliance/{provider}/{framework}.json
{
"Framework": "CIS",
"Name": "CIS Provider Benchmark vX.Y.Z",
"Version": "X.Y",
"Provider": "AWS|Azure|GCP|...",
"Description": "Framework description...",
"Requirements": [
{
"Id": "1.1",
"Description": "Requirement description",
"Checks": ["check_name_1", "check_name_2"],
"Attributes": [
{
"Section": "1 Section Name",
"SubSection": "1.1 Subsection (optional)",
"Profile": "Level 1|Level 2",
"AssessmentStatus": "Automated|Manual",
"Description": "...",
"RationaleStatement": "...",
"ImpactStatement": "...",
"RemediationProcedure": "...",
"AuditProcedure": "...",
"AdditionalInformation": "...",
"References": "...",
"DefaultValue": "..."
}
]
}
]
}
Common Issues
| Issue | How to Detect | Resolution |
|---|---|---|
| Missing checks | Validation script reports missing | Add check implementation or remove from Checks array |
| Duplicate IDs | Validation script reports duplicates | Ensure each requirement has unique ID |
| Empty Checks for Automated | AssessmentStatus is Automated but Checks is empty | Add checks or change to Manual |
| Wrong file location | Framework not in prowler/compliance/{provider}/ |
Move to correct directory |
| Missing dashboard file | No corresponding dashboard/compliance/{framework}.py |
Create dashboard file following pattern |
| CHANGELOG missing | Not under correct version section | Add entry to prowler/CHANGELOG.md |
Dashboard File Pattern
Dashboard files must be in dashboard/compliance/ and follow this exact pattern:
import warnings
from dashboard.common_methods import get_section_containers_cis
warnings.filterwarnings("ignore")
def get_table(data):
aux = data[
[
"REQUIREMENTS_ID",
"REQUIREMENTS_DESCRIPTION",
"REQUIREMENTS_ATTRIBUTES_SECTION",
"CHECKID",
"STATUS",
"REGION",
"ACCOUNTID",
"RESOURCEID",
]
].copy()
return get_section_containers_cis(
aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
)
Testing the Compliance Framework
After validation passes, test the framework with Prowler:
# Verify framework is detected
poetry run python prowler-cli.py {provider} --list-compliance | grep {framework}
# Run a quick test with a single check from the framework
poetry run python prowler-cli.py {provider} --compliance {framework} --check {check_name}
# Run full compliance scan (dry-run with limited checks)
poetry run python prowler-cli.py {provider} --compliance {framework} --checks-limit 5
# Generate compliance report in multiple formats
poetry run python prowler-cli.py {provider} --compliance {framework} -M csv json html
Resources
- Validation Script: See assets/validate_compliance.py
- Related Skills: See prowler-compliance for creating frameworks
- Documentation: See references/review-checklist.md
You Might Also Like
Related Skills
create-pr
Creates GitHub pull requests with properly formatted titles that pass the check-pr-title CI validation. Use when creating PRs, submitting changes for review, or when the user says /pr or asks to create a pull request.
n8n-io
electron-chromium-upgrade
Guide for performing Chromium version upgrades in the Electron project. Use when working on the roller/chromium/main branch to fix patch conflicts during `e sync --3`. Covers the patch application workflow, conflict resolution, analyzing upstream Chromium changes, and proper commit formatting for patch fixes.
electron
pr-creator
Use this skill when asked to create a pull request (PR). It ensures all PRs follow the repository's established templates and standards.
google-gemini
clawdhub
Use the ClawdHub CLI to search, install, update, and publish agent skills from clawdhub.com. Use when you need to fetch new skills on the fly, sync installed skills to latest or a specific version, or publish new/updated skill folders with the npm-installed clawdhub CLI.
moltbottmux
Remote-control tmux sessions for interactive CLIs by sending keystrokes and scraping pane output.
moltbot
create-pull-request
Create a GitHub pull request following project conventions. Use when the user asks to create a PR, submit changes for review, or open a pull request. Handles commit analysis, branch management, and PR creation using the gh CLI tool.
cline