Skip to main content
prowler-compliance-review Reviews Pull Requests that add or modify compliance frameworks.
Trigger: When reviewing PRs with compliance framework changes, CIS/NIST/PCI-DSS additions, or compliance JSON files.
npx skills add prowler-cloud/prowler --skill prowler-compliance-review Read, Edit, Write, Glob, Grep, Bash, WebFetch, WebSearch, Task security security-tools security-audit security-hardening hardening aws
When to Use
Reviewing PRs that add new compliance frameworks
Reviewing PRs that modify existing compliance frameworks
Validating compliance framework JSON structure before merge
Review Checklist (Critical)
Check Command/Method Pass Criteria JSON Valid python3 -m json.tool file.jsonNo syntax errors All Checks Exist Run validation script 0 missing checks No Duplicate IDs Run validation script 0 duplicate requirement IDs Changelog fragment Manual review Fragment present under prowler/changelog.d/ Dashboard File Compare with existing Follows established pattern Framework Metadata
All required fields populated
Commands # 1. Validate JSON syntax
python3 -m json.tool prowler/compliance/{provider}/{framework}.json > /dev/null \
&& echo "Valid JSON" || echo "INVALID JSON"
# 2. Run full validation script
python3 skills/prowler-compliance-review/assets/validate_compliance.py \
prowler/compliance/{provider}/{framework}.json
# 3. Compare dashboard with existing (find similar framework)
diff dashboard/compliance/{new_framework}.py \
dashboard/compliance/{existing_framework}.py
Decision Tree JSON Valid?
├── No → FAIL: Fix JSON syntax errors
└── Yes ↓
All Checks Exist in Codebase?
├── Missing checks → FAIL: Add missing checks or remove from framework
└── All exist ↓
Duplicate Requirement IDs?
├── Yes → FAIL: Fix duplicate IDs
└── No ↓
Changelog Fragment Present?
├── No → REQUEST CHANGES: Add changelog fragment
└── Yes ↓
Dashboard File Follows Pattern?
├── No → REQUEST CHANGES: Fix dashboard pattern
└── Yes ↓
Framework Metadata Complete?
├── No → REQUEST CHANGES: Add missing metadata
└── Yes → APPROVE
Framework Structure Reference Compliance frameworks are JSON files in: prowler/compliance/{provider}/{framework}.json
{
"Framework": "CIS",
"Name": "CIS Provider Benchmark vX.Y.Z",
"Version": "X.Y",
"Provider": "AWS|Azure|GCP|...",
"Description": "Framework description...",
"Requirements": [
{
"Id": "1.1",
"Description": "Requirement description",
"Checks": ["check_name_1", "check_name_2"],
"Attributes": [
{
"Section": "1 Section Name",
"SubSection": "1.1 Subsection (optional)",
"Profile": "Level 1|Level 2",
"AssessmentStatus": "Automated|Manual",
"Description": "...",
"RationaleStatement": "...",
"ImpactStatement": "...",
"RemediationProcedure": "...",
"AuditProcedure": "...",
"AdditionalInformation": "...",
"References": "...",
"DefaultValue": "..."
}
]
}
]
}
Common Issues Issue How to Detect Resolution Missing checks Validation script reports missing Add check implementation or remove from Checks array Duplicate IDs Validation script reports duplicates Ensure each requirement has unique ID Empty Checks for Automated AssessmentStatus is Automated but Checks is empty Add checks or change to Manual Wrong file location Framework not in prowler/compliance/{provider}/ Move to correct directory Missing dashboard file No corresponding dashboard/compliance/{framework}.py Create dashboard file following pattern Changelog fragment missing No fragment file in the PR diff Add a fragment under prowler/changelog.d/
Dashboard File Pattern Dashboard files must be in dashboard/compliance/ and follow this exact pattern:
import warnings
from dashboard.common_methods import get_section_containers_cis
warnings.filterwarnings("ignore")
def get_table(data):
aux = data[
[
"REQUIREMENTS_ID",
"REQUIREMENTS_DESCRIPTION",
"REQUIREMENTS_ATTRIBUTES_SECTION",
"CHECKID",
"STATUS",
"REGION",
"ACCOUNTID",
"RESOURCEID",
]
].copy()
return get_section_containers_cis(
aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
)
Testing the Compliance Framework After validation passes, test the framework with Prowler:
# Verify framework is detected
uv run python prowler-cli.py {provider} --list-compliance | grep {framework}
# Run a quick test with a single check from the framework
uv run python prowler-cli.py {provider} --compliance {framework} --check {check_name}
# Run full compliance scan (dry-run with limited checks)
uv run python prowler-cli.py {provider} --compliance {framework} --checks-limit 5
# Generate compliance report in multiple formats
uv run python prowler-cli.py {provider} --compliance {framework} -M csv json html
Resources Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple accounts and message composition with MML (MIME Meta Language).