prowler-compliance-review

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

When to Use

使用场景

Reviewing PRs that add new compliance frameworks
Reviewing PRs that modify existing compliance frameworks
Validating compliance framework JSON structure before merge

审核新增合规框架的PR
审核修改现有合规框架的PR
合并前验证合规框架JSON结构

Review Checklist (Critical)

审核检查清单（关键项）

Check	Command/Method	Pass Criteria
JSON Valid	`python3 -m json.tool file.json`	No syntax errors
All Checks Exist	Run validation script	0 missing checks
No Duplicate IDs	Run validation script	0 duplicate requirement IDs
CHANGELOG Entry	Manual review	Present under correct version
Dashboard File	Compare with existing	Follows established pattern
Framework Metadata	Manual review	All required fields populated

检查项	命令/方法	通过标准
JSON格式有效	`python3 -m json.tool file.json`	无语法错误
所有检查项存在	运行验证脚本	0项缺失检查
无重复ID	运行验证脚本	0项重复需求ID
CHANGELOG条目	人工审核	在对应版本下存在
仪表盘文件	与现有文件对比	遵循既定规范
框架元数据	人工审核	所有必填字段已填充

Commands

命令

bash

undefined

bash

undefined

1. Validate JSON syntax

1. 验证JSON语法

python3 -m json.tool prowler/compliance/{provider}/{framework}.json > /dev/null
&& echo "Valid JSON" || echo "INVALID JSON"

2. Run full validation script

2. 运行完整验证脚本

python3 skills/prowler-compliance-review/assets/validate_compliance.py
prowler/compliance/{provider}/{framework}.json

3. Compare dashboard with existing (find similar framework)

3. 对比仪表盘与现有文件（找到同类框架）

diff dashboard/compliance/{new_framework}.py
dashboard/compliance/{existing_framework}.py

---

diff dashboard/compliance/{new_framework}.py
dashboard/compliance/{existing_framework}.py

---

Decision Tree

决策树

JSON Valid?
├── No → FAIL: Fix JSON syntax errors
└── Yes ↓
    All Checks Exist in Codebase?
    ├── Missing checks → FAIL: Add missing checks or remove from framework
    └── All exist ↓
        Duplicate Requirement IDs?
        ├── Yes → FAIL: Fix duplicate IDs
        └── No ↓
            CHANGELOG Entry Present?
            ├── No → REQUEST CHANGES: Add CHANGELOG entry
            └── Yes ↓
                Dashboard File Follows Pattern?
                ├── No → REQUEST CHANGES: Fix dashboard pattern
                └── Yes ↓
                    Framework Metadata Complete?
                    ├── No → REQUEST CHANGES: Add missing metadata
                    └── Yes → APPROVE

JSON格式有效?
├── 否 → 不通过：修复JSON语法错误
└── 是 ↓
    代码库中存在所有检查项?
    ├── 存在缺失检查项 → 不通过：添加缺失检查项或从框架中移除
    └── 全部存在 ↓
        存在重复需求ID?
        ├── 是 → 不通过：修复重复ID
        └── 否 ↓
            CHANGELOG条目存在?
            ├── 否 → 请求变更：添加CHANGELOG条目
            └── 是 ↓
                仪表盘文件遵循规范?
                ├── 否 → 请求变更：修复仪表盘规范
                └── 是 ↓
                    框架元数据完整?
                    ├── 否 → 请求变更：补充缺失元数据
                    └── 是 → 审核通过

Framework Structure Reference

合规框架结构参考

Compliance frameworks are JSON files in:

prowler/compliance/{provider}/{framework}.json

json

{
  "Framework": "CIS",
  "Name": "CIS Provider Benchmark vX.Y.Z",
  "Version": "X.Y",
  "Provider": "AWS|Azure|GCP|...",
  "Description": "Framework description...",
  "Requirements": [
    {
      "Id": "1.1",
      "Description": "Requirement description",
      "Checks": ["check_name_1", "check_name_2"],
      "Attributes": [
        {
          "Section": "1 Section Name",
          "SubSection": "1.1 Subsection (optional)",
          "Profile": "Level 1|Level 2",
          "AssessmentStatus": "Automated|Manual",
          "Description": "...",
          "RationaleStatement": "...",
          "ImpactStatement": "...",
          "RemediationProcedure": "...",
          "AuditProcedure": "...",
          "AdditionalInformation": "...",
          "References": "...",
          "DefaultValue": "..."
        }
      ]
    }
  ]
}

合规框架为JSON文件，存储路径：

prowler/compliance/{provider}/{framework}.json

json

{
  "Framework": "CIS",
  "Name": "CIS Provider Benchmark vX.Y.Z",
  "Version": "X.Y",
  "Provider": "AWS|Azure|GCP|...",
  "Description": "Framework description...",
  "Requirements": [
    {
      "Id": "1.1",
      "Description": "Requirement description",
      "Checks": ["check_name_1", "check_name_2"],
      "Attributes": [
        {
          "Section": "1 Section Name",
          "SubSection": "1.1 Subsection (optional)",
          "Profile": "Level 1|Level 2",
          "AssessmentStatus": "Automated|Manual",
          "Description": "...",
          "RationaleStatement": "...",
          "ImpactStatement": "...",
          "RemediationProcedure": "...",
          "AuditProcedure": "...",
          "AdditionalInformation": "...",
          "References": "...",
          "DefaultValue": "..."
        }
      ]
    }
  ]
}

Common Issues

常见问题

Issue	How to Detect	Resolution
Missing checks	Validation script reports missing	Add check implementation or remove from Checks array
Duplicate IDs	Validation script reports duplicates	Ensure each requirement has unique ID
Empty Checks for Automated	AssessmentStatus is Automated but Checks is empty	Add checks or change to Manual
Wrong file location	Framework not in `prowler/compliance/{provider}/`	Move to correct directory
Missing dashboard file	No corresponding `dashboard/compliance/{framework}.py`	Create dashboard file following pattern
CHANGELOG missing	Not under correct version section	Add entry to prowler/CHANGELOG.md

问题	检测方式	解决方法
检查项缺失	验证脚本报告缺失	添加检查项实现或从Checks数组中移除
ID重复	验证脚本报告重复	确保每个需求ID唯一
自动化检查项为空	AssessmentStatus为Automated但Checks为空	添加检查项或改为Manual
文件路径错误	框架文件不在 `prowler/compliance/{provider}/` 目录下	移动至正确目录
仪表盘文件缺失	无对应 `dashboard/compliance/{framework}.py` 文件	遵循规范创建仪表盘文件
CHANGELOG缺失	未在对应版本章节下	向prowler/CHANGELOG.md添加条目

Dashboard File Pattern

仪表盘文件规范

Dashboard files must be in

dashboard/compliance/

and follow this exact pattern:

python

import warnings

from dashboard.common_methods import get_section_containers_cis

warnings.filterwarnings("ignore")


def get_table(data):

    aux = data[
        [
            "REQUIREMENTS_ID",
            "REQUIREMENTS_DESCRIPTION",
            "REQUIREMENTS_ATTRIBUTES_SECTION",
            "CHECKID",
            "STATUS",
            "REGION",
            "ACCOUNTID",
            "RESOURCEID",
        ]
    ].copy()

    return get_section_containers_cis(
        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
    )

仪表盘文件必须存储在

dashboard/compliance/

目录下，并严格遵循以下格式：

python

import warnings

from dashboard.common_methods import get_section_containers_cis

warnings.filterwarnings("ignore")


def get_table(data):

    aux = data[
        [
            "REQUIREMENTS_ID",
            "REQUIREMENTS_DESCRIPTION",
            "REQUIREMENTS_ATTRIBUTES_SECTION",
            "CHECKID",
            "STATUS",
            "REGION",
            "ACCOUNTID",
            "RESOURCEID",
        ]
    ].copy()

    return get_section_containers_cis(
        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
    )

Testing the Compliance Framework

合规框架测试

After validation passes, test the framework with Prowler:

bash

undefined

验证通过后，使用Prowler测试框架：

bash

undefined

Verify framework is detected

验证框架可被识别

poetry run python prowler-cli.py {provider} --list-compliance | grep {framework}

Run a quick test with a single check from the framework

运行框架中单个检查项的快速测试

poetry run python prowler-cli.py {provider} --compliance {framework} --check {check_name}

Run full compliance scan (dry-run with limited checks)

运行完整合规扫描（使用有限检查项进行试运行）

poetry run python prowler-cli.py {provider} --compliance {framework} --checks-limit 5

Generate compliance report in multiple formats

生成多种格式的合规报告

poetry run python prowler-cli.py {provider} --compliance {framework} -M csv json html

---

poetry run python prowler-cli.py {provider} --compliance {framework} -M csv json html

---

Resources

参考资源

Validation Script: See assets/validate_compliance.py
Related Skills: See prowler-compliance for creating frameworks
Documentation: See references/review-checklist.md

验证脚本：查看 assets/validate_compliance.py
相关技能：查看 prowler-compliance 了解框架创建方法
文档：查看 references/review-checklist.md