Auto-generate cloud provider permissions manifest#6978
Merged
Add a Go tool that statically analyzes provider resource source files to extract all cloud API calls and maps them to IAM/RBAC permissions. The tool produces a JSON manifest per provider listing every permission required for a full scan.

Integrated into the Makefile build pipeline so manifests are regenerated automatically when providers are built. Also adds `make providers/permissions` as a standalone convenience target.

Closes #6977

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Use deterministic timestamp (SOURCE_DATE_EPOCH or git commit time) instead of time.Now() for reproducible builds
- Guard against empty resource string in gcpRESTToPermission to prevent index-out-of-range panic
- Guard against empty service string in azureServiceToARM
- Move AggregatedList check before List check in gcpMethodToPermission to correctly parse methods like AggregatedListInstances
- Use filepath.WalkDir to recurse into subdirectories when scanning for Go source files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Output permissions JSON to providers/<name>/resources/ instead of providers/<name>/dist/ so the files are tracked in git and always available to users without requiring a build.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| // listGoFiles returns all non-test, non-generated .go files in a directory tree. | ||
| func listGoFiles(dir string) []string { | ||
| var files []string | ||
| _ = filepath.WalkDir(dir, func(path string, d os.DirEntry, err error) error { |
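Review bot: listGoFiles has no way to report failure: the result of filepath.WalkDir is discarded, so a missing or unreadable dir yields an empty slice, and downstream that becomes an empty permissions manifest that looks like a valid result (a scan run with that manifest would silently lack required permissions). Return ([]string, error), propagate the WalkDir error, and have the callback return its err argument for entries it cannot read so main() can fail with a clear message instead of writing the empty file.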
🔵 suggestion — Previous finding still unresolved: _ = filepath.WalkDir(dir, ...) silently swallows errors. If dir doesn't exist or is unreadable, the caller gets an empty slice with no indication of failure. Consider returning ([]string, error) and propagating the WalkDir error, so main() can log a meaningful message instead of producing an empty manifest.
Summary
- New tool (`providers-sdk/v1/util/permissions/permissions.go`) that uses Go AST parsing to statically analyze provider resource files and extract every cloud API call, mapping them to IAM/RBAC permissions
- Integrated into the `buildProvider` and `buildProviderDist` Makefile macros so permission manifests are automatically regenerated whenever a provider is built
- `make providers/permissions` as a standalone convenience target
- `<provider>.permissions.json` in each provider's `dist/` directory

Output format

```json
{
  "provider": "aws",
  "version": "13.2.4",
  "generated_at": "2026-03-18T17:28:20Z",
  "permissions": ["ec2:DescribeInstances", "s3:ListBuckets", ...],
  "details": [
    {"permission": "ec2:DescribeInstances", "service": "ec2", "action": "DescribeInstances", "source_file": "aws_ec2.go"},
    ...
  ]
}
```

How it works

- AWS: `conn.<Service>(region)` variable assignments and their method calls (e.g., `svc.DescribeInstances`) + paginator constructors (`ec2.NewDescribeInstancesPaginator`). Maps SDK method names 1:1 to IAM actions.
- GCP: REST client method calls (e.g., `computeSvc.Regions.List`) and gRPC client method calls (`client.ListKeyRings`). Maps to `service.resource.verb` format.
- Azure: client constructors (e.g., `compute.NewVirtualMachinesClient`) and their pager/get calls. Maps to `Microsoft.Provider/resourceType/read` format.

Closes #6977
Test plan
- `go vet` passes on the new tool
- `make providers/permissions` generates correct JSON for all 3 providers
- `make providers` build works with permissions extraction integrated

🤖 Generated with Claude Code
sample generated aws permissions file:
aws.permissions.json
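As an added illustration of the AWS extraction described under "How it works" (example code written for this page, not the PR's own implementation): parse a constructed resource file with go/ast, remember which variables were assigned from `conn.<Service>(...)`, and map their method calls plus `New<Action>Paginator` constructors to `service:Action`. The sample source, the `conn` receiver name and the `ExtractAwsPermissions` function are assumptions.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Constructed sample of a provider resource file (hypothetical, not taken from the repo).
const sampleSrc = `package aws
func instances(conn *AwsConnection, ctx Ctx) {
	svc := conn.Ec2("us-east-1")
	svc.DescribeInstances(ctx, nil)
	ec2.NewDescribeVolumesPaginator(svc, nil)
}`

// ExtractAwsPermissions returns IAM actions ("service:Action") implied by calls on conn.<Service>(...) clients and New<Action>Paginator constructors in src.
func ExtractAwsPermissions(src string) (map[string]bool, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	assigned := map[ast.Expr]string{} // RHS call expression -> variable it is assigned to
	clients := map[string]string{}    // client variable -> IAM service prefix (svc -> ec2)
	perms := map[string]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.AssignStmt: // visited before its RHS, so the CallExpr case can look itself up
			if lhs, ok := x.Lhs[0].(*ast.Ident); ok {
				assigned[x.Rhs[0]] = lhs.Name
			}
		case *ast.CallExpr:
			if sel, ok := x.Fun.(*ast.SelectorExpr); ok {
				if recv, ok := sel.X.(*ast.Ident); ok {
					m := sel.Sel.Name
					if v, ok := assigned[x]; ok && recv.Name == "conn" { // svc := conn.Ec2(region)
						clients[v] = strings.ToLower(m)
					} else if svc, ok := clients[recv.Name]; ok { // svc.DescribeInstances(...)
						perms[svc+":"+m] = true
					} else if strings.HasPrefix(m, "New") && strings.HasSuffix(m, "Paginator") {
						perms[recv.Name+":"+strings.TrimSuffix(strings.TrimPrefix(m, "New"), "Paginator")] = true
					}
				}
			}
		}
		return true
	})
	return perms, nil
}
```

A parse error is returned rather than swallowed, so a broken source file cannot quietly produce a partial permission set.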