Skip to content

[codex] Surface policy parse failures in scenario metadata#47

Merged
InfoSecHack merged 1 commit into
mainfrom
codex/policy-parse-failures-metadata
Jun 4, 2026
Merged

[codex] Surface policy parse failures in scenario metadata#47
InfoSecHack merged 1 commit into
mainfrom
codex/policy-parse-failures-metadata

Conversation

@InfoSecHack

Copy link
Copy Markdown
Owner

Summary

  • Add PipelineResult.policy_parse_failures and deterministic aggregation from per-account AccountData.policy_parse_failures.
  • Emit non-empty policy parse failures into ScenarioMetadata / scenario.json metadata.
  • Preserve collection_failures as a separate metadata field.
  • Add no-AWS focused tests for aggregation, serialization, empty behavior, deterministic ordering, and separation from service collection failures.

Root cause

IAM policy parsers already emitted structured PolicyParseFailure records into AccountData, but the pipeline never aggregated those records into PipelineResult or scenario metadata. A malformed IAM policy could therefore make the graph partial without a scenario-level signal.

Validation

  • python -m pytest -q tests/test_pipeline.py::TestPolicyParseFailureMetadata: 5 passed
  • ./scripts/check.sh: passed
  • ./scripts/test_fast.sh: 1964 passed
  • git diff --check: passed
  • Account/ARN scans: only pre-existing placeholder examples remain in source comments/help
  • Artifact scan: no matches

@InfoSecHack InfoSecHack marked this pull request as ready for review June 4, 2026 20:13
@InfoSecHack InfoSecHack merged commit da6e310 into main Jun 4, 2026
6 checks passed
@InfoSecHack InfoSecHack deleted the codex/policy-parse-failures-metadata branch June 4, 2026 20:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant