fix(sdk): skip strict CheckMetadata validators for external tool providers#10363
Merged
Conversation
- Use "vulnerabilities" (plural) category to match VALID_CATEGORIES
- Move Trivy PrimaryURL to AdditionalURLs (Recommendation.Url requires hub.prowler.com prefix)
- Update test assertions for new category value
- Truncate Description and Risk to 400 chars max
- Truncate CheckTitle to 150 chars max
…iders
- Extend EXTERNAL_TOOL_PROVIDERS bypass to CheckTitle, Description, Risk, RelatedUrl, Recommendation URL, and Categories validators
- Add tests verifying bypass for external tools and strict enforcement for native providers
✅ Conflict Markers Resolved: All conflict markers have been successfully resolved in this pull request.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##           master   #10363       +/-   ##
===========================================
+ Coverage    5.75%   65.99%   +60.24%
===========================================
  Files         834       94      -740
  Lines       23717     6594    -17123
===========================================
+ Hits         1365     4352     +2987
+ Misses      22352     2242    -20110
🔒 Container Security Scan
Image:
📊 Vulnerability Summary: 3 package(s) affected
…rovider The validator bypass for external tool providers makes the [:150] and [:400] truncations unnecessary, preserving full Trivy finding data.
jfagoagas approved these changes on Mar 18, 2026

Context
PR #8583 added strict validation to `CheckMetadata`. External tool providers (image, iac, llm) build metadata dynamically at runtime from tool output (e.g. Trivy, promptfoo), not from curated `.metadata.json` files. Several validators now reject valid external tool data (long descriptions, non-hub URLs, custom categories).

Description
Extend the existing `EXTERNAL_TOOL_PROVIDERS` bypass pattern (already used by `ServiceName`, `CheckID`, and `CheckType` validators) to 6 additional validators:
- `hub.prowler.com` prefix check
- `VALID_CATEGORIES` whitelist check (format validation still applies)

Native providers (aws, azure, gcp, etc.) continue to receive full strict validation.
Steps to review
- `prowler/lib/check/models.py` — each follows the same `values.get("Provider") not in EXTERNAL_TOOL_PROVIDERS` pattern
- `pytest -xvs tests/lib/check/models_test.py::TestExternalToolProviderValidatorBypass`

Checklist
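As an added example (not code from the Prowler repository), here is the bypass pattern the description refers to, sketched in plain Python rather than Pydantic so it runs stand-alone. The provider set, the category whitelist, the 400-character limit and the hub prefix are assumed values modelled on this PR's text; the real validators live in prowler/lib/check/models.py.

```python
"""Dependency-free sketch of the EXTERNAL_TOOL_PROVIDERS validator bypass.

Added example, not Prowler code. Plain functions stand in for the Pydantic
validators; each strict rule is skipped when the Provider is an external tool,
while rules that guard format (not curation) still run for everyone.
"""
import re

# Assumed values modelled on the PR text; the real sets live in Prowler.
EXTERNAL_TOOL_PROVIDERS = {"image", "iac", "llm"}
VALID_CATEGORIES = {"vulnerabilities", "secrets"}  # constructed subset
HUB_PREFIX = "https://hub.prowler.com/"
DESCRIPTION_MAX = 400  # assumed limit, matching the 400-char truncation above
CATEGORY_FORMAT = re.compile(r"^[a-z0-9-]+$")  # format rule applied to all


def is_external_tool(values: dict) -> bool:
    """The bypass condition every relaxed validator checks first."""
    return values.get("Provider") in EXTERNAL_TOOL_PROVIDERS


def validate_description(values: dict, description: str) -> str:
    # Length limit only for native providers; Trivy text may be longer.
    if not is_external_tool(values) and len(description) > DESCRIPTION_MAX:
        raise ValueError(f"Description longer than {DESCRIPTION_MAX} chars")
    return description


def validate_recommendation_url(values: dict, url: str) -> str:
    # Native checks must link to the hub; external tools keep their own URLs.
    if not is_external_tool(values) and not url.startswith(HUB_PREFIX):
        raise ValueError(f"Recommendation.Url must start with {HUB_PREFIX}")
    return url


def validate_categories(values: dict, categories: list) -> list:
    # Format validation still applies to every provider...
    for category in categories:
        if not CATEGORY_FORMAT.match(category):
            raise ValueError(f"Malformed category: {category!r}")
    # ...but only native providers are held to the VALID_CATEGORIES whitelist.
    if not is_external_tool(values):
        unknown = set(categories) - VALID_CATEGORIES
        if unknown:
            raise ValueError(f"Unknown categories: {sorted(unknown)}")
    return categories


def build_metadata(provider: str, description: str, url: str, categories: list) -> dict:
    """Run the validators in field order, as a model builds its values dict."""
    values = {"Provider": provider}
    values["Description"] = validate_description(values, description)
    values["RecommendationUrl"] = validate_recommendation_url(values, url)
    values["Categories"] = validate_categories(values, categories)
    return values
```

Because `Provider` is validated first, every later validator can read it from `values`; a field declared before `Provider` could not use this bypass.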
Community Checklist
SDK/CLI
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.