Config Validator Scanner.

class ConfigValidatorScanner(global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules)


Config Validator Scanner.

Flatten Config Validator violations into a dict for each violation.


Parameters: violations (list) – The Config Validator violations to flatten.

Iterator of Config Validator violations as a dict per violation.


Output results.

Parameters: all_violations (List[RuleViolation]) – A list of flattened Config Validator violations.

Retrieves the data for scanner.

If iam_policy is not set, it will retrieve all the resources except IAM policies.

Parameters: iam_policy (bool) – Retrieve IAM policies only if set to true.
Yields: Asset – Config Validator Asset.
Raises: ValueError – if resources have an unexpected type.

Retrieve flattened violations by flattening the Config Validator violations returned by the Config Validator client.

If iam_policy is not set, it will retrieve violations from all resources except IAM policies.

Parameters: iam_policy (bool) – Retrieve flattened IAM policy violations.
Returns: A list of flattened violations.
Return type: list

Runs the Config Validator Scanner.

Note: The resource audit and the IAM policy audit are separated into 2 steps. That is mainly because there is no good way of identifying from the Config Validator validation output whether a violation is an IAM policy violation or a resource violation: the resource name is the same for both, so it would be hard for Forseti to retrieve the right resource_data for the corresponding violation type.
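
The sketch below is an added example, not Forseti's own code, showing why the note above matters: when a resource and its IAM policy share one name, a merged audit attaches the wrong resource_data, while two separate passes do not. Every function name, every field name other than resource_data, the violation type strings and the sample inventory are hypothetical and constructed for illustration.

```python
"""Two-pass audit sketch (hypothetical names; not Forseti's code)."""

# Constructed sample inventory: a bucket and its IAM policy share one name.
NAME = "//storage.googleapis.com/buckets/demo-bucket"
RESOURCES = {NAME: {"location": "US", "versioning": False}}
IAM_POLICIES = {NAME: {"bindings": [{"role": "roles/storage.objectViewer",
                                     "members": ["allUsers"]}]}}


def review(assets):
    """Stand-in validator: each violation carries only the resource name."""
    for name, data in assets.items():
        if data.get("versioning") is False:
            yield {"resource": name, "constraint": "require_versioning"}
        for binding in data.get("bindings", []):
            if "allUsers" in binding["members"]:
                yield {"resource": name, "constraint": "no_public_members"}


def flatten(violations, inventory, violation_type):
    """Attach resource_data from the inventory that this pass audited."""
    for v in violations:
        yield {"resource_name": v["resource"],
               "violation_type": violation_type,
               "rule_name": v["constraint"],
               "resource_data": inventory[v["resource"]]}


def run_two_pass():
    """Audit resources and IAM policies separately, then combine results."""
    found = list(flatten(review(RESOURCES), RESOURCES, "RESOURCE"))
    found += list(flatten(review(IAM_POLICIES), IAM_POLICIES, "IAM_POLICY"))
    return found


def run_single_pass():
    """Merged audit: a lookup by name alone cannot pick the right data."""
    violations = list(review(RESOURCES)) + list(review(IAM_POLICIES))
    merged = {**RESOURCES, **IAM_POLICIES}  # same key: policy replaces resource
    return [{"rule_name": v["constraint"],
             "resource_data": merged[v["resource"]]} for v in violations]
```

In the single-pass result the versioning violation ends up paired with the IAM policy bindings, which is the mismatch the two-step design avoids.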