chore(outputs): raise an error when using -M asff for a provider other than aws (#9225)

2026-01-25 02:08:11 +00:00 · 2025-11-13 16:53:22 +01:00
parent d1380fc19d
commit 866edfb167
6 changed files with 45 additions and 4 deletions
--- a/docs/user-guide/cli/tutorials/reporting.mdx
+++ b/docs/user-guide/cli/tutorials/reporting.mdx
@@ -59,7 +59,7 @@ Prowler natively supports the following reporting output formats:

 - CSV
 - JSON-OCSF
- JSON-ASFF
+- JSON-ASFF (AWS only)
 - HTML

 Hereunder is the structure for each of the supported report formats by Prowler:
@@ -285,10 +285,10 @@ The JSON-OCSF output format implements the [Detection Finding](https://schema.oc
 Each finding is a `json` object within a list.

 </Note>
-### JSON-ASFF
+### JSON-ASFF (AWS Only)

 <Note>
-Only available when using `--security-hub` or `--output-formats json-asff`
+Only available when using `--security-hub` or `--output-formats json-asff` with the AWS provider.

 </Note>
 The following code is an example output of the [JSON-ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-syntax.html) format:
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -51,6 +51,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update oraclecloud cloudguard service metadata to new format [(#9223)](https://github.com/prowler-cloud/prowler/pull/9223)
 - Update oraclecloud blockstorage service metadata to new format [(#9222)](https://github.com/prowler-cloud/prowler/pull/9222)
 - Update oraclecloud audit service metadata to new format [(#9221)](https://github.com/prowler-cloud/prowler/pull/9221)
+- Raise ASFF output error for non-AWS providers [(#9225)](https://github.com/prowler-cloud/prowler/pull/9225)

 ---

--- a/prowler/main.py
+++ b/prowler/main.py
@@ -573,7 +573,6 @@ def prowler():
                generated_outputs["compliance"].append(prowler_threatscore)
                prowler_threatscore.batch_write_data_to_file()
            elif compliance_name.startswith("ccc_"):
-
                filename = (
                    f"{output_options.output_directory}/compliance/"
                    f"{output_options.output_filename}_{compliance_name}.csv"
--- a/prowler/lib/cli/parser.py
+++ b/prowler/lib/cli/parser.py
@@ -15,6 +15,7 @@ from prowler.lib.check.models import Severity
 from prowler.lib.outputs.common import Status
 from prowler.providers.common.arguments import (
    init_providers_parser,
+    validate_asff_usage,
    validate_provider_arguments,
 )

@@ -135,6 +136,12 @@ Detailed documentation at https://docs.prowler.com
        if not valid:
            self.parser.error(f"{args.provider}: {message}")

+        asff_is_valid, asff_error = validate_asff_usage(
+            args.provider, getattr(args, "output_formats", None)
+        )
+        if not asff_is_valid:
+            self.parser.error(asff_error)
+
        return args

    def __set_default_provider__(self, args: list) -> list:
--- a/prowler/providers/common/arguments.py
+++ b/prowler/providers/common/arguments.py
@@ -1,6 +1,7 @@
 import sys
 from argparse import Namespace
 from importlib import import_module
+from typing import Optional, Sequence

 from prowler.lib.logger import logger
 from prowler.providers.common.provider import Provider, providers_path
@@ -53,3 +54,19 @@ def validate_provider_arguments(arguments: Namespace) -> tuple[bool, str]:
            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
        )
        sys.exit(1)
+
+
+def validate_asff_usage(
+    provider: Optional[str], output_formats: Optional[Sequence[str]]
+) -> tuple[bool, str]:
+    """Ensure json-asff output is only requested for the AWS provider."""
+    if not output_formats or "json-asff" not in output_formats:
+        return (True, "")
+
+    if provider == "aws":
+        return (True, "")
+
+    return (
+        False,
+        f"json-asff output format is only available for the aws provider, but {provider} was selected",
+    )
--- a/tests/lib/cli/parser_test.py
+++ b/tests/lib/cli/parser_test.py
@@ -1235,6 +1235,23 @@ class Test_Parser:
            == f"{prowler_default_usage_error}\nprowler: error: unrecognized arguments: --subscription-ids\n"
        )

+    def test_parser_non_aws_with_json_asff_output(self, capsys):
+        command = [
+            prowler_command,
+            "azure",
+            "--sp-env-auth",
+            "--output-formats",
+            "json-asff",
+        ]
+        with pytest.raises(SystemExit) as wrapped_exit:
+            _ = self.parser.parse(command)
+        assert wrapped_exit.type == SystemExit
+        assert wrapped_exit.value.code == 2
+        assert (
+            capsys.readouterr().err
+            == f"{prowler_default_usage_error}\nprowler: error: json-asff output format is only available for the aws provider, but azure was selected\n"
+        )
+
    def test_parser_gcp_auth_credentials_file(self):
        argument = "--credentials-file"
        file = "test.json"