{"id":30178294,"url":"https://github.com/panther-labs/panther_analysis_tool","last_synced_at":"2026-03-16T18:05:33.580Z","repository":{"id":37052028,"uuid":"248343610","full_name":"panther-labs/panther_analysis_tool","owner":"panther-labs","description":"Command line tool for working with Panther rules and policies","archived":false,"fork":false,"pushed_at":"2025-08-06T14:20:44.000Z","size":1739,"stargazers_count":40,"open_issues_count":4,"forks_count":27,"subscribers_count":23,"default_branch":"main","last_synced_at":"2025-08-06T16:27:28.863Z","etag":null,"topics":["python","security"],"latest_commit_sha":null,"homepage":"https://panther.com/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/panther-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-03-18T21:09:44.000Z","updated_at":"2025-07-30T15:32:21.000Z","dependencies_parsed_at":"2024-03-07T21:33:34.513Z","dependency_job_id":"47988b1a-6221-4818-ba4e-cb8c9884fe8c","html_url":"https://github.com/panther-labs/panther_analysis_tool","commit_stats":{"total_commits":209,"total_committers":39,"mean_commits":5.358974358974359,"dds":0.8229665071770335,"last_synced_commit":"c7e82806bb1d41109f46eb4e91715269315c2f3f"},"previous_names":[],"tags_count":140,"template":false,"template_full_name":null,"purl":"pkg:github/panther-labs/panther_analysis_tool","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panther-labs%2Fpanther_analysis_tool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panther-labs%2Fpanther_analysis_tool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panther-labs%2Fpanther_analysis_tool/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panther-labs%2Fpanther_analysis_tool/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/panther-labs","download_url":"https://codeload.github.com/panther-labs/panther_analysis_tool/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/panther-labs%2Fpanther_analysis_tool/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270005591,"owners_count":24510939,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-12T02:00:09.011Z","response_time":80,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["python","security"],"created_at":"2025-08-12T05:20:05.599Z","updated_at":"2026-03-16T18:05:33.574Z","avatar_url":"https://github.com/panther-labs.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Panther Analysis Tool\n\n[Panther Analysis Tool](https://github.com/panther-labs/panther_analysis_tool)\nis a Python application for testing, packaging, and deploying Panther\nDetections.\n\nFor further details, see [Quick Start](https://docs.panther.com/quick-start) and\n[Panther Documentation](https://docs.panther.com/).\n\n## Installation\n\n### Prerequisites\n\n- **Python 3.11**: Install Python using one of the following methods:\n  - The download links on the [official release page](https://www.python.org/downloads/release/python-3119/)\n  - Using [Homebrew](https://brew.sh/), by running `brew install python@3.11`\n  - Using [pyenv](https://github.com/pyenv/pyenv) to manage Python versions\n  - Using [uv](https://docs.astral.sh/uv/) to manage Python versions: `uv python install 3.11`\n- **Pipenv**: To install [Pipenv](https://pipenv.pypa.io/en/latest/), run `pip install --user pipenv`\n\n### From PyPi\n\nUse pip to install\n[panther_analysis_tool package](https://pypi.org/project/panther-analysis-tool/)\nfrom PyPi:\n\n```shell\npip3 install panther_analysis_tool\n```\n\nOr with `uv`:\n\n```shell\nuv add panther_analysis_tool\n```\n\nOr without a virtual environment:\n\n```shell\nmake deps\npip3 install -e .\n```\n\n### From source\n\n```shell\nmake install\npipenv run -- pip3 install -e .\n```\n\n## Usage\n\n### Help\n\nShow available commands and their options:\n\n```bash\n$ panther_analysis_tool -h\nusage: panther_analysis_tool [-h] [--version] [--debug] [--skip-version-check] {release,test,publish,upload,delete,update-custom-schemas,test-lookup-table,validate,zip,check-connection,benchmark,enrich-test-data} ...\n\nPanther Analysis Tool: A command line tool for managing Panther policies and rules.\n\npositional arguments:\n  {release,test,publish,upload,delete,update-custom-schemas,test-lookup-table,validate,zip,check-connection,benchmark,enrich-test-data}\n    release             Create release assets for repository containing panther detections. Generates a file called panther-analysis-all.zip and optionally generates panther-analysis-all.sig\n    test                Validate analysis specifications and run policy and rule tests.\n    debug               Run a single rule test in a debug environment, which allows you to see print statements and use breakpoints.\n    publish             Publishes a new release, generates the release assets, and uploads them. Generates a file called panther-analysis-all.zip and optionally generates panther-analysis-all.sig\n    upload              Upload specified policies and rules to a Panther deployment.\n    delete              Delete policies, rules, or saved queries from a Panther deployment\n    update-custom-schemas\n                        Update or create custom schemas on a Panther deployment.\n    test-lookup-table   Validate a Lookup Table spec file.\n    validate            Validate your bulk uploads against your panther instance\n    zip                 Create an archive of local policies and rules for uploading to Panther.\n    check-connection    Check your Panther API connection\n    benchmark           Performance test one rule against one of its log types. The rule must be the only item in the working directory or specified by --path, --ignore-files, and --filter. This feature is an extension\n                        of Data Replay and is subject to the same limitations.\n    enrich-test-data    Enrich test data with additional enrichments from the Panther API.\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --version             show program's version number and exit\n  --debug\n  --skip-version-check\n```\n\n### Test\n\nRun tests for a given path:\n\n```bash\n$ panther_analysis_tool test --path tests/fixtures/valid_policies/\n[INFO]: Testing analysis packs in tests/fixtures/valid_policies/\n\nAWS.IAM.MFAEnabled\n    [PASS] Root MFA not enabled fails compliance\n    [PASS] User MFA not enabled fails compliance\n```\n\nRun a specific unit test of a rule:\n\n```bash\n$ panther_analysis_tool test --filter RuleID=AWS.IAM.AccessKeyCompromised --test-names \"An AWS Access Key was Uploaded to Github\"\n[INFO]: Testing analysis items in .\n\nAWS.IAM.AccessKeyCompromised\n        [PASS] An AWS Access Key was Uploaded to Github\n```\n\nRun specific unit tests of a rule:\n\n```bash\n$ panther_analysis_tool test --filter RuleID=AWS.CloudTrail.Stopped --test-names \"CloudTrail Was Stopped\" \"Error Stopping CloudTrail\"\n[INFO]: Testing analysis items in .\n\n        [PASS] CloudTrail Was Stopped\n        ...\n        [PASS] Error Stopping CloudTrail\n                [PASS] [rule] false\n```\n\n### Debug\n\nRun a specific unit test in debug mode:\n\n```bash\npanther_analysis_tool debug My.RuleID \"My unit test name\"\n```\n\nSee print statements like\n\n```bash\nINFO: Testing analysis items in /panther-analysis/rules/debug\nDebug.RuleThatPrints\nHello world!\n```\n\nOr see your errors with traceback info:\n\n```bash\nINFO: Testing analysis items in /panther-analysis/rules/debug\nDebug.RuleWithError\nERROR: Test exception for debug tracing\n  File \"/panther-analysis/rules/debug/rule_with_error.py\", line 4, in rule\n    sub_func()\n  File \"/panther-analysis/rules/debug/rule_with_error.py\", line 7, in sub_func\n    raise ValueError('Test exception for debug tracing')\n```\n\n\n### Upload\n\nCreate packages to upload through the Panther UI:\n\n```bash\n$ panther_analysis_tool zip --path tests/fixtures/valid_policies/ --out tmp\n[INFO]: Testing analysis packs in tests/fixtures/valid_policies/\n\nAWS.IAM.MFAEnabled\n    [PASS] Root MFA not enabled fails compliance\n    [PASS] User MFA not enabled fails compliance\n\n[INFO]: Zipping analysis packs in tests/fixtures/valid_policies/ to tmp\n[INFO]: \u003ccurrent working directory\u003e/tmp/panther-analysis-2020-03-23T12-48-18.zip\n```\n\nOr upload packages directly into Panther:\n\n```bash\n$ panther_analysis_tool upload --path tests/fixtures/valid_policies/ --out tmp\n[INFO]: Testing analysis packs in tests/fixtures/valid_policies/\n\nAWS.IAM.MFAEnabled\n    [PASS] Root MFA not enabled fails compliance\n    [PASS] User MFA not enabled fails compliance\n\nAWS.IAM.BetaTest\n    [PASS] Root MFA not enabled fails compliance\n    [PASS] User MFA not enabled fails compliance\n\nAWS.CloudTrail.MFAEnabled\n    [PASS] Root MFA not enabled fails compliance\n    [PASS] User MFA not enabled fails compliance\n\n[INFO]: Zipping analysis packs in tests/fixtures/valid_policies/ to tmp\n[INFO]: Found credentials in environment variables.\n[INFO]: Uploading pack to Panther\n[INFO]: Upload success.\n[INFO]: API Response:\n{\n  \"modifiedPolicies\": 0,\n  \"modifiedRules\": 0,\n  \"newPolicies\": 2,\n  \"newRules\": 1,\n  \"totalPolicies\": 2,\n  \"totalRules\": 1\n}\n```\n\n### Filtering\n\nThe `test`, `zip`, and `upload` commands all support filtering. Filtering works\nby passing the `--filter` argument with a list of filters specified in the\nformat `KEY=VALUE1,VALUE2`. The keys can be any valid field in a policy or rule.\nWhen using a filter, only anaylsis that matches each filter specified will be\nconsidered. For example, the following command will test only items with the\nAnalysisType as `policy` AND severity as `High`:\n\n```bash\n$ panther_analysis_tool test --path tests/fixtures/valid_policies --filter AnalysisType=policy Severity=High\n[INFO]: Testing analysis packs in tests/fixtures/valid_policies\n\nAWS.IAM.BetaTest\n    [PASS] Root MFA not enabled fails compliance\n    [PASS] User MFA not enabled fails compliance\n```\n\nAlternately, the following command will test items with the AnalysisType\n`policy` OR `rule`, AND the severity `High`:\n\n```bash\n$ panther_analysis_tool test --path tests/fixtures/valid_policies --filter AnalysisType=policy,rule Severity=High\n[INFO]: Testing analysis packs in tests/fixtures/valid_policies\n\nAWS.IAM.BetaTest\n    [PASS] Root MFA not enabled fails compliance\n    [PASS] User MFA not enabled fails compliance\n\nAWS.CloudTrail.MFAEnabled\n    [PASS] Root MFA not enabled fails compliance\n    [PASS] User MFA not enabled fails compliance\n```\n\nWhen writing policies or rules that refer to the global analysis types, include\nthem in the filter. An empty string as a filter value means the filter applies\nonly if the field exists. The following command returns an error: the policy\nimports a global, but the global lacks a severity and thus is excluded by the\nfilter.\n\n```bash\n$ panther_analysis_tool test --path tests/fixtures/valid_policies --filter AnalysisType=policy,global Severity=Critical\n[INFO]: Testing analysis packs in tests/fixtures/valid_policies\n\nAWS.IAM.MFAEnabled\n    [ERROR] Error loading module, skipping\n\nInvalid: tests/fixtures/valid_policies/example_policy.yml\n    No module named 'panther'\n\n[ERROR]: [('tests/fixtures/valid_policies/example_policy.yml', ModuleNotFoundError(\"No module named 'panther'\"))]\n```\n\nFor this query to work, allow for the abscence of the severity field:\n\n```bash\n$ panther_analysis_tool test --path tests/fixtures/valid_policies --filter AnalysisType=policy,global Severity=Critical,\"\"\n[INFO]: Testing analysis packs in tests/fixtures/valid_policies\n\nAWS.IAM.MFAEnabled\n    [PASS] Root MFA not enabled fails compliance\n    [PASS] User MFA not enabled fails compliance\n```\n\nFilters work for the `zip` and `upload` commands in the exact same way they work\nfor the `test` command.\n\nIn addition to filtering, setting a minimum number of unit tests is possible\nwith the --minimum-tests flag. Detections lacking the minimum number of tests\nare considered failing. If `--minimum-tests` is set to 2 or greater, the\nrequirement becomes that at least one test must return `True` and another must\nreturn `False`.\n\n```\n$ panther_analysis_tool test --path tests/fixtures/valid_policies --minimum-tests 2\n% panther_analysis_tool test --path okta_rules --minimum-tests 2\n[INFO]: Testing analysis packs in okta_rules\n\nOkta.AdminRoleAssigned\n    [PASS] Admin Access Assigned\n\nOkta.BruteForceLogins\n    [PASS] Failed login\n\nOkta.GeographicallyImprobableAccess\n    [PASS] Non Login\n    [PASS] Failed Login\n\n--------------------------\nPanther CLI Test Summary\n    Path: okta_rules\n    Passed: 0\n    Failed: 3\n    Invalid: 0\n\n--------------------------\nFailed Tests Summary\n    Okta.AdminRoleAssigned\n         ['Insufficient test coverage, 2 tests required but only 1 found.', 'Insufficient test coverage: expected at least one passing and one failing test.']\n\n    Okta.BruteForceLogins\n        ['Insufficient test coverage, 2 tests required but only 1 found.', 'Insufficient test coverage: expected at least one passing and one failing test]\n\n    Okta.GeographicallyImprobableAccess\n        ['Insufficient test coverage: expected at least one passing and one failing test.']\n```\n\nIn this case, even though the rules passed all their tests, they are still\nconsidered failing because they do not have the correct test coverage.\n\n### Delete Rules, Policies, or Saved Queries\n\n```bash\n$ panther_analysis_tool delete\n\nusage: panther_analysis_tool delete [-h] [--no-confirm] [--athena-datalake] [--api-token API_TOKEN] [--api-host API_HOST] [--aws-profile AWS_PROFILE] [--analysis-id ANALYSIS_ID [ANALYSIS_ID ...]]\n                                    [--query-id QUERY_ID [QUERY_ID ...]]\n\nDelete policies, rules, or saved queries from a Panther deployment\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --no-confirm          Skip manual confirmation of deletion (default: False)\n  --athena-datalake     Instance DataLake is backed by Athena (default: False)\n  --api-token API_TOKEN\n                        The Panther API token to use. See: https://docs.panther.com/api-beta (default: None)\n  --api-host API_HOST   The Panther API host to use. See: https://docs.panther.com/api-beta (default: None)\n  --aws-profile AWS_PROFILE\n                        The AWS profile to use when updating the AWS Panther deployment. (default: None)\n  --analysis-id ANALYSIS_ID [ANALYSIS_ID ...]\n                        Space separated list of Detection IDs (default: [])\n  --query-id QUERY_ID [QUERY_ID ...]\n                        Space separated list of Saved Queries (default: [])\n```\n\nPass a space-separated list of Analysis IDs (RuleID or PolicyID) or QueryIDs.\nUse the --no-confirm flag to bypass confirmation prompts. Rules and their\nassociated saved queries will be matched and deleted. The default configuration\ntargets a Snowflake datalake; for an Athena datalake, use the --athena-datalake\nflag.\n\n## Configuration File\n\nPanther Analysis Tool will also read options from a configuration file\n`.panther_settings.yml` in the current working directory. An example\nconfiguration file is included in this repo,\n[example_panther_config.yml](example_panther_config.yml), that contains example\nsyntax for supported options.\n\nOptions in the configuration file take precedence over command-line options. For\ninstance, if minimum_tests: 2 is set in the configuration file and\n--minimum-tests 1 is specified on the command line, the minimum number of tests\nwill be 2.\n\n## Contributing\n\nAll contributions are welcome. Prior to submitting pull requests, consult the\n[contributing guidelines](https://github.com/panther-labs/panther-analysis/blob/master/CONTRIBUTING.md).\nFor steps to open a pull request from a fork, refer to\n[GitHub's guide](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request).\n\n### Local Development\n\nTo develop with the panther_analysis_tool locally, prepare two repositories:\nthis one and another containing the panther analysis content for PAT testing.\n\nFrom your [panther_analysis](https://github.com/panther-labs/panther-analysis)\ncontent repository, install as editable (and test, for example):\n\n```bash\npipenv install --editable ../relative/path/to/panther_analysis_tool\npipenv run panther_analysis_tool test\n```\n\n## License\n\nThis repository is licensed under the AGPL-3.0\n[license](https://github.com/panther-labs/panther-analysis/blob/master/LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanther-labs%2Fpanther_analysis_tool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpanther-labs%2Fpanther_analysis_tool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpanther-labs%2Fpanther_analysis_tool/lists"}