Multi-Rule OR Logic Support in Mutelist

[MrCloudSec]

Feature search

• I have searched the existing issues and this feature has not been requested yet or is already in our Public Roadmap

Which component would this feature affect?

Prowler CLI/SDK

Related to specific cloud provider?

All providers

New feature motivation

The current Mutelist implementation only supports AND logic across conditions (Regions AND Tags AND Resources). This prevents users from expressing complex muting scenarios that require OR logic between different rule sets.

Real-world example:
A user needs to:

1. Mute ALL findings in all AWS regions EXCEPT us-east-1 and sa-east-1
2. In us-east-1 and sa-east-1, mute ONLY resources tagged with environment=dev OR environment=stg

Current limitation:
The schema allows only one rule object per check. You cannot have:

Accounts:
  "*":
    Checks:
      "*":  # Rule 1: Mute non-critical regions
        Regions: ["eu-west-1", ...]
        Resources: ["*"]
      "*":  # Rule 2: Mute dev/stg in critical regions - INVALID (duplicate key)
        Regions: ["us-east-1", "sa-east-1"]
        Tags: ["environment=dev|environment=stg"]

The AND-only evaluation logic (mutelist.py:290-296) prevents cross-condition OR scenarios.

Solution Proposed

Add support for multi-rule arrays with an explicit OR operator:

Mutelist:
  Accounts:
    "*":
      Checks:
        "*":
          Rules:  # Array of rule objects
            - Regions: ["af-south-1", "ap-east-1", ...]  # All non-critical regions
              Resources: ["*"]
              Description: "Mute all findings outside critical regions"

            - Regions: ["us-east-1", "sa-east-1"]
              Resources: ["*"]
              Tags: ["environment=dev|environment=stg"]
              Description: "Mute dev/stg in critical regions"

          Operator: "OR"  # Evaluate rules with OR logic

Evaluation logic:

• If Operator: "OR" → Any matching rule mutes the finding
• If Operator: "AND" → All rules must match (default for backward compatibility)
• If Rules is not present → Fall back to current single-rule behavior

Key implementation changes:

1. Update JSON schema in prowler/lib/mutelist/mutelist.py:11-83 with oneOf to support both formats
2. Modify is_muted_in_check() to iterate through Rules array when present
3. Add _evaluate_rule() helper method for individual rule evaluation
4. Update documentation in docs/user-guide/cli/tutorials/mutelist.mdx

Backward compatibility:

• Existing single-rule mutelists continue to work unchanged
• No breaking changes or migrations required

Use case and benefits

This would benefit:

1. Enterprise security teams managing multi-region deployments with different compliance requirements per region
2. Organizations with environment-specific exclusions (dev/staging muted in some regions, prod never muted)
3. Multi-tenant environments needing complex conditional muting based on tags AND regions
4. Compliance teams implementing region-specific security frameworks (e.g., FedRAMP only in US regions)

Example scenarios enabled:

• Mute all Lambda findings in non-production regions, but only mute dev/test Lambdas in production regions
• Mute ECS findings globally except in critical regions where only non-prod workloads are muted
• Apply different muting rules for different AWS accounts within the same scan

Describe alternatives you've considered

Alternative 1: Run multiple scans with different mutelists

• ❌ Requires separate scan executions
• ❌ Manual output merging in reporting pipeline
• ❌ Increased execution time and complexity

Alternative 2: Enumerate all regions explicitly

• ❌ Only solves "mute all except X" scenarios
• ❌ Still cannot express conditional muting within specific regions
• ❌ Requires maintaining long region lists that break when AWS adds new regions

Alternative 3: Multiple mutelist file support

• ✅ Simpler to implement (--mutelist-file with action="append")
• ✅ Organizational flexibility
• ⚠️ No explicit OR operator in schema
• ⚠️ Less intuitive than single-file multi-rule format

Recommendation: Implement multi-rule array (this proposal) in Phase 1, optionally add multiple file support in Phase 2.

Additional context

Related bug discovered:
The DynamoDB mutelist loader (aws/mutelist.py:114-132) overwrites items instead of merging them, which should be fixed as part of this enhancement.

Documentation inconsistency:
The docs state "tags are ORed" but implementation uses AND logic for multiple tag items. OR only works via regex alternation ("env=dev|env=stg") within a single tag string.

Test coverage needed:

• Multi-rule OR logic scenarios
• Multi-rule AND logic scenarios
• Backward compatibility with old format
• Empty Rules array edge cases
• DynamoDB merge behavior after bug fix

[dlouzan]

@jfagoagas @MrCloudSec Since I was notified based on the other issue being closed, if I may add a comment I haven't seen mentioned in the description here: the anchoring of regexes is not obvious, and ideally it's either made clearer, or options are provided in the new syntax to choose different matching strategies.

See the example provided in #5229 (comment) for iam_user_administrator_access_policy.

Thanks!