Issue

When attempting to upload rules using the Panther Analysis Tool (PAT) in a CI/CD pipeline, the following error occurs:

Error: {'statusCode': 400, 'headers': {}, 'multiValueHeaders': {}, 'body': '{"issues":[{"path":"vpc_dns_tunneling.yml","errorMessage":"unable to resolve body reference: could not find uploaded item: scheduled_rule_default.py"}]}'}

The referenced files exist in the expected locations and haven't been modified.

Resolution

To resolve this issue and improve the reliability of your rule uploads:

  1. If you are not already performing the uploads using an API token, you might consider switching from using IAM roles to API token usage for authentication with PAT. The latter approach is the preferred authentication method.

  2. Check if you are using the batching mode of PAT (argument --batch in the upload command), which will break the upload into multiple pieces across different batches to reduce the likelihood of connection timeouts during the upload. As a result, it's possible that things that belong together may be spread out across batches, surfacing the above error message during the process.

  3. Ensure you're using the latest version of panther-analysis and the Panther Analysis Tool.

If you continue to experience issues after implementing these changes, please contact Panther support for further assistance.

Cause

This issue occurs due to a combination of factors:

  1. Use of a legacy setup: The error is more likely to occur when using IAM roles for authentication with PAT, which is considered a legacy setup.

  2. Batching mode of Panther Analysis Tool (PAT): When using the argument --batch during an upload, PAT employs a batching mode that breaks the upload into multiple pieces to avoid connection timeouts. This can potentially separate related items across different batches.

By addressing these factors, you can minimize the likelihood of encountering this error in your CI/CD pipeline.