…y default policy from scans
…nsic scanner code to exempt some services from root principal check
…ner by default till it runs consistently and changing workflow to run on pull_request_target
…summary and output as provided in the tool invocation arguments + Removed s3 bucket versioning requirement + data trace checks only have private key and aws access key id checks
…ons + added tests to cover that logic
…on : Not and contains with tests + made the resolution function modular
…being resolved by the custom resolver + removed malformed template checks as cdk should always produced a valid template + added policy resolution tests
…prehensive tests + Fix Fn::Sub literal escaping and parameter resolution + Add shorthand form support (etc.) + Improve Fn::Select bounds checking + Add comprehensive test coverage for guard rules and intrinsic functions
…results + changes in security guardian workflow to parse the junit files + removed test.sh + fix faulty guard rules + added action to consume and publish junit result
… of scfn guard runs
… fields in a policy are targeted for normalization
…it action report GH action looks for file attribute
…tead of implementing a reversible function => Works for unresolved cfn templates
… filed + added tests to cover this
…pe being processed
… a PR rather than checkout action based merge commit
…ecific object inside Properties and only triggers rule when the change exists + test changes
…ecific object inside Properties and only triggers rule when the change exists + test changes
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
permissions:
  checks: write
  pull-requests: write
  contents: write
Why does it need contents: write permissions?
I think this is something we can remove, will tell this first and see if it's not being used
Removed the permissions as it's not needed.
Thanks, was a good catch
Merge Queue Status: 🚫 The pull request has left the queue (rule: this pull request spent 3 hours 16 minutes 43 seconds in the queue, with no time running CI).
Required conditions to merge
Reason: Pull request #36110 has been dequeued by a
Hint: You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
@Mergifyio dequeue
✅ The pull request has been removed from the queue
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
@Mergifyio requeue
✅ The queue state of this pull request has been cleaned. It can be re-embarked automatically
Merge Queue Status: ✅ The pull request has been merged. This pull request spent 39 minutes 32 seconds in the queue, including 39 minutes 23 seconds running CI.
Required conditions to merge
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Comments on closed issues and PRs are hard for our team to see.
Issue # (if applicable)
N/A - Enhancement and bug fixes for Security Guardian tool.
Reason for this change
Security guardian is first line of defense for scanning policy, roles and permissions vended by CDK for customers. This GH Action is critical to determine if a PR change is providing secure-by-default policies for any changes introduced in CDK.
The Security Guardian tool needed several critical improvements to function properly:
Fn::Sub, Fn::Select, Fn::Contains, etc.
Description of changes
Added template preprocessing pipeline with intrinsic resolution and policy normalization, details can be found below
Major Enhancements:
Fn::Sub with literal escaping, Fn::Select with bounds checking, Fn::Contains, Fn::Split, Fn::Cidr, Fn::Base64, and shorthand forms (!Ref, !GetAtt, etc.)
Fn::ImportValue and cross-template references
mikepenz/action-junit-report for rich PR feedback (suggested by cfn-guard here)
pull_request or pull_request_review
Security Rule Expansion:
Describe any new or updated permissions being added
No new IAM permissions required. All changes are to the static analysis tool and GitHub Actions workflow.
Description of how you validated changes
Unit Testing: via
Fn::ImportValue and cross-template references
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
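As an added illustration of the intrinsic-resolution step the PR description refers to (this is not the Security Guardian's own code), the snippet below resolves Ref, Fn::Sub with `${!Literal}` escaping, Fn::Select with bounds checking, and Fn::Contains over a constructed policy template; the template, parameter values and function names are assumptions.

```python
import re

class IntrinsicError(ValueError):
    """Raised for a malformed intrinsic, e.g. an out-of-range Fn::Select."""

# "${Name}" is a variable; "${!Name}" is CloudFormation's escaped literal.
SUB_VAR = re.compile(r"\$\{(!?)([^}]+)\}")

def resolve(node, params):
    """Recursively resolve Ref, Fn::Sub, Fn::Select and Fn::Contains."""
    if isinstance(node, list):
        return [resolve(n, params) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        key, arg = next(iter(node.items()))
        if key == "Ref":
            return params.get(arg, node)  # unknown refs stay symbolic for rules
        if key == "Fn::Sub":
            template, local = (arg, {}) if isinstance(arg, str) else arg
            local = {k: resolve(v, params) for k, v in local.items()}
            def repl(m):
                if m.group(1) == "!":
                    return "${" + m.group(2) + "}"  # escaped literal, kept as-is
                name = m.group(2)
                if name in local:
                    return str(local[name])
                return str(params[name]) if name in params else m.group(0)
            return SUB_VAR.sub(repl, template)
        if key == "Fn::Select":
            idx, seq = int(resolve(arg[0], params)), resolve(arg[1], params)
            if not isinstance(seq, list) or not 0 <= idx < len(seq):
                raise IntrinsicError(f"Fn::Select index {idx} out of range")
            return seq[idx]
        if key == "Fn::Contains":
            options, value = resolve(arg[0], params), resolve(arg[1], params)
            return value in options
    return {k: resolve(v, params) for k, v in node.items()}

# Constructed sample template and parameter values (not taken from the PR).
TEMPLATE = {"Resources": {"Policy": {"Properties": {"PolicyDocument": {
    "Statement": [{
        "Effect": "Allow",
        "Action": {"Fn::Select": [1, ["s3:GetObject", "s3:PutObject"]]},
        "Resource": {"Fn::Sub": ["arn:aws:s3:::${Bucket}/${!Key}",
                                 {"Bucket": {"Ref": "BucketName"}}]},
    }]}}}}}
PARAMS = {"BucketName": "my-bucket"}

def resolve_template(template=TEMPLATE, params=PARAMS):
    return resolve(template, params)
```

Unresolvable variables (such as pseudo parameters) are left in place so that guard rules can still match them symbolically instead of the scan failing.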