Skyscanner · jsoucheiron · Apr 29, 2025 · Feb 26, 2025 · Mar 3, 2025 · Mar 3, 2025
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,78 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: "00 7 * * 1" # “At 07:00 on Monday.”
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ python ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
+          token: ${{ steps.app-token.outputs.token }}
+          upload: never
+
+      # Workaround for parallel GitHub bugs
+      # * Can't use GHA token with IP allowlisting
+      #   https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization#using-github-actions-with-an-ip-allow-list
+      # * Can't use codeql-action/analyze with custom token
+      #   https://support.github.com/ticket/enterprise/3427/3214517
+      - name: Prepare for CodeQL Upload
+        run: |
+          echo '{"commit_sha": "${{ github.sha }}", "ref": "${{ github.ref }}"}' > ./codeql-upload.json
+
+      - name: Gzip CodeQL SARIF Result
+        run: |
+          gzip -c ../results/${{ matrix.language }}.sarif | base64 -w0 > codeql-results.sarif.gz.base64
+
+      - name: Staple SARIF result to CodeQL upload
+        run: |
+          jq --rawfile sarif codeql-results.sarif.gz.base64 '.sarif = $sarif' codeql-upload.json > codeql-upload-with-sarif.json
+
+      - name: Upload CodeQL Results
+        run: |
+          curl --fail-with-body \
+            -X POST \
+            -H "Authorization: token ${{ steps.app-token.outputs.token }}" \
+            -H "Accept: application/vnd.github.v3+json" \
+            --data "@codeql-upload-with-sarif.json" \
+            https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.17.1]
+### Updates
+- Solve low-severity warnings for better readability
+
 ## [1.17.0]
 ### Additions
 - Add support for python 3.13

diff --git a/cfripper/model/utils.py b/cfripper/model/utils.py
@@ -101,24 +101,28 @@ def get_aws_service_from_arn(arn: str) -> Optional[str]:
     match = REGEX_ARN.match(arn)
     if match:
         return match.group(1)
+    return None
 
 
 def get_account_id_from_arn(arn: str) -> Optional[str]:
     match = REGEX_ARN.match(arn)
     if match:
         return match.group(3)
+    return None
 
 
 def get_account_id_from_iam_arn(arn: str) -> Optional[str]:
     match = REGEX_IAM_ARN.match(arn)
     if match:
         return match.group(1)
+    return None
 
 
 def get_account_id_from_sts_arn(arn: str) -> Optional[str]:
     match = REGEX_STS_ARN.match(arn)
     if match:
         return match.group(1)
+    return None
 
 
 def get_account_id_from_principal(principal: str) -> Optional[str]:

diff --git a/tests/config/test_config.py b/tests/config/test_config.py
@@ -42,7 +42,8 @@ def test_init_with_existent_params():
 def test_load_rules_config_file_success(test_files_location):
     mock_rules = ["RuleThatUsesResourceAllowlist", "SecurityGroupOpenToWorldRule"]
     config = Config(stack_name="test_stack", rules=mock_rules)
-    config.load_rules_config_file(open(f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py"))
+    with open(f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py") as f:
+        config.load_rules_config_file(f)
     config.add_filters_from_dir(f"{test_files_location}/filters")
     rule_config = config.get_rule_config("CrossAccountTrustRule")
     filters = config.get_rule_filters("CrossAccountTrustRule")
@@ -56,15 +57,17 @@ def test_load_rules_config_file_no_file(test_files_location):
     config = Config(stack_name="test_stack", rules=mock_rules)
 
     with pytest.raises(FileNotFoundError):
-        config.load_rules_config_file(open(f"{test_files_location}/config/non_existing_file.py"))
+        with open(f"{test_files_location}/config/non_existing_file.py") as f:
+            config.load_rules_config_file(f)
 
 
 def test_load_rules_config_file_invalid_file(test_files_location):
     mock_rules = ["RuleThatUsesResourceAllowlist", "SecurityGroupOpenToWorldRule"]
     config = Config(stack_name="test_stack", rules=mock_rules)
 
     with pytest.raises(ValidationError):
-        config.load_rules_config_file(open(f"{test_files_location}/config/rules_config_invalid.py"))
+        with open(f"{test_files_location}/config/rules_config_invalid.py") as f:
+            config.load_rules_config_file(f)
 
 
 def test_load_filters_work_with_several_rules(template_two_roles_dict, test_files_location):
@@ -73,7 +76,8 @@ def test_load_filters_work_with_several_rules(template_two_roles_dict, test_file
         aws_account_id="123456789",
         stack_name="mockstack",
     )
-    config.load_rules_config_file(open(f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py"))
+    with open(f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py") as f:
+        config.load_rules_config_file(f)
     config.add_filters_from_dir(f"{test_files_location}/filters")
     rules = [DEFAULT_RULES.get(rule)(config) for rule in config.rules]
     processor = RuleProcessor(*rules)

diff --git a/tests/rules/test_CrossAccountTrustRule.py b/tests/rules/test_CrossAccountTrustRule.py
@@ -158,7 +158,8 @@ def test_filter_works_as_expected_with_rules_config_file(
         aws_account_id="123456789",
         stack_name="mockstack",
     )
-    config.load_rules_config_file(open(f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py"))
+    with open(f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py") as f:
+        config.load_rules_config_file(f)
     config.add_filters_from_dir(f"{test_files_location}/filters")
     rules = [DEFAULT_RULES.get(rule)(config) for rule in config.rules]
     processor = RuleProcessor(*rules)