Feat/output variables

[rafaelpereyra]

Issue #, if available:
NA
Description of changes:

• Created output variable for PetsiteURL
• Added restriction for AZ based on agent core availability

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[bonclay7]

Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.

You must specify a valid value for Runtime (python3.13). Valid values are ["dotnet6", "dotnet8", "dotnetcore1.0", "dotnetcore2.0", "dotnetcore2.1", "dotnetcore3.1", "go1.x", "java11", "java17", "java21", "java8", "java8.al2", "nodejs", "nodejs10.x", "nodejs12.x", "nodejs14.x", "nodejs16.x", "nodejs18.x", "nodejs20.x", "nodejs4.3", "nodejs4.3-edge", "nodejs6.10", "nodejs8.10", "provided", "provided.al2", "provided.al2023", "python2.7", "python3.10", "python3.11", "python3.12", "python3.6", "python3.7", "python3.8", "python3.9", "ruby2.5", "ruby2.7", "ruby3.2", "ruby3.3"]

[github-actions]

ASH Security Scan Report

• Report generated: 2025-10-13T22:30:52+00:00
• Time since scan: 1 minute

Scan Metadata

• Project: ASH
• Scan executed: 2025-10-13T22:29:38+00:00
• ASH version: 3.1.2

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

• Severity levels:
  • Suppressed (S): Findings that have been explicitly suppressed and don't affect scanner status
  • Critical (C): Highest severity findings that require immediate attention
  • High (H): Serious findings that should be addressed soon
  • Medium (M): Moderate risk findings
  • Low (L): Lower risk findings
  • Info (I): Informational findings with minimal risk
• Duration (Time): Time taken by the scanner to complete its execution
• Actionable: Number of findings at or above the threshold severity level that require attention
• Result:
  • PASSED = No findings at or above threshold
  • FAILED = Findings at or above threshold
  • MISSING = Required dependencies not available
  • SKIPPED = Scanner explicitly disabled
  • ERROR = Scanner execution error
• Threshold: The minimum severity level that will cause a scanner to fail
  • Thresholds: ALL, LOW, MEDIUM, HIGH, CRITICAL
  • Source: Values in parentheses indicate where the threshold is set:
    • global (global_settings section in the ASH_CONFIG used)
    • config (scanner config section in the ASH_CONFIG used)
    • scanner (default configuration in the plugin, if explicitly set)
• Statistics calculation:
  • All statistics are calculated from the final aggregated SARIF report
  • Suppressed findings are counted separately and do not contribute to actionable findings
  • Scanner status is determined by comparing actionable findings to the threshold

Scanner	Suppressed	Critical	High	Medium	Low	Info	Actionable	Result	Threshold
bandit	0	1	0	0	21	0	1	FAILED	MEDIUM (global)
cdk-nag	0	0	0	0	0	0	0	SKIPPED	MEDIUM (global)
cfn-nag	0	0	0	0	0	0	0	MISSING	MEDIUM (global)
checkov	19	14	0	0	0	0	14	SKIPPED	MEDIUM (global)
detect-secrets	0	0	0	0	0	0	0	SKIPPED	MEDIUM (global)
grype	0	0	0	3	1	0	3	FAILED	MEDIUM (global)
npm-audit	0	0	0	0	0	0	0	PASSED	MEDIUM (global)
opengrep	0	0	0	0	0	0	0	MISSING	MEDIUM (global)
semgrep	0	32	0	0	0	0	32	FAILED	MEDIUM (global)
syft	0	0	0	0	0	0	0	PASSED	MEDIUM (global)
trivy-repo	0	0	0	0	0	0	0	MISSING	MEDIUM (global)

Top 10 Hotspots

Files with the highest number of security findings:

Finding Count	File Location
7	src/applications/microservices/petsearch-java/docker-compose.yml
6	src/applications/lambda/petfood-cleanup-processor-node/index.js
4	src/applications/microservices/payforadoption-go/benchmark/Dockerfile
4	src/applications/lambda/traffic-generator-node/index.js
4	src/applications/microservices/petlistadoptions-py/docker-compose.yml
3	src/applications/microservices/payforadoption-go/Dockerfile
3	src/applications/microservices/petsite-net/petsite/Dockerfile
2	src/applications/microservices/petsearch-java/Dockerfile
2	src/applications/microservices/petlistadoptions-py/Dockerfile
2	src/cdk/lib/microservices/manifests/petsite-deployment.yaml

Detailed Findings

Show 20 of 50 actionable findings

Finding 1: B104

• Severity: HIGH
• Scanner: bandit
• Rule ID: B104
• Location: src/applications/microservices/petlistadoptions-py/app.py:678-680

Description:
Possible binding to all interfaces.

Code Snippet:

# Use localhost for production security, 0.0.0.0 only for containerized environments
    host = os.environ.get("HOST", "0.0.0.0")
    uvicorn.run(app, host=host, port=port)

---

Finding 2: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: src/applications/microservices/petfood-rs/Dockerfile:1-25

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

# Build stage
FROM public.ecr.aws/docker/library/rust:bookworm AS builder
COPY . .
RUN cargo build --release

# Runtime stage
FROM public.ecr.aws/docker/library/debian:bookworm-slim

# Install runtime dependencies and CA certificates
RUN apt-get update && apt-get install -y \
    ca-certificates \
    openssl \
    curl \
    && rm -rf /var/lib/apt/lists/* \
    && update-ca-certificates

COPY --from=builder /target/release/petfood-rs /app/petfood-rs

# Create a non-root user for security
RUN useradd -r -s /bin/false petfood && \
    chown petfood:petfood /app/petfood-rs

USER petfood
EXPOSE 8080
CMD ["/app/petfood-rs"]

---

Finding 3: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: src/applications/microservices/payforadoption-go/Dockerfile:1-14

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/golang:1.23 as builder
WORKDIR /go/src/app
COPY . .
ENV GOPROXY=https://goproxy.io,direct
RUN go get .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

FROM public.ecr.aws/docker/library/alpine:3.22.1
WORKDIR /app
RUN apk --no-cache add ca-certificates
COPY --from=builder /go/src/app/app .
COPY --from=builder /go/src/app/seed.json .
EXPOSE 80
CMD ["./app"]

---

Finding 4: CKV_DOCKER_3

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_3
• Location: src/applications/microservices/payforadoption-go/Dockerfile:1-14

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/golang:1.23 as builder
WORKDIR /go/src/app
COPY . .
ENV GOPROXY=https://goproxy.io,direct
RUN go get .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

FROM public.ecr.aws/docker/library/alpine:3.22.1
WORKDIR /app
RUN apk --no-cache add ca-certificates
COPY --from=builder /go/src/app/app .
COPY --from=builder /go/src/app/seed.json .
EXPOSE 80
CMD ["./app"]

---

Finding 5: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: src/applications/microservices/petsite-net/petsite/Dockerfile:1-22

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY *.csproj .
RUN dotnet restore "PetSite.csproj" --no-cache
COPY . .
RUN dotnet publish "PetSite.csproj" -c Release -o /app/publish

FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS final
WORKDIR /app
EXPOSE 80
ENV ASPNETCORE_HTTP_PORTS=80
# Install AWS CLI and curl for troubleshooting
RUN apt-get update && apt-get install -y curl unzip && \
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws && \
    apt-get remove -y unzip && \
    apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/*
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "PetSite.dll"]

---

Finding 6: CKV_DOCKER_3

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_3
• Location: src/applications/microservices/petsite-net/petsite/Dockerfile:1-22

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY *.csproj .
RUN dotnet restore "PetSite.csproj" --no-cache
COPY . .
RUN dotnet publish "PetSite.csproj" -c Release -o /app/publish

FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS final
WORKDIR /app
EXPOSE 80
ENV ASPNETCORE_HTTP_PORTS=80
# Install AWS CLI and curl for troubleshooting
RUN apt-get update && apt-get install -y curl unzip && \
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
    unzip awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws && \
    apt-get remove -y unzip && \
    apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/*
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "PetSite.dll"]

---

Finding 7: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: src/applications/microservices/petfoodagent-strands-py/Dockerfile:1-40

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
WORKDIR /app

# Configure UV for container environment
ENV UV_SYSTEM_PYTHON=1 UV_COMPILE_BYTECODE=1



COPY requirements.txt requirements.txt
# Install from requirements file
RUN uv pip install -r requirements.txt




RUN uv pip install aws-opentelemetry-distro>=0.10.1


# Set AWS region environment variable

ENV AWS_REGION=us-east-1
ENV AWS_DEFAULT_REGION=us-east-1


# Signal that this is running in Docker for host binding logic
ENV DOCKER_CONTAINER=1

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 8080
EXPOSE 8000

# Copy entire project (respecting .dockerignore)
COPY . .

# Use the full module path

CMD ["opentelemetry-instrument", "python", "-m", "agent"]

---

Finding 8: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: src/applications/microservices/petsearch-java/Dockerfile:1-17

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM --platform=$BUILDPLATFORM public.ecr.aws/docker/library/gradle:7.3-jdk17 as build

WORKDIR /app
COPY ./build.gradle ./build.gradle
COPY ./src ./src
COPY ./settings.gradle ./settings.gradle

ENV GRADLE_OPTS "-Dorg.gradle.daemon=false"
RUN gradle build -DexcludeTags='integration' --no-daemon --stacktrace

FROM public.ecr.aws/amazoncorretto/amazoncorretto:17-al2-generic-jdk
WORKDIR /app

ARG JAR_FILE=build/libs/\*.jar
COPY --from=build /app/${JAR_FILE} ./app.jar

ENTRYPOINT ["java","-jar","/app/app.jar"]

---

Finding 9: CKV_DOCKER_3

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_3
• Location: src/applications/microservices/petsearch-java/Dockerfile:1-17

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM --platform=$BUILDPLATFORM public.ecr.aws/docker/library/gradle:7.3-jdk17 as build

WORKDIR /app
COPY ./build.gradle ./build.gradle
COPY ./src ./src
COPY ./settings.gradle ./settings.gradle

ENV GRADLE_OPTS "-Dorg.gradle.daemon=false"
RUN gradle build -DexcludeTags='integration' --no-daemon --stacktrace

FROM public.ecr.aws/amazoncorretto/amazoncorretto:17-al2-generic-jdk
WORKDIR /app

ARG JAR_FILE=build/libs/\*.jar
COPY --from=build /app/${JAR_FILE} ./app.jar

ENTRYPOINT ["java","-jar","/app/app.jar"]

---

Finding 10: CKV_DOCKER_7

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_7
• Location: src/applications/microservices/payforadoption-go/benchmark/Dockerfile:1

Description:
Ensure the base image uses a non latest version tag

Code Snippet:

FROM public.ecr.aws/docker/library/rust:latest:latest as builder

---

Finding 11: CKV_DOCKER_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_2
• Location: src/applications/microservices/payforadoption-go/benchmark/Dockerfile:1-6

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/rust:latest:latest as builder
WORKDIR /app
RUN
COPY . .
RUN cargo install drill
CMD ["./benchmark.sh"]

---

Finding 12: CKV_DOCKER_3

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_3
• Location: src/applications/microservices/payforadoption-go/benchmark/Dockerfile:1-6

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/rust:latest:latest as builder
WORKDIR /app
RUN
COPY . .
RUN cargo install drill
CMD ["./benchmark.sh"]

---

Finding 13: CKV_DOCKER_3

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_DOCKER_3
• Location: src/applications/microservices/petlistadoptions-py/Dockerfile:1-49

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.11-slim as builder

WORKDIR /app

# Install system dependencies
RUN apt-get update && apt-get install -y \
    gcc \
    libpq-dev \
    && rm -rf /var/lib/apt/lists/*

# Copy requirements and install Python dependencies
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy application code
COPY . .

# Production stage
FROM public.ecr.aws/docker/library/python:3.11-slim

WORKDIR /app

# Install runtime dependencies
RUN apt-get update && apt-get install -y \
    libpq5 \
    curl \
    && rm -rf /var/lib/apt/lists/*

# Copy Python packages from builder
COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin

# Copy application code
COPY --from=builder /app .

# Make start script executable
RUN chmod +x start.sh

# Create non-root user for future use (but run as root for port 80 access)
RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app

# Add health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -f http://localhost:80/health/status || exit 1

EXPOSE 80

# Use startup script (running as root for port 80 access)
CMD ["./start.sh"]

---

Finding 14: CKV2_GHA_1

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV2_GHA_1
• Location: .github/workflows/tests.yml:1

Description:
Ensure top-level permissions are not set to write-all

---

Finding 15: CKV2_GHA_1

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV2_GHA_1
• Location: .github/workflows/pre-commit.yml:1

Description:
Ensure top-level permissions are not set to write-all

---

Finding 16: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

• Severity: HIGH
• Scanner: semgrep
• Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
• Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:61

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.error(`Failed to delete S3 object s3://${bucket}/${key}:`, error.message);

---

Finding 17: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

• Severity: HIGH
• Scanner: semgrep
• Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
• Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:82

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.error(`Failed to delete DynamoDB record for food ${foodId}:`, error.message);

---

Finding 18: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

• Severity: HIGH
• Scanner: semgrep
• Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
• Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:108

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.log(`Attempt ${attempt} failed, retrying in ${delay}ms:`, error.message);

---

Finding 19: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

• Severity: HIGH
• Scanner: semgrep
• Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
• Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:133

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.log(`Processing cleanup event for food ${eventData.foodId}`, {

---

Finding 20: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

• Severity: HIGH
• Scanner: semgrep
• Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
• Location: src/applications/lambda/petfood-cleanup-processor-node/index.js:182

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

`Cleanup processing completed successfully for food ${eventData.foodId}`,

Note: Showing 20 of 50 total actionable findings. Configure max_detailed_findings to adjust this limit.

---

Report generated by Automated Security Helper (ASH) at 2025-10-13T22:30:52+00:00