Skip to content

chore: refactored security guardian tool and security-guardian action. Enables local run. #34158

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

chore: refactored security guardian tool and security-guardian action. Enables local run. #34158

wants to merge 7 commits into from
+517 −97

Conversation

QuantumNeuralCoder
Copy link
Contributor

Issue # (if applicable)

None
Closes #.
NA

Reason for this change

With this change, developers can locally run security guardian against committed files to detect changed .template.json and run the 2 part scanner

  1. cfn-guard to detect inline
  2. custom scanner to detect intrinsics

Please note that this will detect templates where the developer has explicitly provided broadened scope permissions like
new AccountPrincipal();
We will use this as an opportunity to review if that is really needed or can be scoped down.

> cd tools/@aws-cdk/security-guardian
>yarn security-guardian

Description of changes

Describe any new or updated permissions being added

Description of how you validated changes

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team April 16, 2025 00:57
@github-actions github-actions bot added the p2 label Apr 16, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Apr 16, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Apr 16, 2025
@moelasmar
Copy link
Contributor

can you also update the contributing readme to include the instructions to run this tool

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: f5129c1
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moelasmar moelasmar moelasmar left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
contribution/core This is a PR that came from AWS. p2 pr/needs-maintainer-review This PR needs a review from a Core Team Member
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@QuantumNeuralCoder @moelasmar @aws-cdk-automation