chore: refactored security guardian tool and security-guardian action. Enables local run. #34158
Conversation
aws-cdk-automation
added
the
pr/needs-maintainer-review
.../changed_templates/tools_@aws-cdk_security-guardian_test_templates_CMCMK-Stack.template.json
Outdated
Show resolved
Hide resolved
|
can you also update the contributing readme to include the instructions to run this tool |
There was a problem hiding this comment.
Thanks @QuantumNeuralCoder for implementing this tool. Left some comments for your consideration.
| await exec.exec('cfn-guard', [ | ||
| 'validate', |
There was a problem hiding this comment.
nit: may be good to check if the cfn-guard is installed before this execution. Given the tool can be executed locally it might be good to throw an error if it is not installed.
There was a problem hiding this comment.
Solution is to add something like
execSync('cfn-guard --version', { stdio: 'ignore' });
and then log it. Dont know if that would make much of a difference for local run.
In the Github action, its installed and built as 2 steps prior to running this tool
There was a problem hiding this comment.
When we want to run locally, does yarn install will automatically install the cfn-guard or we should manually install similar to these steps in the Github action. If we need to install manually, would be good to update the readme for the cfn-guard installation in the local developement section.
| let matches: Array<{ filePath: string, statements: any[] }> = []; | ||
| let totalFiles = 0; | ||
|
|
||
| function isRootPrincipal(statement: any): boolean { |
There was a problem hiding this comment.
I think it would be good to define as an interface for IAMStatement and use it here instead of using as any type.
Eg:
interface IAMStatement {
Effect: ...;
Principal?: {
AWS?: ...;
Service?: ...;
};
Action?: ...;
Resource?: ...;
}
There was a problem hiding this comment.
Problem is it will limit the pattern match to statements. Currently its for statements, we want to catch/ highlight if this pattern is used anywhere else (ie future proof). Let me know if you feel strongly about it.
|
|
||
| async function run(): Promise<void> { | ||
| const errors: string[] = []; | ||
| let workingDir: string = './changed_templates'; |
There was a problem hiding this comment.
I understand we are using the workingDir to store all the changed templates and run the cfnguard and intrinsic checks on this directory. However, I have a concern about file traceability. Currently, when files are copied to the working directory (./changed_templates), the mapping to their original paths is lost. This might make it difficult for developers to trace back the issues found by cfn-guard and intrinsic checks to the actual source files. For example, in a PR with multiple changed template files, developers might struggle to identify which specific template in their repository needs fixing.
I'm thinking a file mapping mechanism to maintain the relationship between original file paths and their copies in the working directory might help so the validation result can show the path of the original file path in the output.
Also another approach could be avoiding copying the changed templates to a separate directory and instead process the scan directly from the original file where we could able to track. However, this might not be feasible as cfn-guard's --data option may have limitations with processing multiple template files. I'm not sure about this.
Let me know your thoughts.
There was a problem hiding this comment.
/ are replaced by _. Full path is given in the filename. Makes it an easier read except for large PRs. Currently I am deleting the changed templates. which maybe something we need to look at from local run perspective. let me think.
There was a problem hiding this comment.
Discussed offline. This needs more deep dive and will work on a separate PR. Not a blocker for this PR.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. |
Issue # (if applicable)
None
Closes #.
NA
Reason for this change
With this change, developers can locally run security guardian against committed files to detect changed .template.json and run the 2 part scanner
Please note that this will detect templates where the developer has explicitly provided broadened scope permissions like
new AccountPrincipal();
We will use this as an opportunity to review if that is really needed or can be scoped down.
Description of changes
Describe any new or updated permissions being added
Description of how you validated changes
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license