aws · mergify · May 1, 2025 · Apr 15, 2025 · Apr 15, 2025 · Apr 16, 2025
diff --git a/.github/workflows/security-guardian.yml b/.github/workflows/security-guardian.yml
@@ -9,59 +9,25 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # Fetches full history
+          fetch-depth: 0  # Required to enable full git diff
 
-      - name: Get list of changed .template.json files
-        id: filter_files
-        run: |
-          echo "Getting changed CloudFormation templates..."
-          mkdir -p changed_templates
-
-          git fetch origin main --depth=1
-
-          base_sha="${{ github.event.pull_request.base.sha }}"
-          head_sha="${{ github.event.pull_request.head.sha }}"
-          if [[ -z "$base_sha" ]]; then base_sha=$(git merge-base origin/main HEAD); fi
-          if [[ -z "$head_sha" ]]; then head_sha=HEAD; fi
-
-          git diff --name-status "$base_sha" "$head_sha" \
-            | grep -E '^(A|M)\s+.*\.template\.json$' \
-            | awk '{print $2}' > changed_files.txt || true
-
-          while IFS= read -r file; do
-            if [ -f "$file" ]; then
-              safe_name=$(echo "$file" | sed 's|/|_|g')
-              cp "$file" "changed_templates/$safe_name"
-            else
-              echo "::warning::Changed file not found in workspace: $file"
-            fi
-          done < changed_files.txt
-
-          if [ -s changed_files.txt ]; then
-            echo "files_changed=true" >> $GITHUB_OUTPUT
-          else
-            echo "files_changed=false" >> $GITHUB_OUTPUT
-          fi
-
       - name: Install cfn-guard
-        if: steps.filter_files.outputs.files_changed == 'true'
         run: |
           mkdir -p $HOME/.local/bin
           curl -L -o cfn-guard.tar.gz https://github.com/aws-cloudformation/cloudformation-guard/releases/latest/download/cfn-guard-v3-x86_64-ubuntu-latest.tar.gz
           tar -xzf cfn-guard.tar.gz
           mv cfn-guard-v3-*/cfn-guard $HOME/.local/bin/cfn-guard
           chmod +x $HOME/.local/bin/cfn-guard
           echo "$HOME/.local/bin" >> $GITHUB_PATH
-  
+
       - name: Install & Build security-guardian
-        if: steps.filter_files.outputs.files_changed == 'true'
         run: yarn install --frozen-lockfile && cd tools/@aws-cdk/security-guardian && yarn build
 
-      - name: Run cfn-guard if templates changed
-        if: steps.filter_files.outputs.files_changed == 'true'
+      - name: Run Security Guardian
         uses: ./tools/@aws-cdk/security-guardian
         with:
-          data_directory: './changed_templates'
-          rule_set_path: './tools/@aws-cdk/security-guardian/rules/trust_scope_rules.guard'
+          base_sha: ${{ github.event.pull_request.base.sha }}
+          head_sha: ${{ github.event.pull_request.head.sha }}
+          rule_set_path: './tools/@aws-cdk/security-guardian/rules'
           show_summary: 'fail'
-          output_format: 'single-line-summary'
+          output_format: 'json'
diff --git a/tools/@aws-cdk/security-guardian/README.md b/tools/@aws-cdk/security-guardian/README.md
@@ -1,41 +1,41 @@
 # Security Guardian
 
-A GitHub Action tool designed to 
- - detect broadly scoped inline policies in `*.template.json` files in incoming PRs and validate changed AWS CloudFormation templates against custom [cfn-guard](https://github.com/aws-cloudformation/cloudformation-guard) rules. Supports local paths for custom rule sets.
- - [in future] detect broadly scoped CFN intrinsic statements
+A GitHub Action and CLI tool that helps detect broadly scoped IAM principals in CloudFormation templates by:
+
+- Validating **changed** `*.template.json` files in pull requests using custom [cfn-guard v3](https://github.com/aws-cloudformation/cloudformation-guard) rules.
+- Detecting **broadly scoped IAM principals** using CloudFormation **intrinsic functions** (e.g., `Fn::Join` with `:root`).
 
 ---
 
 ## Features
 
-- Validates only changed `*.template.json` files in PRs
-- Supports `cfn-guard v3`
-- Accepts rules from a local file or remote URL
-- Outputs validation results in summary format
+ Validates **only changed** templates in a PR  
+ Supports **cfn-guard v3** with rule sets  
+ Scans for **broad IAM principals using intrinsics**  
+ Runs locally and in GitHub Actions  
+ Outputs human-readable and machine-parsable summaries
 
 ---
 
-## Inputs
-
-| Name             | Description                                                       | Required | Default               |
-|------------------|-------------------------------------------------------------------|----------|-----------------------|
-| `data_directory` | Directory containing templates to validate                        | Yes      |                       |
-| `rule_file_path` | Local path to the rules file                                      | Yes      |                       |
-| `show_summary`   | Whether to show summary output (`fail`, `warn`, `none`)           | No       | `fail`                |
-| `output_format`  | Output format (`single-line-summary`, `json`, etc.)               | No       | `single-line-summary` |
+## Inputs (GitHub Action)
 
-> `data_directory` and `rule_file_path` must be set.
+| Name             | Description                                          | Required | Default               |
+|------------------|------------------------------------------------------|----------|-----------------------|
+| `rule_set_path`  | Local path to the cfn-guard rules file               | No       | `./rules`             |
+| `show_summary`   | Show summary (`none`, `all`, `pass`, `fail`, `skip`) | No       | `fail`                |
+| `output_format`  | Output format (`single-line-summary`, `json`, etc.)  | No       | `single-line-summary` |
+| `base_sha`       | Commit SHA to compare against                        | No       | `origin/main`         |
+| `head_sha`       | The commit SHA for the head (current) branch or PR   | No       | `HEAD`                |
 
 ---
 
-## Usage
+## Usage (GitHub Action)
 
 ```yaml
-- name: Run CFN Guard
+- name: Run Security Guardian
   uses: ./tools/@aws-cdk/security-guardian
   with:
-    data_directory: './changed_templates'
-    rule_set_path: './tools/@aws-cdk/security-guardian/rules/trust_scope_rules.guard'
+    rule_set_path: './tools/@aws-cdk/security-guardian/rules'
     show_summary: 'fail'
     output_format: 'single-line-summary'
 ```
@@ -44,28 +44,52 @@ A GitHub Action tool designed to
 
 ## Local Development
 
-### 1. Build
+### 1. Install Dependencies
 ```bash
-npm install
-npm run build
+cd tools/@aws-cdk/security-guardian && yarn install
 ```
 
 ### 2. Run Locally
+The tool automatically detects changed templates and validates them.
+
 ```bash
-node dist/index.js \
-  --data_directory=./changed_templates \
-  --rule_file_path=./rules.guard \
-  --output_format=single-line-summary \
-  --show_summary=fail
+yarn security-guardian
 ```
 
+> You can override defaults using:
+> - `--base_sha=origin/main`  
+> - `--output_format=json`  
+> - `--show_summary=warn`
+
 ---
 
-## Acknowledgments
+## Output
+
+In addition to validation results from `cfn-guard`, the tool logs detailed findings from the intrinsic scan (if applicable), such as:
 
-Built on top of [cfn-guard](https://github.com/aws-cloudformation/cloudformation-guard) and [GitHub Actions Toolkit](https://github.com/actions/toolkit).
+```
+detailed_output File: changed_templates/example.template.json
+{
+  "Action": "kms:*",
+  "Effect": "Allow",
+  "Principal": {
+    "AWS": {
+      "Fn::Join": [
+        "",
+        ["arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root"]
+      ]
+    }
+  },
+  "Resource": "*"
+}
+```
 
 ---
 
-Happy Guarding! 
+## Acknowledgments
+
+Built with care on top of [cfn-guard](https://github.com/aws-cloudformation/cloudformation-guard) and the [GitHub Actions Toolkit](https://github.com/actions/toolkit).
+
+---
 
+Happy Guarding!