chore: refactored security guardian tool and security-guardian action. Enables local run. #34158

Status: Open. Wants to merge 7 commits into base branch `main`.
46 changes: 6 additions & 40 deletions .github/workflows/security-guardian.yml
@@ -1,6 +1,6 @@
name: Security Guardian
on:
pull_request_target: {}
pull_request: {}

jobs:
run-security-guardian:
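Review bot: Switching the trigger from `pull_request_target` to `pull_request` (the `on:` block at the top of the hunk) is the right call for this workflow, and it is worth saying why in the PR description: under `pull_request_target` the job runs with the base repository's permissions and secrets, while the later steps check out and then build and execute code from the PR head (`uses: ./tools/@aws-cdk/security-guardian` is resolved from the checked-out tree), so an untrusted fork PR would have been able to run arbitrary code with those permissions. With `pull_request`, fork PRs get a read-only token, so please confirm the refactored action does not need write access (for example to post check annotations), or it will silently fail on external contributions. Also note that for `pull_request` the default checkout is the merge commit rather than `github.event.pull_request.head.sha`; the diff inputs passed further down should be interpreted with that in mind.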
Expand All @@ -9,59 +9,25 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetches full history
fetch-depth: 0 # Required to enable full git diff

- name: Get list of changed .template.json files
id: filter_files
run: |
echo "Getting changed CloudFormation templates..."
mkdir -p changed_templates

git fetch origin main --depth=1

base_sha="${{ github.event.pull_request.base.sha }}"
head_sha="${{ github.event.pull_request.head.sha }}"
if [[ -z "$base_sha" ]]; then base_sha=$(git merge-base origin/main HEAD); fi
if [[ -z "$head_sha" ]]; then head_sha=HEAD; fi

git diff --name-status "$base_sha" "$head_sha" \
| grep -E '^(A|M)\s+.*\.template\.json$' \
| awk '{print $2}' > changed_files.txt || true

while IFS= read -r file; do
if [ -f "$file" ]; then
safe_name=$(echo "$file" | sed 's|/|_|g')
cp "$file" "changed_templates/$safe_name"
else
echo "::warning::Changed file not found in workspace: $file"
fi
done < changed_files.txt

if [ -s changed_files.txt ]; then
echo "files_changed=true" >> $GITHUB_OUTPUT
else
echo "files_changed=false" >> $GITHUB_OUTPUT
fi

- name: Install cfn-guard
if: steps.filter_files.outputs.files_changed == 'true'
run: |
mkdir -p $HOME/.local/bin
curl -L -o cfn-guard.tar.gz https://github.com/aws-cloudformation/cloudformation-guard/releases/latest/download/cfn-guard-v3-x86_64-ubuntu-latest.tar.gz
tar -xzf cfn-guard.tar.gz
mv cfn-guard-v3-*/cfn-guard $HOME/.local/bin/cfn-guard
chmod +x $HOME/.local/bin/cfn-guard
echo "$HOME/.local/bin" >> $GITHUB_PATH

- name: Install & Build security-guardian
if: steps.filter_files.outputs.files_changed == 'true'
run: yarn install --frozen-lockfile && cd tools/@aws-cdk/security-guardian && yarn build

- name: Run cfn-guard if templates changed
if: steps.filter_files.outputs.files_changed == 'true'
- name: Run Security Guardian
uses: ./tools/@aws-cdk/security-guardian
with:
data_directory: './changed_templates'
base_sha: ${{ github.event.pull_request.base.sha }}
head_sha: ${{ github.event.pull_request.head.sha }}
rule_set_path: './tools/@aws-cdk/security-guardian/rules/trust_scope_rules.guard'
show_summary: 'fail'
output_format: 'single-line-summary'
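Review bot: Three pieces of behaviour that lived in the removed shell step are no longer visible in the workflow and need to be accounted for in the action itself. First, the removed step fell back to `git merge-base origin/main HEAD` and `HEAD` when `base_sha`/`head_sha` were empty; the new `base_sha: ${{ github.event.pull_request.base.sha }}` / `head_sha: ${{ github.event.pull_request.head.sha }}` inputs are passed straight through with no fallback, so if the action is ever run on a non-`pull_request` event (or locally, which this PR says it enables) both inputs will be empty unless the action reproduces that fallback. Second, every downstream step was gated on `steps.filter_files.outputs.files_changed == 'true'`; that gate is gone, so the action must handle "no changed `*.template.json` files" as a clean pass rather than an error. Third, the `Install cfn-guard` step that fetched `releases/latest/download/cfn-guard-v3-x86_64-ubuntu-latest.tar.gz` has been removed; if that install now happens inside the action, please pin a specific cfn-guard release (and ideally verify its checksum) instead of `latest`, since a security check that pulls an unpinned binary at run time is itself a supply-chain risk. Keeping `fetch-depth: 0` is correct, as the `git diff --name-status` between two arbitrary SHAs needs the full history.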