Commit 8d566fc
feat: add security scanners workflow (awslabs#161)
* feat: auto-label PRs using actions/labeler
Adds an auto-label job to the Pull Request Validation workflow using
actions/labeler v6.0.1. Labels are applied based on changed file paths
and removed when those files are no longer changed (sync-labels: true).
Works for fork PRs via pull_request_target — no checkout of fork code,
the action only reads file paths from the API.
Initial label rules:
- codebuild: aidlc-rules/**
- documentation: **/*.md, docs/**
- workflows: .github/**
* refactor: rename label to 'rules', refine labeler config
- Rename 'codebuild' label to 'rules' in codebuild.yml (conditions,
reminder text, and marker)
- Rename 'workflows' label to 'github' matching .github/**
- Scope 'documentation' label to *.md files NOT under aidlc-rules/
using all-globs-to-any-file with negation
* fix: add issues:write permission for auto-label job
Allows actions/labeler to create labels that don't yet exist in the
repository, preventing failures on first use of a new label rule.
* docs: update administrative guide for auto-labeling and rules label
- Rename all 'codebuild' label references to 'rules' (preserving
CodeBuild service/environment references)
- Add auto-label job to Pipeline 3 diagram and workflow reference
- Document label rules table (rules, documentation, github)
- Add actions/labeler to external actions table
- Add auto-label job to permissions table
- Add labeler.yml to repository tree diagram
* feat: add security scanners workflow
Adds five security scanning jobs as a new workflow:
- gitleaks: secret detection across full git history
- semgrep: SAST with SARIF output and GitHub compatibility fixes
- grype: dependency vulnerability scanning
- checkov: IaC scanning (GitHub Actions workflows, configs)
- clamav: malware scanning via service container
All jobs run on push to main, PRs to main, daily schedule, and
manual dispatch. SARIF results are uploaded as artifacts and to
GitHub Code Scanning (when available). Follows the deny-all
permissions pattern with per-job grants.
* feat: add bandit job for Python SAST scanning
Scans Python code under scripts/aidlc-evaluator/ for security issues.
Uses bandit v1.9.3 with SARIF output, matching the pattern from
awslabs/agent-plugins.
* feat: add security scanner configuration and baseline files
- .gitleaks.toml: extends default rules, allowlists lock files
- .gitleaks-baseline.json: baselines 12 known findings (all fake
credentials in test_credential_scrubber.py test fixtures)
- .semgrepignore: skips lock files, test fixtures, build artifacts
- .checkov.yaml: scopes to github_actions + dockerfile frameworks,
skips CKV_GHA_7 (conflicts with inline buildspec pattern)
- .bandit: targets scripts/aidlc-evaluator, excludes tests,
medium+ confidence only
- .grype.yaml: fail-on-severity high, with placeholder ignore list
* chore: add gitleaks baseline to semgrepignore and expand comments
Add .gitleaks-baseline.json to .semgrepignore and expand all ignore
comments with specific reasoning for why each entry is excluded from
Semgrep scanning.
* fix: raise bandit confidence to high, add suppression docs, fix clamav deferred failure
- Raise bandit confidence-level from medium to high to reduce noise
- Add inline suppression documentation to .grype.yaml and .checkov.yaml
- Fix clamav job to use deferred-failure pattern (always upload artifact
before failing) consistent with all other scanner jobs
* docs: add security scanner remediation guide to DEVELOPERS_GUIDE
Document each scanner's failure thresholds, how to review findings,
and how to remediate or suppress them (inline comments, config-level
ignores, baselines). Includes summary tables for quick reference.
* docs: add security scanners to ADMINISTRATIVE_GUIDE
Add security-scanners.yml workflow reference, Pipeline 3 architecture
diagram, updated permissions model and security posture tables, and
Security Finding Requirements section requiring all HIGH and CRITICAL
findings to be remediated or have documented risk acceptance.
* fix: apply deny-all permissions to release workflows
Move release.yml, release-pr.yml, and tag-on-merge.yml to the same
deny-all-then-grant pattern used by all other workflows. All 16
permission scopes are now set to none at the workflow level with only
the required scopes granted at the job level.
* chore: update security scanner tools and actions to latest versions
Scanner tools:
- Gitleaks 8.30.0 → 8.30.1
- Semgrep 1.151.0 → 1.157.0
- Grype 0.104.3 → 0.110.0
- Bandit 1.9.3 → 1.9.4
- Checkov 3.2.500 → 3.2.513
- ClamAV image digest updated to latest stable
GitHub Actions:
- github/codeql-action v4.32.2 → v4.35.1
Remove specific version numbers from ADMINISTRATIVE_GUIDE docs (they
go stale), note that versions are pinned and should be updated
periodically, and add TODO for update procedure documentation.
* fix: move exit code interpolation from run: blocks to env: variables
Replace six instances of ${{ steps.*.outputs.exit_code }} in run:
blocks with step-level env: variables, eliminating all expression
interpolation in run: blocks. This restores the "zero ${{ }}
interpolation in run: blocks" invariant documented in the Security
Posture table.
* fix: include event_name in concurrency group to protect scheduled scans
Add github.event_name to the concurrency group key so that scheduled
runs (group: ...-schedule-refs/heads/main) and push runs (group:
...-push-refs/heads/main) use separate groups. This prevents a push
to main from silently cancelling the daily scheduled scan.
* docs: merge duplicate deny-all-then-grant paragraphs in admin guide
Remove the contradictory paragraph that listed only three workflows
and merge its "strictest possible configuration" clause into the
correct paragraph that covers all six workflows.
* fix: use .bandit configuration
Co-authored-by: Copilot <[email protected]>
* fix(doc): Update how bandit looks for files
Co-authored-by: Copilot <[email protected]>
* fix: add issues write to create labels as necessary
Co-authored-by: Copilot <[email protected]>
* fix: remove security event write to clamav
Co-authored-by: Copilot <[email protected]>
* fix: load grype configurations
Co-authored-by: Copilot <[email protected]>
* fix: convert .bandit config from INI to YAML format
Bandit 1.9.4 expects YAML config but .bandit used legacy INI format,
causing a parse error (exit code 2) that failed the CI job. Convert to
valid YAML and add -ll flag for high-confidence filtering.
* fix: report all bandit findings in SARIF, fail only on HIGH severity
- Remove -ll severity filter so LOW/MEDIUM/HIGH all appear in SARIF
- Check SARIF for HIGH severity (level=error) to decide pass/fail
- Move scan targets into .bandit config so new Python directories
can be added without editing the workflow
* fix: semgrep reports all findings, fails only on ERROR severity
Match the bandit pattern: report all severity levels in SARIF for
GitHub Code Scanning visibility, but only fail the build when
ERROR-level findings exist.
* fix: checkov reports all findings, fails only on ERROR severity
Match the bandit/semgrep pattern: report all severity levels in SARIF
for GitHub Code Scanning visibility, but only fail the build when
ERROR-level findings exist.
* fix: remove duplicate semgrep step id
* fix: restore -r flag for bandit targets
The YAML config does not support a "targets" key — that was
INI-format only. Without -r on the CLI, bandit gets no scan
targets and produces an empty SARIF file.
---------
Co-authored-by: Scott Schreckengaust <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Sam Castro Oropeza <[email protected]>1 parent b56dfdc commit 8d566fc
12 files changed
Lines changed: 1076 additions & 17 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
22 | 22 | | |
23 | 23 | | |
24 | 24 | | |
25 | | - | |
26 | | - | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
27 | 40 | | |
28 | 41 | | |
29 | 42 | | |
30 | 43 | | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
31 | 48 | | |
32 | 49 | | |
33 | 50 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
24 | 24 | | |
25 | 25 | | |
26 | 26 | | |
27 | | - | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
28 | 42 | | |
29 | 43 | | |
30 | 44 | | |
31 | 45 | | |
| 46 | + | |
| 47 | + | |
32 | 48 | | |
33 | 49 | | |
34 | 50 | | |
| |||
0 commit comments