From 768e0c086017a9053aff7d61d4243daf2b487b4d Mon Sep 17 00:00:00 2001 From: Martin Schaef Date: Fri, 17 Nov 2023 15:23:13 -0500 Subject: [PATCH 1/3] Adding CodeGuru Github Action --- .../index.py | 2 +- .../index.py | 2 +- .../index.py | 2 +- .../index.py | 2 +- .../index.py | 2 +- .../index.py | 2 +- .../index.py | 2 +- .../index.py | 2 +- .../index.py | 2 +- .../index.py | 2 +- .../index.py | 2 +- .../lib/aws-s3-deployment/bucket-deployment-handler/index.py | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/ec2/integ.environment-file.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/ec2/integ.environment-file.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py index f7427567ce864..4015927d9c843 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/ec2/integ.environment-file.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs/test/ec2/integ.environment-file.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py @@ -108,7 +108,7 @@ def cfn_error(message=None): physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) else: if not physical_id: - cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type}) return # delete or create/update (only if "retain_on_delete" is false) 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-cloudfront.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-cloudfront.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py index f7427567ce864..4015927d9c843 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-cloudfront.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-cloudfront.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py @@ -108,7 +108,7 @@ def cfn_error(message=None): physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) else: if not physical_id: - cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type}) return # delete or create/update (only if "retain_on_delete" is false) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-data.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-data.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py index 95c458826a0b0..3bd28a62627a4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-data.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-data.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py @@ -108,7 +108,7 @@ def cfn_error(message=None): physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) else: if not physical_id: - cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type}) return # delete or create/update (only if "retain_on_delete" is false) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-deployed-bucket.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-deployed-bucket.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py index f7427567ce864..4015927d9c843 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-deployed-bucket.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-deployed-bucket.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py @@ -108,7 +108,7 @@ def cfn_error(message=None): physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) else: if not physical_id: - cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type}) return # delete or create/update (only if "retain_on_delete" is false) 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-signcontent.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-signcontent.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py index f7427567ce864..4015927d9c843 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-signcontent.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-signcontent.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py @@ -108,7 +108,7 @@ def cfn_error(message=None): physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) else: if not physical_id: - cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type}) return # delete or create/update (only if "retain_on_delete" is false) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-substitution-with-role.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-substitution-with-role.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py index 95c458826a0b0..3bd28a62627a4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-substitution-with-role.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-substitution-with-role.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py @@ -108,7 +108,7 @@ def cfn_error(message=None): physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) else: if not physical_id: - cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type}) return # delete or create/update (only if "retain_on_delete" is false) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-substitution.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-substitution.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py index 95c458826a0b0..3bd28a62627a4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-substitution.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-substitution.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py @@ -108,7 +108,7 @@ def cfn_error(message=None): physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) else: if not physical_id: - cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type}) return # delete or create/update (only if "retain_on_delete" is false) 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py index f7427567ce864..4015927d9c843 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment.js.snapshot/asset.0b1f5aa55d045066ed91316b823a808060c12737e0575ab7cefe2335324108b0/index.py @@ -108,7 +108,7 @@ def cfn_error(message=None): physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) else: if not physical_id: - cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type}) return # delete or create/update (only if "retain_on_delete" is false) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-servicecatalog/test/integ.nested-stack-in-product-stack.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-servicecatalog/test/integ.nested-stack-in-product-stack.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py index 95c458826a0b0..3bd28a62627a4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-servicecatalog/test/integ.nested-stack-in-product-stack.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-servicecatalog/test/integ.nested-stack-in-product-stack.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py @@ -108,7 +108,7 @@ def cfn_error(message=None): physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) else: if not physical_id: - cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type}) return # delete or create/update (only if "retain_on_delete" is false) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-servicecatalog/test/integ.product.encrypted.asset.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py b/packages/@aws-cdk-testing/framework-integ/test/aws-servicecatalog/test/integ.product.encrypted.asset.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py index 95c458826a0b0..3bd28a62627a4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-servicecatalog/test/integ.product.encrypted.asset.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-servicecatalog/test/integ.product.encrypted.asset.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py @@ -108,7 +108,7 @@ def cfn_error(message=None): physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) else: if not physical_id: - cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type}) return # delete or create/update (only if "retain_on_delete" is false) 
diff --git a/packages/@aws-cdk/aws-appconfig-alpha/test/integ.configuration.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py b/packages/@aws-cdk/aws-appconfig-alpha/test/integ.configuration.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py index 95c458826a0b0..3bd28a62627a4 100644 --- a/packages/@aws-cdk/aws-appconfig-alpha/test/integ.configuration.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py +++ b/packages/@aws-cdk/aws-appconfig-alpha/test/integ.configuration.js.snapshot/asset.9eb41a5505d37607ac419321497a4f8c21cf0ee1f9b4a6b29aa04301aea5c7fd/index.py @@ -108,7 +108,7 @@ def cfn_error(message=None): physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) else: if not physical_id: - cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type}) return # delete or create/update (only if "retain_on_delete" is false) diff --git a/packages/@aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py b/packages/@aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py index f7427567ce864..4015927d9c843 100644 --- a/packages/@aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py +++ b/packages/@aws-cdk/custom-resource-handlers/lib/aws-s3-deployment/bucket-deployment-handler/index.py @@ -108,7 +108,7 @@ def cfn_error(message=None): physical_id = "aws.cdk.s3deployment.%s" % str(uuid4()) else: if not physical_id: - cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % request_type) + cfn_error("invalid request: request type is '%s' but 'PhysicalResourceId' is not defined" % {request_type}) return # delete or create/update (only if "retain_on_delete" is false) 
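Review bot: The `+` line in the bucket-deployment-handler hunk changes `% request_type` to `% {request_type}`, which wraps the argument in a set literal, so the `%s` placeholder now renders as `{'Delete'}` (braces and quotes included) instead of `Delete`; this looks like a half-applied f-string conversion rather than an intended change. Either keep the original `% request_type` or convert the whole literal: `cfn_error(f"invalid request: request type is '{request_type}' but 'PhysicalResourceId' is not defined")`. The same edit is mirrored into the eleven snapshot copies under `asset.<hash>/index.py` directories, whose names appear to be content hashes of the asset, so hand-editing those files presumably leaves the snapshots out of sync with what the integ tests would regenerate — they should be left untouched or regenerated from the fixed handler. The enclosing function starts before this hunk.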
From b8cbdbf57608549f9cbc248a547a9a9887c707d0 Mon Sep 17 00:00:00 2001 From: Martin Schaef Date: Fri, 17 Nov 2023 15:24:29 -0500 Subject: [PATCH 2/3] adding action file --- .github/workflows/codeguru.yml | 46 ++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 .github/workflows/codeguru.yml diff --git a/.github/workflows/codeguru.yml b/.github/workflows/codeguru.yml new file mode 100644 index 0000000000000..5534d0d842f83 --- /dev/null +++ b/.github/workflows/codeguru.yml @@ -0,0 +1,46 @@ +name: CodeGuru Security Example +on: + push: + branches: + - 'main' + +permissions: + id-token: write + # for writing security events. + security-events: write + # only required for workflows in private repositories + actions: read + contents: read + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout Respository + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Configure aws credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + role-to-assume: arn:aws:iam::048169001733:role/GuruGitHubCICDRole + aws-region: us-east-1 + role-session-name: GitHubActionScript + + - name: CodeGuru Security + uses: aws-actions/codeguru-security@v1 + with: + source_path: . + aws_region: us-east-1 + fail_on_severity: Critical + - name: Print findings + run: | + ls -l + cat codeguru-security-results.sarif.json + + - name: Upload result + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: codeguru-security-results.sarif.json + From 726f977305c2627876b96e743f151662ffc22b45 Mon Sep 17 00:00:00 2001 From: Martin Schaef Date: Fri, 17 Nov 2023 15:51:13 -0500 Subject: [PATCH 3/3] fixing action name --- .github/workflows/codeguru.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeguru.yml b/.github/workflows/codeguru.yml index 5534d0d842f83..ecaff91bb2c66 100644 --- a/.github/workflows/codeguru.yml +++ b/.github/workflows/codeguru.yml 
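Review bot: Every `uses:` line in the new workflow references a mutable tag (`actions/checkout@v3`, `aws-actions/configure-aws-credentials@v2`, `aws-actions/codeguru-security@v1`, `github/codeql-action/upload-sarif@v2`) while the job holds `id-token: write` and assumes `arn:aws:iam::048169001733:role/GuruGitHubCICDRole`, so a retagged or compromised action release would execute with live AWS credentials in this job. Pin each of the four actions to a full commit SHA with the version kept as a trailing comment, in the form `uses: actions/checkout@<full-commit-sha> # v3`, and let a dependency bot bump the pins. Consider also moving the `permissions:` block under `jobs.build` so the `id-token: write` grant is scoped to the one job that needs it, and dropping the `cat codeguru-security-results.sarif.json` step, which on a public repository copies every finding into the public job log that the SARIF upload already routes to the Security tab. The trust policy of the assumed role is outside this diff; it should restrict the OIDC `sub` claim to this repository and the `main` branch, since anything able to run this workflow can otherwise assume the role.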
@@ -1,4 +1,4 @@ -name: CodeGuru Security Example +name: CodeGuru Security on: push: branches: