feat: add ASH, Bandit and CDK Nag (#530)
### Feature or Bugfix
- Feature

### Detail
Add ASH, Bandit and CDK Nag security checks.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

---------

Co-authored-by: dlpzx <[email protected]>
jaidisido and dlpzx authored Sep 13, 2023
1 parent d7bbffd commit 13c1baf
Showing 7 changed files with 125 additions and 11 deletions.
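--- a/.github/workflows/ash.yml
+++ b/.github/workflows/ash.yml
@@ -0,0 +1,30 @@
+name: ASH
+
+on:
+workflow_dispatch:
+
+permissions:
+contents: read
+
+jobs:
+ash:
+runs-on: ubuntu-latest
+strategy:
+matrix:
+python-version: [3.8]
+steps:
+- uses: actions/checkout@v3
+- name: Set up Python ${{ matrix.python-version }}
+uses: actions/setup-python@v4
+with:
+python-version: ${{ matrix.python-version }}
+- name: Install
+run: git clone https://github.com/aws-samples/automated-security-helper.git /tmp/ash
+- name: ASH
+run: /tmp/ash/ash --source-dir .
+- name: Upload Artifact
+if: always()
+uses: actions/upload-artifact@v3
+with:
+name: ash-report
+path: aggregated_results.txt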
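Review bot: The Install step clones the default branch of automated-security-helper with no tag or commit pinned, so the scanner code that runs in CI changes whenever upstream pushes and a given run cannot be reproduced later; pin it, e.g. `run: git clone --depth 1 --branch <ASH_TAG_PLACEHOLDER> https://github.com/aws-samples/automated-security-helper.git /tmp/ash`. The upload step assumes the report lands at `aggregated_results.txt` in the workspace; if ASH writes it somewhere else the artifact step still succeeds with an empty upload, so add `if-no-files-found: error` under `with:` to make that visible. The workflow has only a `workflow_dispatch` trigger, so unlike bandit.yml it never runs on push or pull_request; if that is intentional, a one-line comment in the file saying so would save the next reader from wondering.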
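--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -0,0 +1,32 @@
+name: Bandit
+
+on:
+workflow_dispatch:
+push:
+branches:
+- main
+pull_request:
+branches:
+- main
+
+permissions:
+contents: read
+
+jobs:
+bandit:
+strategy:
+matrix:
+python-version: [3.8]
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+- name: Set up Python ${{ matrix.python-version }}
+uses: actions/setup-python@v4
+with:
+python-version: ${{ matrix.python-version }}
+- name: Install
+run: |
+python -m pip install --upgrade pip
+python -m pip install bandit
+- name: Bandit
+run: bandit -r -lll -ii .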
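Review bot: The Install step picks up whatever `pip install bandit` resolves to at run time, so a new upstream release can add or retune tests and flip this gate red or green with no change to the repository; pin it, `python -m pip install "bandit==<PINNED_VERSION_PLACEHOLDER>"`, and bump it deliberately. It is also worth recording in the file that `-lll -ii` limits the report to high-severity findings of medium or higher confidence, so medium- and low-severity results are never surfaced by this job; a comment such as `# -lll: HIGH severity only, -ii: MEDIUM+ confidence` above the run line makes the intended coverage explicit for whoever later wonders why a finding did not appear.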
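--- a/.github/workflows/cdk-nag.yml
+++ b/.github/workflows/cdk-nag.yml
@@ -0,0 +1,52 @@
+name: CDK Nag
+
+on:
+workflow_dispatch:
+push:
+paths:
+- "deploy/**"
+branches:
+- main
+pull_request:
+paths:
+- "deploy/**"
+branches:
+- main
+
+permissions:
+id-token: write
+contents: read
+
+jobs:
+cdk-nag:
+strategy:
+matrix:
+python-version: [3.8]
+env:
+AWS_DEFAULT_REGION: us-east-1
+runs-on: ubuntu-latest
+steps:
+- name: Git clone
+uses: actions/checkout@v3
+- name: configure aws credentials
+uses: aws-actions/configure-aws-credentials@v2
+with:
+role-to-assume: arn:aws:iam::020286015001:role/aws-dataall-github-actions
+role-session-name: dataall-gh-act
+aws-region: ${{ env.AWS_DEFAULT_REGION }}
+- name: Set up Node.js
+uses: actions/setup-node@v3
+- name: Install CDK
+run: |
+npm install -g aws-cdk cdk-nag
+cdk --version
+- name: Set up Python ${{ matrix.python-version }}
+uses: actions/setup-python@v4
+with:
+python-version: ${{ matrix.python-version }}
+- name: Upgrade Pip
+run: python -m pip install --upgrade pip
+- name: Install Requirements
+run: python -m pip install -r deploy/requirements.txt
+- name: CDK Synth
+run: npx cdk synth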
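Review bot: The job obtains AWS credentials through OIDC (`id-token: write` plus the `configure aws credentials` step with `role-to-assume`) before it runs repository-controlled code — `pip install -r deploy/requirements.txt` and `npx cdk synth` execute whatever the checked-out revision contains — and the `pull_request` trigger means a proposed change to `deploy/**` runs with those credentials in its environment. Whether that is acceptable depends on the role's trust policy and permissions, which are not visible here; the defensive shape is to keep the role's policy to the minimum `cdk synth` needs, restrict its trust policy to this repository and branch, and gate the job behind a GitHub `environment:` with required reviewers so the token is only minted after a human has looked at the change. For pull requests from forks the token is not granted at all, so this job would presumably fail rather than run there; if that is the intended behaviour a comment saying so would help. Separately, the workflow installs `cdk-nag` but only runs `cdk synth`; the checks fire only if the CDK app registers the nag Aspects, which is outside this diff and worth confirming.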
6 changes: 3 additions & 3 deletions backend/dataall/base/cdkproxy/cdk_cli_wrapper.py
Expand Up @@ -46,7 +46,7 @@ def aws_configure(profile_name='default'):
print('..............................................')
print(f"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: {os.getenv('AWS_CONTAINER_CREDENTIALS_RELATIVE_URI')}")
cmd = ['curl', '169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
process = subprocess.run(' '.join(cmd), text=True, shell=True, encoding='utf-8', capture_output=True) # nosemgrep
process = subprocess.run(' '.join(cmd), text=True, shell=True, encoding='utf-8', capture_output=True) # nosec # nosemgrep
creds = None
if process.returncode == 0:
creds = ast.literal_eval(process.stdout)
Expand Down Expand Up @@ -163,7 +163,7 @@ def deploy_cdk_stack(engine: Engine, stackid: str, app_path: str = None, path: s
process = subprocess.run( # nosemgrep
' '.join(cmd), # nosemgrep
text=True, # nosemgrep
shell=True, # nosemgrep
shell=True, # nosec # nosemgrep
encoding='utf-8', # nosemgrep
env=env, # nosemgrep
cwd=cwd, # nosemgrep
Expand Down Expand Up @@ -214,7 +214,7 @@ def cdk_installed():
subprocess.run( # nosemgrep
cmd, # nosemgrep
text=True, # nosemgrep
shell=True, # nosemgrep
shell=True, # nosec # nosemgrep
encoding='utf-8', # nosemgrep
stdout=subprocess.PIPE, # nosemgrep
stderr=subprocess.PIPE, # nosemgrep
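Review bot: The bare `# nosec` added on the `subprocess.run` line of aws_configure suppresses every Bandit test for that line, not only B602 (subprocess call with shell=True); scoping it as `# nosec B602 # nosemgrep` keeps the other checks active on the line. The same unscoped marker is added on the `shell=True,` lines of deploy_cdk_stack and cdk_installed below, on the four hunks of the next file section, the two of the one after, and on try_bundle in deploy/stacks/solution_bundling.py. In aws_configure the shell is only needed to expand `$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` inside the curl argument, and the print on the line above already reads that variable with `os.getenv`, so the call can drop `shell=True` and the suppression entirely: `cmd = ['curl', '169.254.170.2' + os.getenv('AWS_CONTAINER_CREDENTIALS_RELATIVE_URI', '')]` followed by `process = subprocess.run(cmd, text=True, encoding='utf-8', capture_output=True)`. Whether Bandit honours a marker placed on a continuation line of a multi-line call, as in the other two hunks, varies by Bandit version, and bandit.yml does not pin one, so it is worth checking the workflow is actually clean. All three functions begin or end outside their hunks.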
Expand Up @@ -75,7 +75,7 @@ def __init__(self, target_uri):
process = subprocess.run( # nosemgrep
"; ".join(update_cmds), # nosemgrep
text=True, # nosemgrep
shell=True, # nosemgrep
shell=True, # nosec # nosemgrep
encoding='utf-8', # nosemgrep
cwd=self.code_dir_path, # nosemgrep
env=self.env # nosemgrep
Expand All @@ -102,7 +102,7 @@ def initialize_repo(self):
process = subprocess.run( # nosemgrep
'; '.join(cmd_init), # nosemgrep
text=True, # nosemgrep
shell=True, # nosemgrep
shell=True, # nosec # nosemgrep
encoding='utf-8', # nosemgrep
cwd=self.code_dir_path, # nosemgrep
env=self.env # nosemgrep
Expand Down Expand Up @@ -204,7 +204,7 @@ def git_push_repo(self):
process = subprocess.run( # nosemgrep
'; '.join(git_cmds), # nosemgrep
text=True, # nosemgrep
shell=True, # nosemgrep
shell=True, # nosec # nosemgrep
encoding='utf-8', # nosemgrep
cwd=os.path.join(self.code_dir_path, self.pipeline.repo), # nosemgrep
env=self.env # nosemgrep
Expand All @@ -228,7 +228,7 @@ def clean_up_repo(path):
process = subprocess.run( # nosemgrep
' '.join(precmd), # nosemgrep
text=True, # nosemgrep
shell=True, # nosemgrep
shell=True, # nosec # nosemgrep
encoding='utf-8', # nosemgrep
capture_output=True, # nosemgrep
cwd=cwd # nosemgrep
Expand Up @@ -189,7 +189,7 @@ def __init__(self, scope, id, target_uri: str = None, **kwargs):
process = subprocess.run( # nosemgrep
"; ".join(update_cmds), # nosemgrep
text=True, # nosemgrep
shell=True, # nosemgrep
shell=True, # nosec # nosemgrep
encoding='utf-8', # nosemgrep
cwd=code_dir_path, # nosemgrep
env=env_vars # nosemgrep
Expand Down Expand Up @@ -524,7 +524,7 @@ def initialize_repo(pipeline, code_dir_path, env_vars):
process = subprocess.run( # nosemgrep
'; '.join(cmd_init), # nosemgrep
text=True, # nosemgrep
shell=True, # nosemgrep
shell=True, # nosec # nosemgrep
encoding='utf-8', # nosemgrep
cwd=code_dir_path, # nosemgrep
env=env_vars # nosemgrep
4 changes: 2 additions & 2 deletions deploy/stacks/solution_bundling.py
Expand Up @@ -20,12 +20,12 @@ def try_bundle(self, output_dir: str, options: BundlingOptions) -> bool:
subprocess.check_output( # nosemgrep
command, # nosemgrep
stderr=subprocess.STDOUT, # nosemgrep
shell=True, # nosemgrep
shell=True, # nosec # nosemgrep
)

ls_output = subprocess.check_output( # nosemgrep
[f'ls -ll {output_dir}'], # nosemgrep
stderr=subprocess.STDOUT, # nosemgrep
shell=True, # nosemgrep
shell=True, # nosec # nosemgrep
)
return True
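Review bot: The second `check_output` call in try_bundle interpolates `output_dir` into a shell command (`[f'ls -ll {output_dir}']` with `shell=True`), and the added `# nosec` now hides that from Bandit instead of removing it; passing the arguments as a list avoids the shell and the suppression together: `ls_output = subprocess.check_output(['ls', '-ll', output_dir], stderr=subprocess.STDOUT)`. Within the hunk `ls_output` is assigned but never read before `return True`, so it may be a debugging leftover that can go entirely. The first call still runs `command` through the shell; its provenance is outside the hunk, so if the shell is genuinely required there, scoping the marker as `# nosec B602 # nosemgrep` keeps the rest of Bandit's checks active on that line. try_bundle begins outside the hunk.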
