From f36a8ce239aa29c89d85097d610a239351028714 Mon Sep 17 00:00:00 2001 From: Thomas Pierce Date: Mon, 22 Sep 2025 11:08:19 -0700 Subject: [PATCH 1/7] feat: prevent versioned 3P GitHub actions in PR builds Add validation step to require commit SHAs instead of version tags for third-party GitHub actions in workflow files. --- .github/workflows/pr-build.yml | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index 70302e309..bbff21e63 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml @@ -16,7 +16,7 @@ permissions: contents: read jobs: - changelog-check: + static-code-checks: runs-on: ubuntu-latest steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0 @@ -24,6 +24,7 @@ jobs: fetch-depth: 0 - name: Check CHANGELOG + continue-on-error: true run: | # Check if PR is from workflows bot or dependabot if [[ "${{ github.event.pull_request.user.login }}" == "aws-application-signals-bot" ]]; then 
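Review bot: Renaming the job from `changelog-check` to `static-code-checks` changes the status-check context name that GitHub reports, so if branch protection lists `changelog-check` as a required check it will keep waiting for a context that no longer reports; the protection rule (or ruleset) should be updated in the same change. The rename itself is reasonable now that the job hosts more than one check. The job's step list continues outside the hunk.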
@@ -52,6 +53,28 @@ jobs: echo "It looks like you didn't add an entry to CHANGELOG.md. If this change affects the SDK behavior, please update CHANGELOG.md and link this PR in your entry. If this PR does not need a CHANGELOG entry, you can add the 'Skip Changelog' label to this PR." exit 1 + - name: Check for versioned GitHub actions + continue-on-error: true + run: | + # Get changed GitHub workflow/action files + CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true) + + if [ -n "$CHANGED_FILES" ]; then + # Check for any versioned actions + VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES || true) + if [ -n "$VIOLATIONS" ]; then + echo "Found versioned GitHub actions. Use commit SHAs instead:" + echo "$VIOLATIONS" + exit 1 + fi + fi + + echo "No versioned actions found in changed files" + + - name: Fail if any of the above checks failed + if: failure() + run: exit 1 + build: runs-on: ubuntu-latest strategy: From ea120dd9d789173eaf8b4a7fe286931987a20dfc Mon Sep 17 00:00:00 2001 From: Thomas Pierce Date: Mon, 22 Sep 2025 11:12:47 -0700 Subject: [PATCH 2/7] Fix no runs --- .github/workflows/pr-build.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index bbff21e63..2b8ad9f17 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml @@ -24,7 +24,7 @@ jobs: fetch-depth: 0 - name: Check CHANGELOG - continue-on-error: true + if: always() run: | # Check if PR is from workflows bot or dependabot if [[ "${{ github.event.pull_request.user.login }}" == "aws-application-signals-bot" ]]; then @@ -54,7 +54,7 @@ jobs: exit 1 - name: Check for versioned GitHub actions - continue-on-error: true + if: always() run: | # Get changed GitHub workflow/action files CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true) 
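Review bot: The pattern `grep -Hn "uses:.*@v"` only catches refs that begin with `v`, so `@master`, `@main`, a bare `@2` (the form the later test commit uses for aws-secretsmanager-get-secrets) and branch refs all pass, and the `@master` Trivy pin fixed in the last patch of this series would not have been flagged. Inverting the test is more robust: list every `uses:` ref and reject anything that is not a 40-hex commit SHA, e.g. `grep -HnE '^\s*-?\s*uses:' $CHANGED_FILES | sed 's/#.*$//' | grep -vE '(@[0-9a-f]{40}|uses:\s*(\./|docker://)\S*)\s*$'`, which keeps local `./` actions and `docker://` refs out of the violations. Separately, `origin/${{ github.base_ref }}..HEAD` uses two dots, so files touched on the base branch after the PR branched are scanned as well; the three-dot form `origin/${{ github.base_ref }}...HEAD` limits the diff to the PR's own commits. The step is entirely inside the hunk; the job definition begins outside it.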
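Review bot: `if: always()` on the versioned-actions step (and on the Check CHANGELOG step in the preceding hunk of this patch) also runs the step when the job has been cancelled; the usual idiom for "run even if an earlier step failed" is `if: ${{ !cancelled() }}`. The intent of letting both checks report independently is preserved either way, since the job still fails when either step fails and the separate fail step is no longer needed. Both steps' `run:` bodies continue outside the hunk.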
@@ -71,10 +71,6 @@ jobs: echo "No versioned actions found in changed files" - - name: Fail if any of the above checks failed - if: failure() - run: exit 1 - build: runs-on: ubuntu-latest strategy: From 6dc578f54b9f74a91c4761c19ce255a9d4c72748 Mon Sep 17 00:00:00 2001 From: Thomas Pierce Date: Mon, 22 Sep 2025 11:16:24 -0700 Subject: [PATCH 3/7] Fix comments/greps --- .github/workflows/pr-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index 2b8ad9f17..bc2d37b7d 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml @@ -60,8 +60,8 @@ jobs: CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true) if [ -n "$CHANGED_FILES" ]; then - # Check for any versioned actions - VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES || true) + # Check for any versioned actions, excluding comments and this validation script + VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "^\s*#" || true) if [ -n "$VIOLATIONS" ]; then echo "Found versioned GitHub actions. Use commit SHAs instead:" echo "$VIOLATIONS" From f2f05238fa228a26c211f5ffcba78725e92fe49d Mon Sep 17 00:00:00 2001 From: Thomas Pierce Date: Mon, 22 Sep 2025 11:20:37 -0700 Subject: [PATCH 4/7] Test findings --- .github/actions/lambda_artifacts_build/action.yml | 2 ++ .github/workflows/daily-scan.yml | 7 ++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/actions/lambda_artifacts_build/action.yml b/.github/actions/lambda_artifacts_build/action.yml index ee01d2d8c..dec5d4b33 100644 --- a/.github/actions/lambda_artifacts_build/action.yml +++ b/.github/actions/lambda_artifacts_build/action.yml 
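Review bot: The self-exclusion `grep -v "grep.*uses:.*@v"` is fragile: it drops any matched line that also contains the word `grep`, and it exists only because `uses:.*@v` matches the script's own shell line inside pr-build.yml. Anchoring the first grep to the YAML key position, `VIOLATIONS=$(grep -HnE '^\s*(- )?uses:\s*\S+@v' $CHANGED_FILES || true)`, matches only real `uses:` entries and makes the second grep unnecessary. The `grep -v "^\s*#"` filter added here never matches, because `-Hn` prefixes every line with `file:line:`; a later patch in this series replaces it. The surrounding `if` block continues outside the hunk.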
@@ -27,6 +27,7 @@ inputs: runs: using: "composite" steps: + - uses: actions/checkout@v4 - name: Build sample lambda function shell: bash working-directory: ${{ inputs.layer_directory }}/sample-apps @@ -38,6 +39,7 @@ runs: ./build-lambda-layer.sh pip install tox tox + - uses: actions/checkout@v4 #v4 - name: Upload Layer to S3 shell: bash run: | diff --git a/.github/workflows/daily-scan.yml b/.github/workflows/daily-scan.yml index bc699bdae..0ffe3a0fa 100644 --- a/.github/workflows/daily-scan.yml +++ b/.github/workflows/daily-scan.yml @@ -25,6 +25,7 @@ jobs: scan_and_report: runs-on: ubuntu-latest steps: + # - uses: actions/checkout@v4 - name: Checkout repo for dependency scan uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0 with: @@ -35,6 +36,7 @@ jobs: with: python-version: "3.10" + # - uses: actions/checkout@v4 #v4 - name: Create requirements.txt for dependency scan run: | python -m venv env @@ -49,6 +51,8 @@ jobs: java-version: 17 distribution: 'temurin' + - uses: actions/checkout@v4 #v4 + - name: Configure AWS credentials for dependency scan uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0 with: @@ -56,7 +60,7 @@ jobs: aws-region: ${{ env.AWS_DEFAULT_REGION }} - name: Get NVD API key for dependency scan - uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10 + uses: aws-actions/aws-secretsmanager-get-secrets@2 id: nvd_api_key with: secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }} @@ -99,6 +103,7 @@ jobs: severity: 'CRITICAL,HIGH' logout: 'false' + - uses: actions/checkout@v4 - name: Perform low image scan if: always() id: low_scan From a98c1437a3d8df1f7b83a97c25afd2f73f41734d Mon Sep 17 00:00:00 2001 From: Thomas Pierce Date: Mon, 22 Sep 2025 12:07:37 -0700 Subject: [PATCH 5/7] fix comments --- .github/workflows/pr-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index bc2d37b7d..b863c68cd 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml @@ -61,7 +61,7 @@ jobs: if [ -n "$CHANGED_FILES" ]; then # Check for any versioned actions, excluding comments and this validation script - VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "^\s*#" || true) + VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true) if [ -n "$VIOLATIONS" ]; then echo "Found versioned GitHub actions. Use commit SHAs instead:" echo "$VIOLATIONS" From 1f41ba901139086d91e8491d38ce6acba32bb611 Mon Sep 17 00:00:00 2001 From: Thomas Pierce Date: Mon, 22 Sep 2025 12:10:17 -0700 Subject: [PATCH 6/7] Revert "Test findings" This reverts commit f2f05238fa228a26c211f5ffcba78725e92fe49d. --- .github/actions/lambda_artifacts_build/action.yml | 2 -- .github/workflows/daily-scan.yml | 7 +------ 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/.github/actions/lambda_artifacts_build/action.yml b/.github/actions/lambda_artifacts_build/action.yml index dec5d4b33..ee01d2d8c 100644 --- a/.github/actions/lambda_artifacts_build/action.yml +++ b/.github/actions/lambda_artifacts_build/action.yml @@ -27,7 +27,6 @@ inputs: runs: using: "composite" steps: - - uses: actions/checkout@v4 - name: Build sample lambda function shell: bash working-directory: ${{ inputs.layer_directory }}/sample-apps @@ -39,7 +38,6 @@ runs: ./build-lambda-layer.sh pip install tox tox - - uses: actions/checkout@v4 #v4 - name: Upload Layer to S3 shell: bash run: | diff --git a/.github/workflows/daily-scan.yml b/.github/workflows/daily-scan.yml index 0ffe3a0fa..bc699bdae 100644 --- a/.github/workflows/daily-scan.yml +++ b/.github/workflows/daily-scan.yml 
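Review bot: `grep -v "#.*@v"` discards the whole matched line whenever the trailing comment mentions `@v`, so a real violation written as `uses: actions/checkout@v4 # was @v3` is silently accepted, and a commented-out step still only passes when its comment happens to contain `@v`. Stripping the comment portion before matching is more precise and handles both cases: `VIOLATIONS=$(grep -Hn "uses:" $CHANGED_FILES | sed 's/#.*$//' | grep "@v" | grep -v "grep.*uses:.*@v" || true)`. The rest of the step is outside the hunk.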
@@ -25,7 +25,6 @@ jobs: scan_and_report: runs-on: ubuntu-latest steps: - # - uses: actions/checkout@v4 - name: Checkout repo for dependency scan uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0 with: @@ -36,7 +35,6 @@ jobs: with: python-version: "3.10" - # - uses: actions/checkout@v4 #v4 - name: Create requirements.txt for dependency scan run: | python -m venv env @@ -51,8 +49,6 @@ jobs: java-version: 17 distribution: 'temurin' - - uses: actions/checkout@v4 #v4 - - name: Configure AWS credentials for dependency scan uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0 with: @@ -60,7 +56,7 @@ jobs: aws-region: ${{ env.AWS_DEFAULT_REGION }} - name: Get NVD API key for dependency scan - uses: aws-actions/aws-secretsmanager-get-secrets@2 + uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10 id: nvd_api_key with: secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }} @@ -103,7 +99,6 @@ jobs: severity: 'CRITICAL,HIGH' logout: 'false' - - uses: actions/checkout@v4 - name: Perform low image scan if: always() id: low_scan From 8f6c0832bd256ff3884b027199d81d9daff267cb Mon Sep 17 00:00:00 2001 From: Thomas Pierce Date: Mon, 22 Sep 2025 12:45:43 -0700 Subject: [PATCH 7/7] fix Trivy --- .github/actions/image_scan/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/image_scan/action.yml b/.github/actions/image_scan/action.yml index 31d5a78fe..519f6a708 100644 --- a/.github/actions/image_scan/action.yml +++ b/.github/actions/image_scan/action.yml @@ -32,7 +32,7 @@ runs: run: docker logout public.ecr.aws - name: Run Trivy vulnerability scanner on image - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 with: image-ref: ${{ inputs.image-ref }} severity: ${{ inputs.severity }}
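Review bot: The version comment `# v0.33.1` uses a different format from the pins elsewhere in this series (`#5.0.0`, `#v2.0.10` in daily-scan.yml); picking one form for all pinned actions keeps them consistent and greppable, e.g. `uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1`. Moving from `@master` to a commit SHA is the right fix for a mutable ref; note that the PR check introduced earlier in this series matches only `@v`, so this pin was found by hand rather than by that check. The composite action's remaining steps are outside the hunk.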