Skip to content

test(ci): Create fortify.yml#412

Closed
Pr0methean wants to merge 1 commit intomasterfrom
Pr0methean-patch-3
Closed

test(ci): Create fortify.yml#412
Pr0methean wants to merge 1 commit intomasterfrom
Pr0methean-patch-3

Conversation

@Pr0methean
Copy link
Member

@Pr0methean Pr0methean commented Sep 4, 2025

No description provided.

@Pr0methean
ci: Create fortify.yml
a7f151a 
Signed-off-by: Chris Hennick <4961925+Pr0methean@users.noreply.github.com>
@amazon-q-developer
Copy link
Contributor

amazon-q-developer bot commented Sep 4, 2025

Code review in progress. Analyzing for code quality issues and best practices. Detailed findings will be posted upon completion.

Using Amazon Q Developer for GitHub

Amazon Q Developer1 is an AI-powered assistant that integrates directly into your GitHub workflow, enhancing your development process with intelligent features for code development, review, and transformation.

Slash Commands

Command Description
/q <message> Chat with the agent to ask questions or request revisions
/q review Requests an Amazon Q powered code review
/q help Displays usage information

Features

Agentic Chat
Enables interactive conversation with Amazon Q to ask questions about the pull request or request specific revisions. Use /q <message> in comment threads or the review body to engage with the agent directly.

Code Review
Analyzes pull requests for code quality, potential issues, and security concerns. Provides feedback and suggested fixes. Automatically triggered on new or reopened PRs (can be disabled for AWS registered installations), or manually with /q review slash command in a comment.

Customization

You can create project-specific rules for Amazon Q Developer to follow:

  1. Create a .amazonq/rules folder in your project root.
  2. Add Markdown files in this folder to define rules (e.g., cdk-rules.md).
  3. Write detailed prompts in these files, such as coding standards or best practices.
  4. Amazon Q Developer will automatically use these rules when generating code or providing assistance.

Example rule:

All Amazon S3 buckets must have encryption enabled, enforce SSL, and block public access.
All Amazon DynamoDB Streams tables must have encryption enabled.
All Amazon SNS topics must have encryption enabled and enforce SSL.
All Amazon SNS queues must enforce SSL.

Feedback

To provide feedback on Amazon Q Developer, create an issue in the Amazon Q Developer public repository.

For more detailed information, visit the Amazon Q for GitHub documentation.

Footnotes

  1. Amazon Q Developer uses generative AI. You may need to verify generated code before using it in your environment. See the AWS Responsible AI Policy.

@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Sep 4, 2025

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

amazon-q-developer[bot]
amazon-q-developer bot reviewed Sep 4, 2025
View reviewed changes
Copy link
Contributor

@amazon-q-developer amazon-q-developer bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've reviewed the addition of the Fortify AST workflow file. While it's great to see security scanning being implemented, there are several important security configuration issues that should be addressed:

  1. The workflow currently includes configuration for both Fortify on Demand and Software Security Center, which could lead to confusion and misconfigurations. Choose and implement one approach.
  2. The workflow uses a hardcoded action version instead of a major version tag, potentially missing security updates.
  3. The trigger configuration could lead to duplicate scans on the same code.
  4. Security policy checks are not enforced, which could allow vulnerabilities to slip through.

Please address these concerns to ensure a robust and secure scanning implementation. The workflow will be more effective with these improvements in place.

.github/workflows/fortify.yml
actions: read
contents: read
security-events: write
# pull-requests: write # Required if DO_PR_COMMENT is set to true
Copy link
Contributor

@amazon-q-developer amazon-q-developer bot Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 [Security Configuration]: The workflow is configured to expose both Fortify on Demand (FoD) and Software Security Center (SSC) configurations simultaneously, which could lead to confusion and potential misconfiguration1. You should choose and configure only one scanning approach - either FoD or SSC, not both.

Footnotes

  1. CWE-16: Configuration - https://cwe.mitre.org/data/definitions/16.html

.github/workflows/fortify.yml
# Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on
# configuration, the Fortify GitHub Action can optionally set up the application version/release, generate
# job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard.
# The Fortify GitHub Action provides many customization capabilities, but in case further customization is
Copy link
Contributor

@amazon-q-developer amazon-q-developer bot Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 [Security Configuration]: The workflow is using a hardcoded version of the Fortify GitHub Action (ef5539bf4bd9c45c0bd971978f635a69eae55297). While this provides stability, it may miss critical security updates. Consider using the major version tag @v1 to automatically receive security patches while maintaining compatibility.

.github/workflows/fortify.yml
push:
branches: [ "master" ]
pull_request:
# The branches below must be a subset of the branches above
Copy link
Contributor

@amazon-q-developer amazon-q-developer bot Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 [Security Configuration]: The workflow is configured to run on both push and pull_request events targeting the master branch. This could lead to duplicate scans and unnecessary resource usage. Consider running full scans only on push to master and scheduled events, while using lighter security checks for pull requests.

.github/workflows/fortify.yml
sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run
debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan
# is disabled). For SSC, run a Debricked scan and import results into SSC.
env:
Copy link
Contributor

@amazon-q-developer amazon-q-developer bot Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 [Security Best Practice]: The workflow is not enforcing a minimum security policy check. Setting DO_POLICY_CHECK: true is recommended to fail the pipeline if security policy outcomes indicate critical vulnerabilities1.

Footnotes

  1. CWE-1008: Architectural Concepts - https://cwe.mitre.org/data/definitions/1008.html

@Pr0methean Pr0methean changed the title ci: Create fortify.yml test(ci): Create fortify.yml Sep 4, 2025
@Pr0methean Pr0methean closed this Sep 4, 2025
@Pr0methean
Copy link
Member Author

Pr0methean commented Sep 4, 2025

Closing because this tool requires a Fortify on Demand account and I couldn't find a way to get a free one for OSS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@amazon-q-developer amazon-q-developer[bot] amazon-q-developer[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Pr0methean