Feat/exportspage #447
- Remove hardcoded CloudWatch log group names to prevent deployment conflicts
- Add descriptive CloudFormation output descriptions for better resource identification
- Remove unused Names import and logGroupName parameters
- Add CDK-nag rule to enforce dynamic log group naming
- Set default values for CloudFormation template parameters
- Modified CDK configuration constants and local deployment settings
- Enhanced WAF construct and pipeline configuration
- Improved status updater function and utility functions
- Refined workshop nag pack rules
- Added complete exports management system with Python script, dashboard template, and documentation
- Updated CodeBuild deployment template
ASH Security Scan Report

Scan Metadata

Summary

Scanner Results: the table below shows findings by scanner, with status based on severity thresholds and dependencies.

Top 10 Hotspots: files with the highest number of security findings.

Detailed Findings: showing 20 of 64 actionable findings. Rule IDs of the 20 shown (descriptions and code snippets were not captured in this view):

- CKV_AWS_111 (1 finding)
- CKV_DOCKER_2 (6 findings)
- CKV_DOCKER_3 (5 findings)
- CKV_DOCKER_7 (1 finding)
- CKV2_GHA_1 (2 findings)
- javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring (5 findings)

Report generated by Automated Security Helper (ASH) at 2025-10-25T16:54:45+00:00
| internal_prefixes = ["AWS::", "CDK::", "cdk-", "CdkBootstrap", "StagingBucket"] | ||
| return any(export_name.startswith(prefix) for prefix in internal_prefixes) | ||
|
|
||
| def _categorize_export(self, export_name: str) -> str: |
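Review bot: `_is_internal_export` can pass the prefixes as a tuple, `export_name.startswith(tuple(internal_prefixes))`, instead of the generator inside `any(...)`; and since "StagingBucket" is a plain name prefix rather than a CDK namespace like "AWS::" or "cdk-", check that no workshop-owned export whose name starts with that string is silently hidden by this filter.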
Recommendation generated by Amazon CodeGuru Reviewer. Leave feedback on this recommendation by replying to the comment or by reacting to the comment using emoji.
The cyclomatic complexity of this function is 18. By comparison, 98% of the functions in the CodeGuru reference dataset have a lower cyclomatic complexity. This indicates the function has a high number of decisions and it can make the logic difficult to understand and test. We recommend that you simplify this function or break it into multiple functions.
| **S3 upload fails**: Check bucket exists and permissions allow PutObject | ||
|
|
||
| ```bash | ||
| aws s3 ls s3://your-assets-bucket/ |
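Review bot: `aws s3 ls s3://your-assets-bucket/` exercises ListBucket, not the PutObject permission the text tells the reader to verify, and a listing succeeding does not prove the bucket belongs to this account. Suggest pairing it with `aws s3api head-bucket --bucket your-assets-bucket --expected-bucket-owner <account-id>` so the troubleshooting step also confirms ownership.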
Recommendation generated by Amazon CodeGuru Reviewer.
Potential S3 bucket sniping vulnerability detected. This rule has identified S3 bucket references that could be vulnerable to bucket sniping attacks. Bucket sniping occurs when an attacker registers an S3 bucket name after finding it referenced in code but not yet created. This can lead to data exposure, malicious content hosting, or service disruption.
Recommendations:
- Create all referenced S3 buckets immediately
- Use organization-specific prefixes for bucket names
- Verify bucket ownership before use
- Consider using AWS Organizations S3 bucket naming rules
Discovered: your-assets-bucket
| if cloudfront_domain: | ||
| dashboard_url = f"{cloudfront_domain}/workshop-exports/index.html" | ||
| elif assets_bucket: | ||
| dashboard_url = f"https://{assets_bucket}.s3.amazonaws.com/workshop-exports/index.html" |
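Review bot: the CloudFront branch builds `dashboard_url` as `f"{cloudfront_domain}/workshop-exports/index.html"` with no scheme, while the S3 branch prefixes `https://`; unless the export value already carries a scheme, the first URL is relative and will not open from the dashboard. For the fallback, prefer the regional virtual-hosted endpoint (`{assets_bucket}.s3.{region}.amazonaws.com`) over the legacy global `s3.amazonaws.com` host.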
Recommendation generated by Amazon CodeGuru Reviewer.
Potential S3 bucket sniping vulnerability detected. This rule has identified S3 bucket references that could be vulnerable to bucket sniping attacks. Bucket sniping occurs when an attacker registers an S3 bucket name after finding it referenced in code but not yet created. This can lead to data exposure, malicious content hosting, or service disruption.
Recommendations:
- Create all referenced S3 buckets immediately
- Use organization-specific prefixes for bucket names
- Verify bucket ownership before use
- Consider using AWS Organizations S3 bucket naming rules
Discovered: workshop-exports
src/cdk/scripts/manage-exports.py
Outdated
| if base_url.startswith("https://"): | ||
| return f"{base_url.rstrip('/')}/{key}" | ||
| else: | ||
| return f"https://{base_url.rstrip('/')}/{key}" |
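Review bot: the scheme check only special-cases `https://`; an export value of `http://host` falls into the `else` branch and becomes `https://http://host/<key>`. Parse the value with `urllib.parse.urlsplit` and accept only a bare hostname or an https origin, rejecting anything else, rather than string-prefixing.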
Recommendation generated by Amazon CodeGuru Reviewer.
Untrusted data must be properly encoded or sanitized before being incorporated into web page content or used to generate dynamic output. Failure to do so can result in Cross-Site Scripting (XSS) vulnerabilities, enabling attackers to inject malicious scripts into the application. These scripts, when executed in users' browsers, can lead to various security breaches such as session hijacking, data theft, or unauthorized actions performed within the victim's session context. To mitigate this risk, use built-in template escaping mechanisms, HTML escape functions like html.escape(), or dedicated security libraries such as Bleach.
Learn more: https://owasp.org/www-community/attacks/xss/
src/cdk/scripts/manage-exports.py
Outdated
| if export["exportName"] == "WorkshopCloudFrontDomain": | ||
| base_url = export["exportValue"] | ||
| if base_url.startswith("https://"): | ||
| return f"{base_url.rstrip('/')}/{key}" |
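Review bot: this is another copy of the `startswith("https://")` / `rstrip('/')` URL join that appears in several hunks of this file; pull it into one helper such as `_join_url(base_url, key)` so scheme handling and key encoding are fixed in a single place instead of being patched per call site.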
Recommendation generated by Amazon CodeGuru Reviewer.
Untrusted data must be properly encoded or sanitized before being incorporated into web page content or used to generate dynamic output. Failure to do so can result in Cross-Site Scripting (XSS) vulnerabilities, enabling attackers to inject malicious scripts into the application. These scripts, when executed in users' browsers, can lead to various security breaches such as session hijacking, data theft, or unauthorized actions performed within the victim's session context. To mitigate this risk, use built-in template escaping mechanisms, HTML escape functions like html.escape(), or dedicated security libraries such as Bleach.
Learn more: https://owasp.org/www-community/attacks/xss/
src/cdk/scripts/manage-exports.py
Outdated
| ): | ||
| base_url = export["exportValue"] | ||
| if base_url.startswith("https://"): | ||
| return f"{base_url.rstrip('/')}/{key}" |
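Review bot: `key` is interpolated raw into the URL; keys containing spaces, `#` or `?` produce broken links in the generated dashboard. Encode each path segment with `urllib.parse.quote(segment, safe="")` before joining.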
Recommendation generated by Amazon CodeGuru Reviewer.
Untrusted data must be properly encoded or sanitized before being incorporated into web page content or used to generate dynamic output. Failure to do so can result in Cross-Site Scripting (XSS) vulnerabilities, enabling attackers to inject malicious scripts into the application. These scripts, when executed in users' browsers, can lead to various security breaches such as session hijacking, data theft, or unauthorized actions performed within the victim's session context. To mitigate this risk, use built-in template escaping mechanisms, HTML escape functions like html.escape(), or dedicated security libraries such as Bleach.
Learn more: https://owasp.org/www-community/attacks/xss/
| logger.info(f"CloudFront URL: {cloudfront_url}") # noqa: E501 | ||
| return cloudfront_url | ||
|
|
||
| return s3_url |
Recommendation generated by Amazon CodeGuru Reviewer.
Untrusted data must be properly encoded or sanitized before being incorporated into web page content or used to generate dynamic output. Failure to do so can result in Cross-Site Scripting (XSS) vulnerabilities, enabling attackers to inject malicious scripts into the application. These scripts, when executed in users' browsers, can lead to various security breaches such as session hijacking, data theft, or unauthorized actions performed within the victim's session context. To mitigate this risk, use built-in template escaping mechanisms, HTML escape functions like html.escape(), or dedicated security libraries such as Bleach.
Learn more: https://owasp.org/www-community/attacks/xss/
| return f"{base_url.rstrip('/')}/{key}" | ||
| else: | ||
| # Add https if not present | ||
| return f"https://{base_url.rstrip('/')}/{key}" |
Recommendation generated by Amazon CodeGuru Reviewer.
Untrusted data must be properly encoded or sanitized before being incorporated into web page content or used to generate dynamic output. Failure to do so can result in Cross-Site Scripting (XSS) vulnerabilities, enabling attackers to inject malicious scripts into the application. These scripts, when executed in users' browsers, can lead to various security breaches such as session hijacking, data theft, or unauthorized actions performed within the victim's session context. To mitigate this risk, use built-in template escaping mechanisms, HTML escape functions like html.escape(), or dedicated security libraries such as Bleach.
Learn more: https://owasp.org/www-community/attacks/xss/
src/cdk/scripts/manage-exports.py
Outdated
| ) -> str: | ||
| """Generate AWS Console URL for the export's resource.""" | ||
| base_url = "https://console.aws.amazon.com/cloudformation/home" | ||
| return f"{base_url}?region={region}#/stacks/stackinfo?stackId={stack_name}" |
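Review bot: the query parameter is named `stackId` but receives `stack_name`, and both `region` and `stack_name` are interpolated unencoded; if a stack ARN is ever passed here it contains `:` and `/`. Run both values through `urllib.parse.quote(..., safe="")`, and consider the region-scoped console host (`https://{region}.console.aws.amazon.com/cloudformation/home?region={region}#/stacks/...`) so the link lands in the right region without a redirect.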
Recommendation generated by Amazon CodeGuru Reviewer.
Untrusted data must be properly encoded or sanitized before being incorporated into web page content or used to generate dynamic output. Failure to do so can result in Cross-Site Scripting (XSS) vulnerabilities, enabling attackers to inject malicious scripts into the application. These scripts, when executed in users' browsers, can lead to various security breaches such as session hijacking, data theft, or unauthorized actions performed within the victim's session context. To mitigate this risk, use built-in template escaping mechanisms, HTML escape functions like html.escape(), or dedicated security libraries such as Bleach.
Learn more: https://owasp.org/www-community/attacks/xss/
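The six CodeGuru findings above flag one pattern: CloudFormation export values are interpolated straight into URLs that end up in the generated dashboard HTML. As an added example (not code from the PR's manage-exports.py), this hardened builder validates the export value as an https host, percent-encodes the object key and HTML-escapes the result before it is placed in an anchor; the export name WorkshopAssetsBucket and the ListExports-shaped record are assumptions.

```python
"""Hardened dashboard-link builder for CloudFormation export values (added
example, not the PR's code). Assumes ListExports-shaped dicts and an assumed
export name WorkshopAssetsBucket; only WorkshopCloudFrontDomain is in the PR."""
import html
import re
from urllib.parse import quote, urlsplit

# Hostname: dotted RFC 1123 labels; no scheme, userinfo, port or path characters.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
# Subset of the S3 bucket naming rules (3-63 chars, not an IPv4 literal).
_BUCKET_RE = re.compile(r"^(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def normalize_https_base(value: str) -> str:
    """Return 'https://host' for a well-formed export value, else raise ValueError.

    Accepts a bare hostname or an https:// origin without path, query,
    fragment, userinfo or port. http://, javascript:, quotes and tags are
    all rejected, so a tampered export cannot become an arbitrary link.
    """
    v = value.strip()
    if "://" in v:
        parts = urlsplit(v)
        if (parts.scheme.lower() != "https" or parts.path.strip("/")
                or parts.query or parts.fragment or parts.username or parts.port):
            raise ValueError(f"unsupported base URL: {value!r}")
        host = parts.hostname or ""
    else:
        host = v.rstrip("/")
    if not _HOST_RE.match(host):
        raise ValueError(f"not a hostname: {host!r}")
    return f"https://{host.lower()}"


def is_rejected(value: str) -> bool:
    """True when normalize_https_base refuses the value."""
    try:
        normalize_https_base(value)
    except ValueError:
        return True
    return False


def build_object_url(base: str, key: str) -> str:
    """Join a validated base with an S3 key, percent-encoding each segment."""
    safe_key = "/".join(quote(seg, safe="") for seg in key.strip("/").split("/"))
    return f"{normalize_https_base(base)}/{safe_key}"


def dashboard_link(exports: list, key: str = "workshop-exports/index.html") -> str:
    """Prefer the CloudFront export, fall back to the assets bucket; emit an <a>."""
    by_name = {e["exportName"]: e["exportValue"] for e in exports}
    if "WorkshopCloudFrontDomain" in by_name:
        url = build_object_url(by_name["WorkshopCloudFrontDomain"], key)
    elif "WorkshopAssetsBucket" in by_name:
        bucket = by_name["WorkshopAssetsBucket"]
        if not _BUCKET_RE.match(bucket):
            raise ValueError(f"invalid bucket name: {bucket!r}")
        url = build_object_url(f"{bucket}.s3.amazonaws.com", key)
    else:
        raise LookupError("no dashboard export found")
    # quote=True also escapes the double quotes wrapping the href attribute.
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(url)}</a>'
```

Validation happens before escaping, so a tampered export is rejected outright rather than merely neutralised in the HTML.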
* feat: add CodeConnection and Parameter Store integration
  - Add CodeConnection support for GitHub integration as alternative to S3 source
  - Implement Parameter Store configuration management for centralized config
  - Update CONTRIBUTING.md formatting (bullet points, spacing, emphasis)
  - Add comprehensive documentation for new integration features
  - Create reusable configuration retrieval script for pipeline steps
  - Update CloudFormation template with new parameters and IAM permissions
  - Modify CDK pipeline to support conditional source selection
  - Add fallback mechanisms for backward compatibility
* feat: enhance configuration flexibility and add troubleshooting docs
  - Add troubleshooting section for CDK bootstrap stack deletion issues
  - Support environment variables for Parameter Store base path configuration
  - Add CodeConnection ARN support for GitHub integration
  - Update workshop template with consistent parameter defaults
  - Enable conditional source configuration (CodeConnection vs S3) in local deployment
* refactor: simplify parameter store configuration management
  Modified parameter storage approach in AWS Systems Manager Parameter Store from individual key-value parameters to a single parameter containing the complete .env file content. Updated the retrieve-config.sh script to fetch a single parameter instead of using get-parameters-by-path, and modified the CodeBuild deployment template to store the entire .env file as one parameter rather than splitting it into multiple parameters.
* feat: implement single parameter approach for Parameter Store integration
  Updated CodeConnection and Parameter Store integration with single parameter approach. Modified documentation to reflect new CloudFormation-managed parameter creation, updated CDK pipeline to use single parameter path with stack name, and enhanced CodeBuild template to create Parameter Store parameter as CloudFormation resource instead of manual creation.
* fix: deployment issues
* fix: added tags to initial stack
* fix: pipeline error
* fix: update environment validation and opensearch pipeline logging
  - Modified environment variable validation to accept either CONFIG_BUCKET or CODE_CONNECTION_ARN
  - Reordered CloudWatch log group creation before IAM role definition in OpenSearch pipeline
  - Fixed log group ARN references in IAM policies to use correct log group name
* fix: rolled back log name for opensearch
* fix: publish export error
* fix: missing permissions for dashboard
* fix: unterminated quote
* fix: missing permissions
* fix: added shell for export dashboard
* feat: enhance CDK infrastructure and deployment scripts
  - Updated constants configuration in bin/constants.ts
  - Enhanced asset constructs and petsite microservice
  - Modified pipeline configuration and status updater function
  - Significantly expanded manage-exports.py script with 654 additions
  - Enhanced retrieve-config.sh script with 318 additions
  - Total changes: 860 additions, 138 deletions across 7 files
* feat: added debug flag for scripts
* fix: script error handling logic
* feat: improved dashboard
* fix: missing permissions for dashboard
* cicd: removed debug flag
* fix: broad permissions for putobject
* feat: improved console access links
| """Check if export value appears to be a URL.""" | ||
| return value.startswith(("http://", "https://")) | ||
|
|
||
| def _get_console_url( |
Recommendation generated by Amazon CodeGuru Reviewer.
The cyclomatic complexity of this function is 17. By comparison, 98% of the functions in the CodeGuru reference dataset have a lower cyclomatic complexity. This indicates the function has a high number of decisions and it can make the logic difficult to understand and test.
We recommend that you simplify this function or break it into multiple functions. For example, consider extracting the code block on lines 661-666 into a separate function.
| logger.info(f"Target regions for scanning: {regions}") | ||
| return regions | ||
|
|
||
| def extract_exports( |
Recommendation generated by Amazon CodeGuru Reviewer.
This function contains 128 lines of code, not including blank lines or lines with only comments, Python punctuation characters, identifiers, or literals. By comparison, 99% of the functions in the CodeGuru reference dataset contain fewer lines of code. Large functions might be difficult to read and have logic that is hard to understand and test.
We recommend that you simplify this function or break it into multiple functions. For example, consider extracting the code block on lines 521-529 into a separate function.
|
|
||
| // Attempt to read from SSM | ||
| try { | ||
| const { SSMClient, GetParameterCommand } = require('@aws-sdk/client-ssm'); |
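Review bot: placing `require('@aws-sdk/client-ssm')` inside the `try` means a missing or broken dependency is caught by the same handler as a failed parameter read and surfaces as the same error; hoist the require to module scope and keep the `try` around the `GetParameterCommand` call only, so dependency problems fail loudly at load time.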
Recommendation generated by Amazon CodeGuru Reviewer.
We detected that you are importing a module inside a function, which is known as lazy loading. If modules are imported within a function, it might prevent other requests from being handled at a more critical time. We recommend that you load all modules at the beginning of each file, before and outside of any functions.
| log_debug "Attempting to retrieve parameter from SSM..." | ||
|
|
||
| local ssm_output | ||
| local ssm_error |
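Review bot: `ssm_error` is declared but nothing in this hunk assigns it; either capture the CLI's stderr into it (e.g. `ssm_output=$(aws ssm get-parameter ... 2>"$err_file")` followed by `ssm_error=$(<"$err_file")`) so a failed retrieval is logged with its cause, or drop the declaration.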
Recommendation generated by Amazon CodeGuru Reviewer.
ssm_error appears unused. Verify use (or export if used externally).
| if [[ "$LOG_LEVEL" == "DEBUG" ]]; then | ||
| log_debug "Configuration file contents:" | ||
| log_debug "----------------------------------------------" | ||
| cat "$TARGET_ENV_FILE" | sed 's/\(.*=\).*/\1[REDACTED]/' >&2 |
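Review bot: the redaction regex `s/\(.*=\).*/\1[REDACTED]/` is greedy, so it keeps everything up to the last `=` on the line: a value such as `SECRET=abc=def`, or any base64 value ending in `=`, is printed as `SECRET=abc=[REDACTED]`, leaking most or all of the secret into debug logs. Anchor on the first `=` with `s/^\([^=]*=\).*/\1[REDACTED]/`, and read the file directly (`sed ... < "$TARGET_ENV_FILE"`) instead of piping from `cat`.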
Recommendation generated by Amazon CodeGuru Reviewer.
Unnecessary use of 'cat' in shell scripts can lead to inefficient code and reduced script performance. Instead of 'cat file | command', use input redirection ('command < file') or pass the filename directly ('command file') when possible. This practice improves script efficiency, especially for commands that benefit from seekable input. It also enhances code readability and maintainability. For more information on secure coding practices, including shell scripting, refer to the OWASP Secure Coding Practices Quick Reference Guide: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
| if [[ "$LOG_LEVEL" == "DEBUG" ]]; then | ||
| log_debug "Existing .env contents:" | ||
| log_debug "----------------------------------------------" | ||
| cat ".env" | sed 's/\(.*=\).*/\1[REDACTED]/' >&2 |
Recommendation generated by Amazon CodeGuru Reviewer.
Unnecessary use of 'cat' in shell scripts can lead to inefficient code and reduced script performance. Instead of 'cat file | command', use input redirection ('command < file') or pass the filename directly ('command file') when possible. This practice improves script efficiency, especially for commands that benefit from seekable input. It also enhances code readability and maintainability. For more information on secure coding practices, including shell scripting, refer to the OWASP Secure Coding Practices Quick Reference Guide: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
Issue #, if available:
N/A
Description of changes:
Created page to expose exports
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.