chore: new github action to run security-guardian

[QuantumNeuralCoder]

Issue # (if applicable)

None

Closes #.
None

Reason for this change

• Adds a new tool to run cfn-guard
• Enhances PR linter to find added or updated snapshot templates and run cfn-guard through them for detecting inline broad trust policy

Description of changes

Refer README.md

Describe any new or updated permissions being added

N/A

Description of how you validated changes

Tested on personal fork. Refer QuantumNeuralCoder#6
PR Linter output shows test results.

Checklist

• [ x] My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 84.00%. Comparing base (74cbe27) to head (b52d3d3).
Report is 35 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #34115      +/-   ##
==========================================
+ Coverage   83.98%   84.00%   +0.01%     
==========================================
  Files         120      121       +1     
  Lines        6976     6984       +8     
  Branches     1178     1179       +1     
==========================================
+ Hits         5859     5867       +8     
  Misses       1005     1005              
  Partials      112      112              

Flag	Coverage Δ
suite.unit	84.00% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	84.00% <ø> (+0.01%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[QuantumNeuralCoder]

Exemption Request since github workflow separately tested on personal fork.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[moelasmar]

since cfn-guard is required, I believe it worth adding a step to install cfn-guard, so we do not need every time we use this GH action to add a step to install it

[moelasmar]

I think the rules set file will be always a local file in the repo, why shall we download it ?

[QuantumNeuralCoder]

Addressed all in latest commit

[moelasmar]

not really following, based on lines 2,3

on:
  pull_request: {}

This action will be invoked whenever the PR got created, synchronized, reopened, updated. So, why we still need to link this action to another flow, what will be the added value

[moelasmar]

at least from my understanding, I do not see that this action do any updates to the PR, so why do we need these permissions. Also, I think the comment on line 20 is not aligning withe the given permissions, since all permissions are read

[moelasmar]

I think this tool is planned to do more checks than running cfn-guard. As I understood, for now it will run cfn-guard against one rule, with a plan to extend these rules.
Also, there is some static check logic is planned to be done on the snapshot templates, that will be done in the tool, and not by cfn-guard.

[moelasmar]

If my understanding is not correct, so I think we do not need to implement this tool in TS, it can be as simple as running a bash script.

[moelasmar]

why we these permissions are needed ?

[QuantumNeuralCoder]

For codecov for this PR. On side note, pull_request_target will run in main branch context. We can only see the gh action once its merged.

[moelasmar]

Thanks Indranil. I am approving the PR, but as we agreed, we need a follow up PR to allow contributors to execute the security guardian tool locally.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: effd556
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.