@kumvprat (Contributor):

Fix SQS inline policy guard rule and add experimental disclaimer to security reports

Issue

  • sqs-no-world-accessible-inline.guard was checking incorrect resource type and property path
  • Security report comments lacked disclaimer about experimental status

Solution

Fixed SQS inline policy rule:

  • Changed from checking AWS::SQS::Queue resources to AWS::SQS::QueueInlinePolicy resources per CloudFormation documentation
  • Fixed property path from Properties.QueuePolicy.Statement to Properties.PolicyDocument.Statement
  • Added documentation noting queues without QueueInlinePolicy are secure by default per SQS documentation

Added experimental disclaimer:

  • Security report workflow now appends disclaimer to both static and resolved template result comments
  • Disclaimer indicates feature is experimental and may include false positives

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
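As an added illustration of what the corrected rule inspects (this is example code written for this page, not the aws-cdk guard rule or the PR's workflow code, and it is plain JavaScript rather than the cfn-guard DSL), the function below walks a parsed CloudFormation template, selects AWS::SQS::QueueInlinePolicy resources and reads Properties.PolicyDocument.Statement, reporting statements that allow an anonymous principal without a Condition. The helper names and the sample template are constructed for the example; a statement carrying a Condition is treated as scoped rather than world-open, and queues with no QueueInlinePolicy resource are not reported, matching the "secure by default" note in the PR.

```javascript
// Added example (not code from the aws-cdk PR). Checks a CloudFormation
// template object for AWS::SQS::QueueInlinePolicy resources whose
// Properties.PolicyDocument.Statement grants access to an anonymous principal.
// Helper names and the sample template are constructed for this example.

// CloudFormation allows Statement (and principal lists) as a single value or an array.
function asArray(x) {
  if (x === undefined || x === null) return [];
  return Array.isArray(x) ? x : [x];
}

// A principal is "world" when it is the literal "*" or {AWS: "*"} (or a list containing "*").
function isWorldPrincipal(principal) {
  if (principal === '*') return true;
  if (principal && typeof principal === 'object') {
    return asArray(principal.AWS).includes('*');
  }
  return false;
}

// An Allow statement to a world principal with no Condition block is world-accessible.
function statementIsWorldAccessible(stmt) {
  if (!stmt || stmt.Effect !== 'Allow') return false;
  if (!isWorldPrincipal(stmt.Principal)) return false;
  const cond = stmt.Condition;
  return !(cond && typeof cond === 'object' && Object.keys(cond).length > 0);
}

// Returns the logical IDs of AWS::SQS::QueueInlinePolicy resources that contain
// at least one world-accessible statement. AWS::SQS::Queue resources themselves
// are skipped: without an inline policy resource the queue keeps its default,
// owner-only access.
function findWorldAccessibleInlinePolicies(template) {
  const findings = [];
  const resources = (template && template.Resources) || {};
  for (const [logicalId, res] of Object.entries(resources)) {
    if (!res || res.Type !== 'AWS::SQS::QueueInlinePolicy') continue;
    const doc = (res.Properties && res.Properties.PolicyDocument) || {};
    if (asArray(doc.Statement).some(statementIsWorldAccessible)) findings.push(logicalId);
  }
  return findings;
}

// Constructed sample template: one open policy, one scoped by a Condition, one owner-only.
const SAMPLE_TEMPLATE = {
  Resources: {
    MyQueue: { Type: 'AWS::SQS::Queue', Properties: {} },
    OpenPolicy: {
      Type: 'AWS::SQS::QueueInlinePolicy',
      Properties: {
        Queue: { Ref: 'MyQueue' },
        PolicyDocument: {
          Version: '2012-10-17',
          Statement: { Effect: 'Allow', Principal: '*', Action: 'sqs:SendMessage', Resource: '*' },
        },
      },
    },
    ScopedPolicy: {
      Type: 'AWS::SQS::QueueInlinePolicy',
      Properties: {
        Queue: { Ref: 'MyQueue' },
        PolicyDocument: {
          Version: '2012-10-17',
          Statement: [{
            Effect: 'Allow', Principal: { AWS: '*' }, Action: 'sqs:SendMessage', Resource: '*',
            Condition: { ArnEquals: { 'aws:SourceArn': 'arn:aws:sns:us-east-1:111122223333:example-topic' } },
          }],
        },
      },
    },
    OwnerPolicy: {
      Type: 'AWS::SQS::QueueInlinePolicy',
      Properties: {
        Queue: { Ref: 'MyQueue' },
        PolicyDocument: {
          Version: '2012-10-17',
          Statement: [{ Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::111122223333:root' }, Action: 'sqs:*', Resource: '*' }],
        },
      },
    },
  },
};

console.log(findWorldAccessibleInlinePolicies(SAMPLE_TEMPLATE)); // → ['OpenPolicy']
```

The same walk using the rule's old selection (AWS::SQS::Queue resources and a Properties.QueuePolicy.Statement path) finds no statements at all on this template, which is why the original rule could never fire: the policy document simply does not live there.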

@aws-cdk-automation aws-cdk-automation requested a review from a team December 17, 2025 21:17
@github-actions github-actions bot added the p2 label Dec 17, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Dec 17, 2025
kumvprat and others added 2 commits December 17, 2025 22:22
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Dec 17, 2025
@kumvprat kumvprat added the pr/do-not-merge This PR should not be merged at this time. label Dec 18, 2025
);
if (botComment) {
const disclaimer = '\n\n---\n\n⚠️ **Experimental Feature**: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined. Please review findings carefully.';
Contributor:

Are we not providing information about merge from main to avoid findings unrelated to the PR?

@kumvprat (Contributor Author):

Thanks, I missed adding that.

Will include it in the disclaimer as well

@kumvprat (Contributor Author):

Updated the disclaimer

@kumvprat (Contributor Author):

This is how the disclaimer looks right now:
[Screenshot 2025-12-18 at 15 13 46]

@kumvprat kumvprat removed the pr/do-not-merge This PR should not be merged at this time. label Dec 18, 2025
mergify bot commented Dec 18, 2025:

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit ddf41ed into main Dec 18, 2025
25 of 26 checks passed
@mergify mergify bot deleted the security_guardian_improvements branch December 18, 2025 14:55
mergify bot commented Dec 18, 2025:

Merge Queue Status

✅ The pull request has been merged at 1646c84

This pull request spent 8 seconds in the queue, with no time running CI.
The checks were run in-place.

@github-actions bot:

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 18, 2025