Skip to content

feat(ci): security guardian changes #36110

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 51 commits into
base: main
Choose a base branch
from
Open

feat(ci): security guardian changes #36110

wants to merge 51 commits into from

Conversation

@kumvprat
Copy link
Contributor

@kumvprat kumvprat commented Nov 19, 2025

Issue # (if applicable)

N/A - Enhancement and bug fixes for Security Guardian tool.

Reason for this change

Security guardian is first line of defense for scanning policy, roles and permissions vended by CDK for customers. This GH Action is critical to determine if a PR change is providing secure-by-default policies for any changes introduced in CDK.

The Security Guardian tool needed several critical improvements to function properly:

  1. CFN Intrinsic Resolution: Missing comprehensive support for CloudFormation intrinsic functions like Fn::Sub, Fn::Select, Fn::Contains, etc.
  2. Rule Coverage: Incomplete security rule coverage across AWS services
  3. Create noise: Current setup of security guardian does not provide benefit as it fails to exclude cases where the generic cfn-guard rule might not work. Like with KMS secrets or secret manager secrets

Description of changes

Added template preprocessing pipeline with intrinsic resolution and policy normalization, details can be found below

Major Enhancements:

  • Complete CFN Intrinsic Function Resolver: Added comprehensive support for all CloudFormation intrinsic functions including Fn::Sub with literal escaping, Fn::Select with bounds checking, Fn::Contains, Fn::Split, Fn::Cidr, Fn::Base64, and shorthand forms (!Ref, !GetAtt, etc.)
  • Cross-Stack Resolution: Implemented resource registry for resolving Fn::ImportValue and cross-template references
  • Policy Normalization: Added IAM policy normalizer to resolve intrinsics within policy documents before validation
  • Output presentation: Integrated JUnit XML output with GitHub Actions using pinned mikepenz/action-junit-report for rich PR feedback ( suggested by cfn-guard here)
  • Security report generation workflow : Separated out report generation into another workflow due to 2 reasons :
    • Gives us flexibility to change the trigger type for security-guardian to lower permissive trigger likepull_request or pull_request_review
    • Allows fork PRs to run : Fork PRs trigger workflow runs with read permissions, and the separate workflow can execute separate from the fork PR call chain with full permissions needed to update checks and annotation on the PR

Security Rule Expansion:

  • Added comprehensive guard rules for 13 AWS services: CodePipeline, DataTrace, DocumentDB, EC2, IAM, Kinesis, Neptune, Redshift, S3, SNS, SQS, and trust scope validation
  • Enhanced existing rules with better coverage for broad principals, wildcard actions, and cross-account access patterns

Describe any new or updated permissions being added

No new IAM permissions required. All changes are to the static analysis tool and GitHub Actions workflow.

Description of how you validated changes

Unit Testing: via

  • Guard Rule Syntax: All 13 guard rule files pass cfn-guard v3 parser validation
  • Cross-Stack Testing: Validated resolution of Fn::ImportValue and cross-template references
  • Example cases to test that the current set of rules PASS and FAIL for different scenarios

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@kumvprat
feat: Changed intrinsic scanner in security guardian to exempt kms ke…
fe1e34e 
…y default policy from scans
@kumvprat
feat: Modified rules for catching more broad policies + changed intri…
bd14fd3 
…nsic scanner code to exempt some services from root principal check
@kumvprat
feat: Adding security guardian new rules and disabling intrinsic scan…
9f0e606 
…ner by default till it runs consistenly and changing workflow to run on pull_request_target
@kumvprat
Merge branch 'main' into security_guardian_changes
648b4e1
@kumvprat
feat: Removed ecr image checks + reverted back for cfn guard to show …
ae8fc97 
…summary and output as provided in the tool invocation arguments + Removed s3 bucket versioning requirement + data trace checks only have private key and aws access key id checks
@kumvprat
feat: Added cfn template resolution logic to resolve intrinsic functi…
d4893bd 
…ons + added tests to cover that logic
@kumvprat
feat: Added cfn template resolution logic to resolve intrinsic functi…
6f872d5 
…on : Not and contains with tests + made the resolution function modular
@kumvprat
feat: Added code comments to explain the various intrinsic functions …
2250e2f 
…being resolved by the custom resolver + removed malformed template checks as cdk should always produced a valid template + added policy resolution tests
@kumvprat
feat(security-guardian): enhance CFN intrinsic resolution and add com…
d2db463 
…prehensive tests + Fix Fn::Sub literal escaping and parameter resolution + Add shorthand form support (etc.) + Improve Fn::Select bounds checking + Add comprehensive test coverage for guard rules and intrinsic functions
@kumvprat
feat: using junit format of cfn-guard to generate junit related test …
9bfee59 
…results + changes in security guardian workflow to parse the junit files + removed test.sh + fix faulty guard rules + added action to consume and publish junit result
@kumvprat
feat: Fixed with proper use of result piping from cfn guard output
02ae206
@kumvprat
chore: deleting yarn.lock file
3adada6
@kumvprat
Merge branch 'main' into security_guardian_changes
250e5b9
@kumvprat
feat: Added a complient cfn template + tests to check successful runs…
f92685f 
… of scfn guard runs
@kumvprat
feat: Using unnormalized check of policy normalizer to ensure all the…
23977ae 
… fields in a policy are targeted for normalization
@kumvprat
fix: config changes for junit publishing action(group by suites)
51733b3
@kumvprat
fix: Fixing testsuite name in the junit report generated by security …
f3d4ad1 
…guardian
@kumvprat
feat: abstract out postProcessXml function
f379db6
@kumvprat
feat: restore security-critical resource attributes for accurate poli…
2a13551 
…cy validation
@kumvprat
fix: copy name attribute to file attribute in testsuite since the jun…
e86ada3 
…it action report GH action looks for file attribute
@kumvprat
fix: Logic to handled file name mapping and returning the mapping ins…
948717a 
…tead oif implementing a reversible function => Works for unresolved cfn temapates
@kumvprat
fix: Logic to handled file name mappings and resolving testsuite name…
eaeb476 
… filed + added tests to coer this
@kumvprat
feat: Added logic to convert failure message based on cfn template ty…
b249b28 
…pe being processed
@kumvprat
feat: Using proper summary table in GH workflow
4baf2a1
@kumvprat
feat: Eanble annotation update rather than new ones
3145e90
@kumvprat
feat: Added logic to creat 2 set ofsumaaries and use exact chagens in…
b594d29 
… a PR rather than cehckout action based merge commit
@kumvprat
fix: Added checks in no-root-principals guard rule that checks for sp…
fcb058b 
…ecific object inside Properties and only triggers rule when the changes exists + test changes
@kumvprat
fix: Added checks in no-root-principals guard rule that checks for sp…
5ede549 
…ecific object inside Properties and only triggers rule when the changes exists + test changes
@kumvprat
feat: Add example for suppressing a guard rule
0309483
@kumvprat
fix: Removing datatrace.guard as it's source of lot of false positives
8af6924
@kumvprat
feat: Uploading junit xmls as artifacts so that they can be used by m…
462a413 
…aintainers
@kumvprat
feat: Added functionality to upload artifact and then use it in diffe…
1ea242a 
…rent report generation workflow to add proper annotations
@kumvprat
fix: Removed checkout of specfic commit inside security-report workfl…
c224d48 
…ow as the triggered workflow ispriviliged
@kumvprat
Merge branch 'main' into security_guardian_changes
2066bde
@kumvprat
feat: Fixed the pair of workflows to work with forked repo PRs as wel…
34d2fe9 
…l, the artifact carries the information wiht it
@kumvprat
feat: Fixed the pair of workflows to work with forked repo PRs as wel…
7683e85 
…l, the artifact carries the information wiht it
@kumvprat
feat: Fixed the pair of workflows to work with forked repo PRs as wel…
29fa0d7 
…l, the artifact carries the information wiht it => Pr info capture works with security guardian failure as well
@kumvprat
fix :Unpacking artifacts in a single folder
5b4330c
@kumvprat
fix: Adding an exists check in iam.guard rule
2504bbd
@kumvprat
fix: Remove un-neceassry tests fron guard-rules.test.ts
eb45325
@kumvprat
feat: Added new tests in guard-rules.test.ts to cover the post proces…
7ca1ba2 
…sing xml part as well + some minro changes
@kumvprat
fix: Small changes to iam.guard and also configuring test reporter to…
38093e3 
… always show failed tests only
@kumvprat
chore: Using v6 of the junit action reporter GH action
c541aef
@kumvprat
feat: Moved guard rules to different folder so that junit xml can hav…
3f23a2f 
…e segregated into differet failure tags
@kumvprat
feat: Added a toggable option to enable ehanced processing that conve…
ada630c 
…rts junit xml to a more readable format
@kumvprat
feat: Added a toggable option to enable ehanced processing : Made it …
5f65cbb 
…way simpler
@kumvprat
feat: Added a toggable option to enable ehanced processing : Made it …
b08f061 
…way simpler
@kumvprat
chore: Renamed guard files
63a14c1
@kumvprat
chore: Renamed guard files => Test fixes
339dca7
@github-actions github-actions bot added the p2 label Nov 19, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team November 19, 2025 17:29
@kumvprat kumvprat changed the title Security guardian changes feat(ci): security guardian changes Nov 19, 2025
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Nov 19, 2025
aws-cdk-automation
aws-cdk-automation requested changes Nov 19, 2025
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter fails with the following errors:

❌ Features must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

@kumvprat
Copy link
Contributor Author

kumvprat commented Nov 19, 2025
edited
Loading

This how a run would look like

image

This is how annotations look on the code

image

@github-actions github-actions bot mentioned this pull request Dec 1, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

contribution/core This is a PR that came from AWS. p2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kumvprat @aws-cdk-automation