aws · mergify · Dec 5, 2025 · Sep 18, 2025 · Sep 18, 2025 · Oct 28, 2025
diff --git a/.github/workflows/security-guardian.yml b/.github/workflows/security-guardian.yml
@@ -1,6 +1,6 @@
 name: Security Guardian
 on:
-  pull_request: {}
+  pull_request_target: {}
 
 jobs:
   log-skip:
@@ -34,10 +34,21 @@ jobs:
         run: yarn install --frozen-lockfile && cd tools/@aws-cdk/security-guardian && yarn build
 
       - name: Run Security Guardian
+        id: security-guardian
         uses: ./tools/@aws-cdk/security-guardian
         with:
           base_sha: ${{ github.event.pull_request.base.sha }}
           head_sha: ${{ github.event.pull_request.head.sha }}
           rule_set_path: './tools/@aws-cdk/security-guardian/rules'
-          show_summary: 'fail'
-          output_format: 'json'
+      - name: Save PR info for security-report
+        if: always()
+        run: |
+          echo "${{ github.event.pull_request.number }}" > ./test-results/pr_number
+          echo "${{ github.event.pull_request.head.sha }}" > ./test-results/pr_sha
+
+      - name: Upload Security Guardian XML Reports
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: security-guardian-reports
+          path: test-results/
diff --git a/.github/workflows/security-report.yml b/.github/workflows/security-report.yml
@@ -0,0 +1,66 @@
+name: Security Report
+on:
+  workflow_run:
+    workflows: ["Security Guardian"]
+    types: [completed]
+
+jobs:
+  report:
+    runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      pull-requests: write
+      contents: write
+      id-token: write
+      actions: read
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v5
+        with:
+          name: security-guardian-reports
+          path: test-results/
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+          repository: ${{ github.repository }}
+
+      - name: Get PR info
+        id: pr_info
+        run: |
+          echo "pr_number=$(cat test-results/pr_number)" >> "$GITHUB_OUTPUT"
+          echo "pr_sha=$(cat test-results/pr_sha)" >> "$GITHUB_OUTPUT"
+          echo "PR: $(cat test-results/pr_number), SHA: $(cat test-results/pr_sha)"
+      - name: Publish Security Test Results 
+        uses: mikepenz/action-junit-report@v6
+        if: always()
+        with:
+          report_paths: 'test-results/**/cfn-guard-static.xml'
+          check_name: 'Security Guardian Results'
+          exclude_sources: 'node_modules,dist'
+          commit: ${{ steps.pr_info.outputs.pr_sha }}
+          check_annotations: true
+          comment: true
+          pr_id: ${{ steps.pr_info.outputs.pr_number }}
+          detailed_summary: true
+          include_passed: false
+          fail_on_failure: false
+          group_suite: true
+          include_skipped: false
+          check_title_template: '{{TEST_NAME}}'
+
+      - name: Publish Security Test Results for resolved templates
+        uses: mikepenz/action-junit-report@v6
+        if: always()
+        with:
+          report_paths: 'test-results/**/cfn-guard-resolved.xml'
+          check_name: 'Security Guardian Results with resolved templates'
+          exclude_sources: 'node_modules,dist'
+          commit: ${{ steps.pr_info.outputs.pr_sha }}
+          check_annotations: true
+          comment: true
+          pr_id: ${{ steps.pr_info.outputs.pr_number }}
+          detailed_summary: true
+          include_passed: false
+          fail_on_failure: false
+          group_suite: true
+          include_skipped: false
+          check_title_template: '{{TEST_NAME}}'
diff --git a/tools/@aws-cdk/security-guardian/README.md b/tools/@aws-cdk/security-guardian/README.md
@@ -4,6 +4,8 @@ A GitHub Action and CLI tool that helps detect broadly scoped IAM principals in
 
 - Validating **changed** `*.template.json` files in pull requests using custom [cfn-guard v3](https://github.com/aws-cloudformation/cloudformation-guard) rules.
 - Detecting **broadly scoped IAM principals** using CloudFormation **intrinsic functions** (e.g., `Fn::Join` with `:root`).
+- **Cross-account wildcard detection** - Flags dangerous patterns like `"*"` or `"arn:aws:iam::*:root"`.
+- **Extensible exemption system** - Smart exemptions for AWS service default policies.
 
 ---
 
@@ -12,32 +14,92 @@ A GitHub Action and CLI tool that helps detect broadly scoped IAM principals in
  Validates **only changed** templates in a PR  
  Supports **cfn-guard v3** with rule sets  
  Scans for **broad IAM principals using intrinsics**  
+ **Flags cross-account wildcards** - Always dangerous  
+ **Extensible exemptions** for AWS service defaults  
+ **Future-proof validation** - Detects when AWS changes default policies  
  Runs locally and in GitHub Actions  
  Outputs human-readable and machine-parsable summaries
 
 ---
 
+## Security Checks
+
+### Rule Organization
+Guard rules are organized in service-specific directories for granular control:
+
+```
+rules/
+├── codepipeline/
+│   └── cross-account-role-trust-scope.guard
+├── documentdb/
+│   └── encryption-enabled.guard
+├── ec2/
+│   ├── ebs-encryption-enabled.guard
+│   └── no-open-security-groups.guard
+├── guard-hooks/
+│   └── no-root-principals-except-kms-secrets.guard
+├── iam/
+│   ├── no-overly-permissive-passrole.guard
+│   ├── no-wildcard-actions.guard
+│   ├── no-world-accessible-trust-policy.guard
+│   ├── policy-no-broad-principals.guard
+│   └── role-no-broad-principals.guard
+├── s3/
+│   ├── encryption-enabled.guard
+│   ├── no-world-readable.guard
+│   └── secure-transport.guard
+└── [other services...]
+```
+
+### Always Flagged (High Risk)
+- **Cross-account wildcards**: `"*"` or `"arn:aws:iam::*:root"`
+- **Custom policies with root access**: Non-default policies granting root
+- **Broad principals in sensitive resources**: IAM roles, S3 buckets, etc.
+
+### Smart Exemptions (Configurable)
+- **AWS KMS default policies**: Standard root access for IAM integration
+- **Individual rule control**: Enable/disable specific rules per service
+- **Metadata-based suppression**: Use CDK metadata to suppress specific rules
+
+---
+
 ## Inputs (GitHub Action)
 
-| Name             | Description                                          | Required | Default               |
-|------------------|------------------------------------------------------|----------|-----------------------|
-| `rule_set_path`  | Local path to the cfn-guard rules file               | No       | `./rules`             |
-| `show_summary`   | Show summary (`none`, `all`, `pass`, `fail`, `skip`) | No       | `fail`                |
-| `output_format`  | Output format (`single-line-summary`, `json`, etc.)  | No       | `single-line-summary` |
-| `base_sha`       | Commit SHA to compare against                        | No       | `origin/main`         |
-| `head_sha`       | The commit SHA for the head (current) branch or PR   | No       | `HEAD`                |
+| Name            | Description                               | Required | Default       |
+|-----------------|-------------------------------------------|----------|---------------|
+| `rule_set_path` | Local path to the cfn-guard rules file   | Yes      | N/A           |
+| `base_sha`      | Commit SHA to compare against             | No       | `origin/main` |
+| `head_sha`      | The commit SHA for the head branch or PR | No       | `HEAD`        |
+| `enhance_xml`   | Enable XML enhancement for individual failure annotations | No | `true` |
+
+## Outputs (GitHub Action)
+
+| Name         | Description                               |
+|--------------|-------------------------------------------|
+| `junit_files`| Comma-separated list of JUnit XML files  |
+| `all_passed` | Whether all validations passed            |
 
 ---
 
 ## Usage (GitHub Action)
 
 ```yaml
 - name: Run Security Guardian
+  id: security-guardian
   uses: ./tools/@aws-cdk/security-guardian
   with:
     rule_set_path: './tools/@aws-cdk/security-guardian/rules'
-    show_summary: 'fail'
-    output_format: 'single-line-summary'
+    enhance_xml: 'true'  # Optional: Enable individual failure annotations (default: true)
+
+- name: Publish Security Test Results
+  uses: mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6  # v6.0.1
+  if: always()
+  with:
+    report_paths: 'test-results/*.xml'
+    check_name: 'Security Guardian Results'
+    detailed_summary: true
+    include_passed: true
+    fail_on_failure: true
 ```
 
 ---
@@ -58,32 +120,90 @@ yarn security-guardian
 
 > You can override defaults using:
 > - `--base_sha=origin/main`  
-> - `--output_format=json`  
-> - `--show_summary=warn`
+> - `--rule_set_path=./custom-rules`
 
 ---
 
 ## Output
 
-In addition to validation results from `cfn-guard`, the tool logs detailed findings from the intrinsic scan (if applicable), such as:
+The tool generates JUnit XML reports that can be consumed by GitHub Actions:
+
+- `test-results/cfn-guard-static.xml` - Results from original templates
+- `test-results/cfn-guard-resolved.xml` - Results from templates with resolved intrinsics
+
+Use `mikepenz/action-junit-report@e08919a3b1fb83a78393dfb775a9c37f17d8eea6` (v6.0.1) to display rich test results in GitHub PRs with:
+- **Enhanced failure messages** - Automatically parses and formats concatenated CFN Guard failures
+- **Precise line numbers** - Exact file locations for each violation
+- **Resource identification** - Clear resource names and property paths
+- **Rule descriptions** - Detailed explanations and remediation guidance
 
+### Enhanced Failure Formatting
+
+The tool automatically enhances CFN Guard failure messages by:
+- Splitting concatenated failure messages into individual violations
+- Extracting exact line numbers and column positions
+- Identifying specific CloudFormation resources and properties
+- Formatting output for better readability in CI/CD reports
+
+**Before (Raw CFN Guard Output):**
+```
+IAM_NO_WILDCARD_ACTIONS_INLINE for Type: ResolvedCheck was not compliant as property [Policies[*].PolicyDocument.Statement[*]] is missing. Value traversed to [Path=/Resources/Role1/Properties[L:324,C:20]]Check was not compliant as property [Policies[*].PolicyDocument.Statement[*]] is missing. Value traversed to [Path=/Resources/Role2/Properties[L:485,C:20]]
+```
+
+**After (Enhanced Format):**
+```
+Rule: IAM_NO_WILDCARD_ACTIONS_INLINE (Type: ResolvedCheck)
+==================================================
+
+1. Resource: Role1
+   Location: Line 324, Column 20
+   Property: Policies[*].PolicyDocument.Statement[*]
+   Issue: is missing.
+
+2. Resource: Role2
+   Location: Line 485, Column 20
+   Property: Policies[*].PolicyDocument.Statement[*]
+   Issue: is missing.
 ```
-detailed_output File: changed_templates/example.template.json
-{
-  "Action": "kms:*",
-  "Effect": "Allow",
-  "Principal": {
-    "AWS": {
-      "Fn::Join": [
-        "",
-        ["arn:", { "Ref": "AWS::Partition" }, ":iam::", { "Ref": "AWS::AccountId" }, ":root"]
-      ]
-    }
-  },
-  "Resource": "*"
+
+---
+
+## Suppressing Rules
+
+For integration tests or specific resources that generate false positives, you can suppress individual rules using CDK metadata:
+
+```typescript
+import { Bucket } from 'aws-cdk-lib/aws-s3';
+import { Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+
+export class MyTestStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    const testBucket = new Bucket(this, 'TestBucket', {
+      autoDeleteObjects: true,
+      removalPolicy: RemovalPolicy.DESTROY,
+    });
+
+    // Suppress S3 encryption rule for integration test
+    testBucket.node.addMetadata('guard', {
+      SuppressedRules: ['S3_ENCRYPTION_ENABLED']
+    });
+  }
 }
 ```
 
+**Available Rules to Suppress:**
+- `S3_ENCRYPTION_ENABLED`
+- `IAM_ROLE_NO_BROAD_PRINCIPALS` 
+- `IAM_NO_WILDCARD_ACTIONS`
+- `NO_ROOT_PRINCIPALS_EXCEPT_KMS_SECRETS`
+- `EBS_ENCRYPTION_ENABLED`
+- `SNS_ENCRYPTION_ENABLED`
+- `SQS_ENCRYPTION_ENABLED`
+- And others (see individual `.guard` files in service subdirectories)
+
 ---
 
 ## Acknowledgments

diff --git a/tools/@aws-cdk/security-guardian/action.yml b/tools/@aws-cdk/security-guardian/action.yml
@@ -2,20 +2,25 @@ name: 'Security Guardian'
 description: 'Security Guardian for custom or granular guard rules'
 
 inputs:
-  data_directory:
-    description: "Path to CloudFormation templates"
-    required: true
+  base_sha:
+    description: "Base commit id"
+    required: false
+  head_sha:
+    description: "Current changes commit id"
+    required: false
   rule_set_path:
     description: "Path to a single .guard file locally"
     required: true
-  show_summary:
-    description: "cfn-guard summary output. Options are all, pass, fail, skip or none"
+  enhance_xml:
+    description: "Enable XML enhancement for individual failure annotations"
     required: false
-    default: "fail"
-  output_format:
-    description: "cfn-guard output format. Options: json, yaml, single-line-summary"
-    required: false
-    default: "single-line-summary"
+    default: 'true'
+
+outputs:
+  junit_files:
+    description: "Comma-separated list of JUnit XML files"
+  all_passed:
+    description: "Whether all validations passed"
 
 runs:
   using: node20