feat: add inspector security rule packs #98
Merged
- add built-in Security Group, RDS, IAM, Secrets Manager, and S3 inspector checks
- enrich repository models and S3 client interfaces for new scan coverage
- update Inspector UI copy and README to reflect shipped rule packs

- use a secrets-specific high-severity threshold for overdue rotation
- add regression coverage for medium and high overdue rotation findings
- restore IAM access key severity to the IAM high-age constant
- restore secrets rotation severity to the secrets high-age constant
- tighten boundary tests around the domain-specific thresholds

Contributor (Author)
/q review
Contributor
Summary
This PR successfully implements built-in Security Inspector rule packs for AWS resources. The implementation is well-structured with comprehensive test coverage and proper error handling throughout.
Key Changes Reviewed
- Security scanning rules: Implemented checks for Security Groups (SSH/RDP/all-traffic exposure), RDS (encryption, public access, backups), IAM access keys (age-based alerts), Secrets Manager (rotation monitoring), and S3 buckets (public ACLs, policies, versioning)
- Model enrichments: Added essential security-related fields to RDSInstance and Secret models
- Interface extensions: Properly extended S3ClientAPI with required methods for security checks
- Test coverage: Comprehensive unit tests validate all scanner logic and edge cases
Review Result
No blocking defects found. The code is production-ready with:
- ✅ Proper error handling and nil checks
- ✅ Well-tested with table-driven tests
- ✅ Secure implementation of security checks
- ✅ Appropriate severity classifications
- ✅ Clean separation of concerns
The implementation correctly identifies security misconfigurations and provides actionable recommendations to users.
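The review summary above describes the rule-pack logic only in outline (world-open SSH/RDP/all-traffic ingress, age-based IAM key findings, overdue secret rotation with a secrets-specific threshold). The following Go program is an added example written for this page, not code from the pull request or the project: the types (`Finding`, `IngressRule`, `AgeThresholds`), the rule identifiers, and the day thresholds are assumptions chosen to illustrate the structure of such checks. It demonstrates two points the commit messages in this thread turn on: a wide port range must produce both the SSH and RDP findings rather than one, and the IAM and Secrets Manager thresholds are kept as separate constants with inclusive boundaries, so an age exactly at the high threshold is already HIGH.

```go
package main

import (
	"fmt"
	"time"
)

// Severity is the classification attached to a finding (constructed type).
type Severity string

const (
	SeverityMedium Severity = "MEDIUM"
	SeverityHigh   Severity = "HIGH"
)

// Finding is one inspector result; this field set is an assumption for the example.
type Finding struct {
	Resource string
	Rule     string
	Severity Severity
	Message  string
}

// IngressRule is a simplified security-group ingress permission.
// Protocol "-1" means all traffic, as in the EC2 API.
type IngressRule struct {
	Protocol string
	FromPort int
	ToPort   int
	CIDRs    []string
}

// worldOpen reports whether a CIDR admits the whole IPv4 or IPv6 internet.
func worldOpen(cidr string) bool {
	return cidr == "0.0.0.0/0" || cidr == "::/0"
}

// coversTCPPort reports whether the rule admits TCP traffic on port.
func coversTCPPort(r IngressRule, port int) bool {
	return r.Protocol == "tcp" && r.FromPort <= port && port <= r.ToPort
}

// CheckSecurityGroup flags SSH (22), RDP (3389) and all-traffic ingress open
// to the world. A wide TCP range covering both ports yields two findings.
func CheckSecurityGroup(groupID string, rules []IngressRule) []Finding {
	var out []Finding
	add := func(rule, msg string) {
		out = append(out, Finding{Resource: groupID, Rule: rule, Severity: SeverityHigh, Message: msg})
	}
	for _, r := range rules {
		for _, c := range r.CIDRs {
			if !worldOpen(c) {
				continue
			}
			if r.Protocol == "-1" {
				add("sg-all-traffic-open", "all protocols and ports open to "+c)
				continue
			}
			if coversTCPPort(r, 22) {
				add("sg-ssh-open", "TCP 22 (SSH) open to "+c)
			}
			if coversTCPPort(r, 3389) {
				add("sg-rdp-open", "TCP 3389 (RDP) open to "+c)
			}
		}
	}
	return out
}

// AgeThresholds carries per-domain day thresholds. The PR keeps separate
// constants for IAM key age and secrets rotation; the numbers here are assumed.
type AgeThresholds struct {
	MediumDays int
	HighDays   int
}

var (
	IAMAccessKeyAge   = AgeThresholds{MediumDays: 60, HighDays: 90}
	SecretRotationAge = AgeThresholds{MediumDays: 90, HighDays: 120}
)

// AgeSeverity maps an age to a severity with inclusive thresholds, so an age
// exactly at HighDays is HIGH. ok is false when the age is below MediumDays.
func AgeSeverity(age time.Duration, t AgeThresholds) (sev Severity, ok bool) {
	days := int(age.Hours() / 24)
	switch {
	case days >= t.HighDays:
		return SeverityHigh, true
	case days >= t.MediumDays:
		return SeverityMedium, true
	}
	return "", false
}

func main() {
	// Constructed sample: SSH and HTTPS both open to the world; only SSH is flagged.
	rules := []IngressRule{
		{Protocol: "tcp", FromPort: 22, ToPort: 22, CIDRs: []string{"0.0.0.0/0"}},
		{Protocol: "tcp", FromPort: 443, ToPort: 443, CIDRs: []string{"0.0.0.0/0"}},
	}
	for _, f := range CheckSecurityGroup("sg-example", rules) {
		fmt.Printf("%s %s %s: %s\n", f.Severity, f.Resource, f.Rule, f.Message)
	}
	sev, _ := AgeSeverity(120*24*time.Hour, SecretRotationAge)
	fmt.Println("secret unrotated for 120 days:", sev)
}
```

Keeping the thresholds as two named values rather than one shared constant is what makes the boundary tests meaningful: a test that an IAM key at exactly 90 days is HIGH while a secret at 90 days is only MEDIUM would fail silently if both domains were wired to the same constant, which is the regression the later commits in this thread guard against.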
YoungJinJung approved these changes on Apr 13, 2026
Summary
This PR adds the first built-in Security Inspector rule packs with these checks:
It also enriches the RDS and Secrets models plus the S3 client interface so the scanners can evaluate live AWS state, and it updates Inspector UI copy and README to reflect the shipped rule coverage.
Related Issues
Closes #90
Closes #91
Closes #92
Validation
Checklist