CICD Boot brings the IaaC security on a new level with it's built in toolsets based on AWS best practices and industry wide standards. It includes Static Application Security Testing (SAST), Dependency Vulnerability Scanning, and AI based vulnerability scanning.
| Security Tool | Type | Status | Limitations | Description |
|---|---|---|---|---|
| AWS CDK NAG | Static Application Security Testing | Enabled | cdk-nag integrates directly into AWS Cloud Development Kit (AWS CDK) applications to provide identification and reporting mechanisms similar to SAST tooling. [] | |
| Amazon CodeGuru Reviewer | Static Application Security Testing | Enabled | Supported with AWS CodeCommit repository only. Verify Pull Requests only and users can by pass |
Amazon CodeGuru Reviewer detect vulnerabilities and automate code reviews with machine-learning powered recommendations. |
| Amazon CodeGuru Security | Static Application Security Testing | Disabled | Amazon CodeGuru Security is in preview release and is subject to change. | Amazon CodeGuru Security is a static application security testing (SAST) tool that combines machine learning (ML) and automated reasoning to identify vulnerabilities in your code, provide recommendations on how to fix the identified vulnerabilities, and track the status of the vulnerabilities until closure. |
| Better-NPM-Audit | Dependency Scanning for Vulnerabilities | Enabled | Verifies NPM dependencies | Scans the dependencies for known vulnerabilities CVEs. |
| pip-audit | Dependency Scanning for Vulnerabilities | Enabled | Verifies Python dependencies based on the provided Pipfiles. | Scans the dependencies for known vulnerabilities CVEs. |
| semgrep | Static Security Code Scanner | Enabled | Scans the codebase for vulnerabilities. | |
| shellcheck | Static Security Code Scanner | Enabled | Analyses Shell Scripts | Scans the codebase for vulnerabilities. |
| Bandit | Static Security Code Scanner | Enabled | Analyses Python source codes | Scans the codebase for vulnerabilities. |
cdk-nag integrates directly into AWS Cloud Development Kit (AWS CDK) applications to provide identification and reporting mechanisms similar to SAST tooling.
CDK Nag is applied as a CDK Aspect and it looks for patterns in the CDK Application that may indicate insecure infrastructure. Roughly speaking, it will look for:
- IAM rules that are too permissive (wildcards)
- Security group rules that are too permissive (wildcards)
- Access logs that aren't enabled
- Encryption that isn't enabled
- Password literals
- and many more
The CDK Nag aspect is applied on the CDK application bin/app.ts, and on the AppStages deployed by the CodePipeline lib/cdk-pipeline/app/AppStage.ts as well. This way we suppress warnings which are related to approved risk.
The CDK Nag verification is executed to during the cdk synth phase.
We recommend after you assess the risk of new findings to suppress CDK Nag rules from failing the CDK Deployment in their own dedicated stacks rather than doing it centrally. Please only use the central one for application wide approved suppressions in the utils/suppression.ts, e.g: AWSLambdaBasicExecutionRole
More information about the CDK Nag can be found on these locations:
- AWS CDK NAG
- Manage application security and compliance with the AWS Cloud Development Kit and cdk-nag
The AWS CDK Nag is so essential part to ensure the security of the IaaC project that it is mandatory to use.
Amazon CodeGuru Reviewer detect vulnerabilities and automate code reviews with machine-learning powered recommendations.
Amazon CodeGuru Reviewer is included into pipelines created with AWS CodeCommit as VCS and it is automatically reviews the created Pull Requests and provides actionable recommendations on the changes.
Amazon CodeGuru Reviewer recommendations are available directly on the Pull Requests or on the AWS Console / Amazon CodeGuru / Reviewer / Code Reviews.
The scanning can be enabled/disabled with the AppConfig.repositoryConfig.CODECOMMIT.codeGuruReviewer configuration. If the configuration value is true than it is enabled. If the configuration false then it is disabled.
Amazon CodeGuru Security is a static application security testing (SAST) tool that combines machine learning (ML) and automated reasoning to identify vulnerabilities in your code, provide recommendations on how to fix the identified vulnerabilities, and track the status of the vulnerabilities until closure.
Amazon Code Guru is applied on the pipeline as part of the Build stage to ensures the solution security meets with the highest standard. The scanning stops the pipeline in case there is any findings that have higher severity than High default. The threshold level can be adjusted by the AppConfig.codeGuruScanThreshold configuration option.
The Amazon Code Guru findings and recommendations can be found on the AWS Console / Amazon CodeGuru / Security / Findings . The Findings page provides a holistic view about the security recommendations. Information about each Scanning can be found on the AWS Console / Amazon CodeGuru / Security / Scans page.
The scanning can be enabled/disabled with the AppConfig.codeGuruScanThreshold configuration. If the configuration is present than it is enabled. If the configuration is missing the scan will be disabled.
The goal of this project is to provide additional features on top of the existing npm audit options. We hope to encourage more people to do security audits for their projects.
More information about Better NPM Audit.
Remove the audit:deps:nodejs script from the package.json.
pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database (https://github.com/pypa/advisory-database) via the PyPI JSON API as a source of vulnerability reports.
More information about pip-audit.
Remove the audit:deps:python script from the package.json.
Semgrep accelerates your security journey by swiftly scanning code and package dependencies for known issues, software vulnerabilities, and detected secrets with unparalleled efficiency. Semgrep offers:
- Code to find bugs & vulnerabilities using custom or pre-built rules
- Supply Chain to find dependencies with known vulnerabilities
- Secrets to find hard-coded credentials that shouldn't be checked into source code
More information about Semgrep.
Add/remove the semgrep entry to/from the SECURITY_SCANNERS list in the scripts/check-code-scan-security.sh.
ShellCheck is a static analysis tool for shell scripts.
More information about ShellCheck.
Add/remove the shellcheck entry to/from the SECURITY_SCANNERS list in the scripts/check-code-scan-security.sh.
Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes.
More information about Bandit.
Add/remove the bandit entry to/from the SECURITY_SCANNERS list in the scripts/check-code-scan-security.sh.
GitHub Actions executes the enabled security checks as part of the pull requests checks. In case any of the enabled security tool identify a security issue the corresponding check fails and protect the codebase.
For Bandit, Shellcheck, and Semgrep tools the Github Actions integration converts the security findings to Junit and Checkstyle outputs that Github can present in the Files changed tab to help the troubleshooting.
If there is no security findings from these tools:
- the
Checkstyle Source Code Analyzer reportwill report0 violation(s) foundthat means the Shellcheck tool has not found any issue - the
JUnit Test Reportwill reportNo test results found!that means neither the Semgrep nor the Bandit tools have not found any issue
Notice: As the actual security scanning is not part of the Checkstyle Source Code Analyzer or JUnit these reports will report 0s as execution time. The scanning of these tools are executed as part of the Security Scans