chore(google-docs-eval): merge to master, add internal docs, fix fast-xml-parser CVEs []#11060
Conversation
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ambda URLs Makes it clear to anyone browsing the repo that this is an Applied AI Solutions team eval tool, not a customer app, and surfaces the key ops info (AWS account, deployed endpoints) that was previously only findable via tribal knowledge. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…tails from README Adds npm overrides to force fast-xml-parser out of the vulnerable 5.2.5 range pulled in transitively by @aws-sdk/client-bedrock-runtime, resolving CVE-2026-25896 (Critical), CVE-2026-33036 (High), CVE-2026-26278 (High), and CVE-2026-25128 (High). Also removes AWS account numbers, internal hostnames, and Bedrock ARNs from the README — those belong in internal docs, not the public repo. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Wiz Scan Summary
To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension. |
| "Properties": { | ||
| "Name": "test-sls-apps-google-docs-eval", | ||
| "EndpointConfiguration": { | ||
| "Types": [ |
There was a problem hiding this comment.
REST API Gateway APIs should be accessible only through private API endpoints
on resource Resources.ApiGatewayRestApi.Properties.EndpointConfiguration.Types
More Details
This rule checks whether APIs created with Amazon API Gateway are configured to use private endpoints, making the APIs accessible only from your Amazon VPC. With private endpoints, traffic to private APIs uses TLSv1.2 and is isolated from the public internet as it does not leave the Amazon network. The private APIs are accessed through interface VPC endpoints for API Gateway. Ensure the API Gateway APIs are accessible only via private endpoints to prevent unnecessary external exposure.
Expected
'Resources.ApiGatewayRestApi.EndpointConfiguration.Types' should contain 'PRIVATE'
Found
'Resources.ApiGatewayRestApi.EndpointConfiguration.Types' does not contain 'PRIVATE'
Security Frameworks: wf-id-3, wf-id-5, wf-id-39, wf-id-1, wf-id-4, wf-id-105, wf-id-13, wf-id-16, deeab6d1-f599-42f1-8f2d-3bab70d9ed09
Rule ID: 71b83995-634b-42dd-b5b8-398f93a57030
To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason
If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).
To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate
Summary
This PR brings the
google-docs-evalapp from its long-lived unmerged branch into master. The app is an internal eval tool used by the Applied AI Solutions team (10pines) to score Drive Integration agent runs — it is not customer-facing and will not be published to the Marketplace.Keeping it off master was causing real problems: Wiz couldn't scan the deployed Lambda, and the branch was invisible to the rest of the team (see: Tyler having to hunt for it to fix vulns).
chore/google-docs-eval-wipup to current masternpm overridesto pinfast-xml-parser >= 5.5.6in the Lambda, resolving 4 Wiz findings:All four were transitive via
@aws-sdk/client-bedrock-runtime. The override resolves to5.9.3.Test plan
npm ls fast-xml-parserinapps/google-docs-eval/lambdashows>= 5.5.6fast-xml-parser 5.2.5resolve after next scan following redeploy🤖 Generated with Claude Code