AgentCore Observability Crew AI Sample #69
name: ASH Full Repository Scan | |
on: | |
push: | |
branches: [ main ] | |
schedule: | |
# Run at 2 AM UTC on the 1st of every month | |
- cron: '0 2 1 * *' | |
workflow_dispatch: # Allow manual triggering | |
permissions: | |
contents: read | |
jobs: | |
full-scan: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.10' | |
- name: Install ASH | |
run: pip install git+https://github.com/awslabs/[email protected] | |
- name: Run ASH full repository scan | |
run: | | |
# Create ASH config for comprehensive scanning | |
cat > .ash_config.yaml << 'EOF' | |
reporters: | |
markdown: | |
enabled: true | |
options: | |
include_detailed_findings: true | |
max_detailed_findings: 1000 | |
EOF | |
# Run ASH on entire repository | |
ash --mode container --config .ash_config.yaml 2>&1 | tee ash-output.log | |
continue-on-error: true | |
- name: Generate scan summary | |
id: scan-summary | |
run: | | |
SUMMARY_FILE="ash-summary.md" | |
echo "# ASH Security Scan - Full Repository Report" > "$SUMMARY_FILE" | |
echo "" >> "$SUMMARY_FILE" | |
echo "**Scan Date:** $(date -u +%Y-%m-%dT%H:%M:%S+00:00)" >> "$SUMMARY_FILE" | |
echo "**Trigger:** ${{ github.event_name }}" >> "$SUMMARY_FILE" | |
if [ "${{ github.event_name }}" == "push" ]; then | |
echo "**Commit:** ${{ github.sha }}" >> "$SUMMARY_FILE" | |
echo "**Pushed by:** ${{ github.actor }}" >> "$SUMMARY_FILE" | |
elif [ "${{ github.event_name }}" == "schedule" ]; then | |
echo "**Type:** Monthly scheduled scan" >> "$SUMMARY_FILE" | |
elif [ "${{ github.event_name }}" == "workflow_dispatch" ]; then | |
echo "**Type:** Manual trigger by ${{ github.actor }}" >> "$SUMMARY_FILE" | |
fi | |
echo "" >> "$SUMMARY_FILE" | |
# Extract and format scan results | |
if [ -f "ash-output.log" ]; then | |
# Find the table boundaries | |
TABLE_START=$(grep -n "ASH Scan Results Summary" ash-output.log | head -1 | cut -d: -f1 || echo "0") | |
TABLE_END=$(grep -n "source-dir:" ash-output.log | head -1 | cut -d: -f1 || echo "0") | |
if [ "$TABLE_START" != "0" ] && [ "$TABLE_END" != "0" ] && [ "$TABLE_END" -gt "$TABLE_START" ]; then | |
echo "## Scanner Results Summary" >> "$SUMMARY_FILE" | |
echo "" >> "$SUMMARY_FILE" | |
# Convert terminal table to markdown | |
echo "| Scanner | S | C | H | M | L | I | Time | Action | Result | Thresh |" >> "$SUMMARY_FILE" | |
echo "|---------|---|---|---|---|---|---|------|--------|--------|--------|" >> "$SUMMARY_FILE" | |
sed -n "${TABLE_START},${TABLE_END}p" ash-output.log | \ | |
sed 's/\x1b\[[0-9;]*m//g' | \ | |
grep "^│" | \ | |
sed 's/│/|/g' | \ | |
sed 's/^ *|/|/' | \ | |
sed 's/| *$/|/' >> "$SUMMARY_FILE" | |
echo "" >> "$SUMMARY_FILE" | |
fi | |
# Check for findings | |
if grep -q "Actionable findings detected!" ash-output.log; then | |
echo "has_findings=true" >> $GITHUB_OUTPUT | |
echo "**Status:** ⚠️ Security findings detected" >> "$SUMMARY_FILE" | |
else | |
echo "has_findings=false" >> $GITHUB_OUTPUT | |
echo "**Status:** ✅ No security issues found" >> "$SUMMARY_FILE" | |
fi | |
fi | |
# Include detailed findings if available | |
if [ -f ".ash/ash_output/reports/ash.summary.md" ]; then | |
echo "" >> "$SUMMARY_FILE" | |
echo "## Detailed Findings" >> "$SUMMARY_FILE" | |
echo "" >> "$SUMMARY_FILE" | |
grep -A 1000 "Detailed Findings" ".ash/ash_output/reports/ash.summary.md" | \ | |
grep -v -E '^(Time since scan:|Report generated:)' | \ | |
grep -v 'Report generated by Automated Security Helper' >> "$SUMMARY_FILE" || true | |
fi | |
- name: Upload ASH results as artifacts | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ash-full-scan-${{ github.run_id }} | |
path: | | |
.ash/ | |
ash-output.log | |
ash-summary.md | |
retention-days: 90 | |
- name: Create issue for critical findings (monthly scan only) | |
if: github.event_name == 'schedule' && steps.scan-summary.outputs.has_findings == 'true' | |
uses: actions/github-script@v7 | |
with: | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
script: | | |
const fs = require('fs'); | |
const summaryPath = 'ash-summary.md'; | |
if (fs.existsSync(summaryPath)) { | |
const summaryContent = fs.readFileSync(summaryPath, 'utf8'); | |
// Create issue for monthly scan findings | |
await github.rest.issues.create({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
title: `🔒 ASH Security Scan - Monthly Report (${new Date().toISOString().split('T')[0]})`, | |
body: summaryContent + '\n\n---\n*This issue was automatically created by the monthly security scan workflow.*', | |
labels: ['security', 'automated-scan'] | |
}); | |
} | |
- name: Job summary | |
if: always() | |
run: | | |
echo "## ASH Security Scan Results" >> $GITHUB_STEP_SUMMARY | |
echo "" >> $GITHUB_STEP_SUMMARY | |
if [ -f "ash-summary.md" ]; then | |
cat ash-summary.md >> $GITHUB_STEP_SUMMARY | |
else | |
echo "No scan summary available." >> $GITHUB_STEP_SUMMARY | |
fi | |
echo "" >> $GITHUB_STEP_SUMMARY | |
echo "---" >> $GITHUB_STEP_SUMMARY | |
echo "*Full scan results are available in the [workflow artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})*" >> $GITHUB_STEP_SUMMARY | |
if [ "${{ steps.scan-summary.outputs.has_findings }}" == "true" ]; then | |
echo "" >> $GITHUB_STEP_SUMMARY | |
echo "⚠️ **Action Required:** Security findings were detected. Please review the results and address any critical issues." >> $GITHUB_STEP_SUMMARY | |
fi |
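Review bot: The top-level `permissions:` block grants only `contents: read`, which sets every unlisted scope (including `issues`) to none, so the `github.rest.issues.create` call in the "Create issue for critical findings" step runs with a token that cannot write issues and will fail with a 403 on exactly the scheduled runs it exists for. Grant the scope on the job rather than widening the whole workflow, i.e. under `full-scan:` add `permissions:` / `contents: read` / `issues: write`. Separately, because the scan step has `continue-on-error: true` and the summary step only greps the log for "Actionable findings detected!", a scanner that never ran (for example a container start failure) yields "✅ No security issues found" and `has_findings=false`; give the scan step an `id` and gate the clean status on `steps.<id>.outcome == 'success'` or on `TABLE_START` being non-zero so a failed scan is reported as such. The `actions/*` references and the ASH `pip install` are pinned to mutable tags; for a workflow whose output is a security report, pinning those to commit SHAs is the usual hardening step.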