dheerajoruganty
Contributor

Amazon Bedrock AgentCore Samples Pull Request

Important

  1. We strictly follow an issue-first approach; please first open an issue
    relating to this Pull Request.
  2. Once this Pull Request is ready for review, please attach the review ready label to it. Only PRs with review ready will be reviewed.

Issue number: N/A

Concise description of the PR

Enhanced GitHub Actions CI/CD workflows with comprehensive security scanning (ASH), dependency management (Dependabot), and code quality
enforcement (Python/JavaScript linting) to improve code security and maintainability across the repository.

User experience

Before:

  • No automated security scanning for vulnerabilities in code
  • No automated dependency vulnerability checking
  • No automated code quality enforcement for Python and JavaScript
  • Manual security review required for all pull requests
  • Inconsistent code formatting and style across the repository

After:

  • ASH Security Scanning: Comprehensive security analysis with accurate scanner status, detailed vulnerability reports, and actionable
    findings
  • Dependabot Integration: Automated dependency vulnerability scanning and update notifications
  • Python Linting: Automated code quality checks for Python files using industry-standard linters
  • JavaScript Linting: Automated code quality checks for JavaScript files with consistent formatting enforcement
  • Professional PR Comments: Single, updating comments with detailed security reports including severity levels, scanner explanations, and
    remediation guidance
  • Complete Test Coverage: Added test files with intentional security vulnerabilities and code quality issues to validate all workflows

Key Workflow Additions:

  1. ASH Security Scan (ash-security-scan.yml):

    • Container-based security scanning with 10+ security tools
    • Shows all findings (not limited to 20)
    • Accurate scanner status (FAILED/PASSED instead of SKIPPED)
    • Comprehensive security reports with explanations
  2. Dependabot (dependabot.yml):

    • Automated dependency vulnerability scanning
    • Regular dependency update notifications
  3. Python Lint (python-lint.yml):

    • Automated Python code quality checks
    • Style enforcement and best practices validation
  4. JavaScript Lint (js-lint.yml):

    • Automated JavaScript code quality checks
    • Consistent formatting and style enforcement
  5. Test Files (ash_test_files/):

    • Security vulnerability test files for validating ASH workflow
    • Code quality test files for validating linting workflows
    • Comprehensive README with testing documentation

Checklist

If your change doesn't seem to apply, please leave them unchecked.

  • I have reviewed the contributing guidelines
  • Add your name to CONTRIBUTORS.md
  • Have you checked to ensure there aren't other open Pull Requests for
    the same update/change?
  • Are you uploading a dataset?
  • Have you documented Introduction, Architecture Diagram, Prerequisites, Usage, Sample Prompts, and Clean Up steps
    in your example README?
  • I agree to resolve any issues created for this example in the future.
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

This covers all the comprehensive changes you've made: ASH security scanning, Dependabot, Python linting, JavaScript linting, and the test files
to validate everything works properly!

Based on official ASH documentation, the correct approach is:
1. Install ASH using pip (not uv tool)
2. Run ash command directly (not via uv tool run)

This follows the GitHub Actions example from the ASH documentation.
- Install bandit, semgrep, detect-secrets, checkov via pip
- This ensures scanners run instead of being SKIPPED due to missing uv
@EashanKaushik EashanKaushik merged commit e721e78 into awslabs:main Sep 2, 2025
7 of 8 checks passed
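The page does not show the workflow files themselves, so below is an added example (not the PR's own code) of the two configurations the description lists: an ASH scan job that installs ASH and its scanners with pip and runs `ash` directly, as the commit message states, and a Dependabot config covering the GitHub Actions, pip and npm ecosystems. The file names follow the PR description; the PyPI package name, the `ash` flags, the Python version and the `/` directories for pip and npm are assumptions to be checked against the ASH documentation and the repository layout before use. The `permissions` block is deliberately read-only so a compromised scanner step cannot write to the repository.

```yaml
# .github/workflows/ash-security-scan.yml (added example; file name from the PR description)
name: ASH Security Scan

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: the scan only needs to read the checkout. Grant
# pull-requests: write only on the step that posts a PR comment.
permissions:
  contents: read

jobs:
  ash:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed; any version ASH supports works

      # Install ASH and the scanners it drives with pip, as the commit
      # message describes. A scanner that is not on PATH is reported as
      # SKIPPED instead of producing findings, so install them explicitly.
      # Package name assumed; see the ASH docs for the exact install line.
      - name: Install ASH and scanners
        run: |
          python -m pip install --upgrade pip
          python -m pip install automated-security-helper bandit semgrep detect-secrets checkov

      # Invocation assumed from the ASH docs; confirm flags with `ash --help`
      # for the version you pin. A non-zero exit on findings fails the job.
      - name: Run ASH
        run: ash --mode local --source-dir . --output-dir ash_output

      # Keep the full report even when the scan step fails on findings.
      - name: Upload ASH report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ash-report
          path: ash_output

---
# .github/dependabot.yml (added example; file name from the PR description)
version: 2
updates:
  # Keeps the action versions used above current, including security fixes.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "pip"
    directory: "/"            # assumes a requirements file at the repo root
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
  - package-ecosystem: "npm"
    directory: "/"            # assumes a package.json at the repo root
    schedule:
      interval: "weekly"
```

For a samples repository with many independent subprojects, one `pip` or `npm` entry per directory that holds a manifest is needed; Dependabot does not recurse from `/`. Pinning the `uses:` references to commit SHAs instead of tags is the usual hardening step once the workflow is in place.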