awslabs · dheerajoruganty · Aug 27, 2025 · Aug 27, 2025 · Aug 27, 2025 · Aug 27, 2025
diff --git a/.ash.yaml b/.ash.yaml
@@ -0,0 +1,69 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/awslabs/automated-security-helper/refs/heads/main/automated_security_helper/schemas/AshConfig.json
+
+project_name: amazon-bedrock-agentcore-samples
+
+global_settings:
+  severity_threshold: MEDIUM
+  fail_on_findings: false  # Don't fail CI, just report
+  ignore_paths: []
+
+scanners:
+  bandit:
+    enabled: true
+    options:
+      confidence_level: MEDIUM
+      severity_level: medium
+
+  semgrep:
+    enabled: true
+    options:
+      rules: ['p/ci', 'p/security-audit']
+      timeout: 300
+
+  detect-secrets:
+    enabled: true
+    options:
+      exclude_lines: []
+
+  checkov:
+    enabled: true
+    options:
+      framework: ['all']
+
+  cfn-nag:
+    enabled: true
+
+  cdk-nag:
+    enabled: true
+    options:
+      nag_packs: ['AWS_SOLUTIONS']
+
+  npm-audit:
+    enabled: true
+    options:
+      audit_level: moderate
+
+  grype:
+    enabled: true
+    options:
+      severity: medium
+
+  syft:
+    enabled: true
+
+reporters:
+  markdown:
+    enabled: true
+    options:
+      include_detailed_findings: true
+      max_detailed_findings: 1000  # Show all findings instead of default 20
+
+  json:
+    enabled: true
+    options:
+      pretty_print: true
+
+  sarif:
+    enabled: true
+    options:
+      include_help_uri: true
diff --git a/.github/workflows/ash-full-repository-scan.yml b/.github/workflows/ash-full-repository-scan.yml
@@ -0,0 +1,170 @@
+name: ASH Full Repository Scan
+
+on:
+  push:
+    branches: [ main ]
+  schedule:
+    # Run at 2 AM UTC on the 1st of every month
+    - cron: '0 2 1 * *'
+  workflow_dispatch:  # Allow manual triggering
+
+permissions:
+  contents: read
+  security-events: write  # For uploading SARIF results to GitHub Security tab
+
+jobs:
+  full-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
+
+      - name: Install ASH
+        run: pip install git+https://github.com/awslabs/[email protected]
+
+      - name: Run ASH full repository scan
+        run: |
+          # Create ASH config for comprehensive scanning
+          cat > .ash_config.yaml << 'EOF'
+          reporters:
+            markdown:
+              enabled: true
+              options:
+                include_detailed_findings: true
+                max_detailed_findings: 1000
+            sarif:
+              enabled: true
+          EOF
+
+          # Run ASH on entire repository
+          ash --mode container --config .ash_config.yaml 2>&1 | tee ash-output.log
+        continue-on-error: true
+
+      - name: Generate scan summary
+        id: scan-summary
+        run: |
+          SUMMARY_FILE="ash-summary.md"
+
+          echo "# ASH Security Scan - Full Repository Report" > "$SUMMARY_FILE"
+          echo "" >> "$SUMMARY_FILE"
+          echo "**Scan Date:** $(date -u +%Y-%m-%dT%H:%M:%S+00:00)" >> "$SUMMARY_FILE"
+          echo "**Trigger:** ${{ github.event_name }}" >> "$SUMMARY_FILE"
+          if [ "${{ github.event_name }}" == "push" ]; then
+            echo "**Commit:** ${{ github.sha }}" >> "$SUMMARY_FILE"
+            echo "**Pushed by:** ${{ github.actor }}" >> "$SUMMARY_FILE"
+          elif [ "${{ github.event_name }}" == "schedule" ]; then
+            echo "**Type:** Monthly scheduled scan" >> "$SUMMARY_FILE"
+          elif [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+            echo "**Type:** Manual trigger by ${{ github.actor }}" >> "$SUMMARY_FILE"
+          fi
+          echo "" >> "$SUMMARY_FILE"
+
+          # Extract and format scan results
+          if [ -f "ash-output.log" ]; then
+            # Find the table boundaries
+            TABLE_START=$(grep -n "ASH Scan Results Summary" ash-output.log | head -1 | cut -d: -f1 || echo "0")
+            TABLE_END=$(grep -n "source-dir:" ash-output.log | head -1 | cut -d: -f1 || echo "0")
+
+            if [ "$TABLE_START" != "0" ] && [ "$TABLE_END" != "0" ] && [ "$TABLE_END" -gt "$TABLE_START" ]; then
+              echo "## Scanner Results Summary" >> "$SUMMARY_FILE"
+              echo "" >> "$SUMMARY_FILE"
+
+              # Convert terminal table to markdown
+              echo "| Scanner | S | C | H | M | L | I | Time | Action | Result | Thresh |" >> "$SUMMARY_FILE"
+              echo "|---------|---|---|---|---|---|---|------|--------|--------|--------|" >> "$SUMMARY_FILE"
+              sed -n "${TABLE_START},${TABLE_END}p" ash-output.log | \
+              sed 's/\x1b\[[0-9;]*m//g' | \
+              grep "^│" | \
+              sed 's/│/|/g' | \
+              sed 's/^ *|/|/' | \
+              sed 's/| *$/|/' >> "$SUMMARY_FILE"
+              echo "" >> "$SUMMARY_FILE"
+            fi
+
+            # Check for findings
+            if grep -q "Actionable findings detected!" ash-output.log; then
+              echo "has_findings=true" >> $GITHUB_OUTPUT
+              echo "**Status:** ⚠️ Security findings detected" >> "$SUMMARY_FILE"
+            else
+              echo "has_findings=false" >> $GITHUB_OUTPUT
+              echo "**Status:** ✅ No security issues found" >> "$SUMMARY_FILE"
+            fi
+          fi
+
+          # Include detailed findings if available
+          if [ -f ".ash/ash_output/reports/ash.summary.md" ]; then
+            echo "" >> "$SUMMARY_FILE"
+            echo "## Detailed Findings" >> "$SUMMARY_FILE"
+            echo "" >> "$SUMMARY_FILE"
+            grep -A 1000 "Detailed Findings" ".ash/ash_output/reports/ash.summary.md" | \
+            grep -v -E '^(Time since scan:|Report generated:)' | \
+            grep -v 'Report generated by Automated Security Helper' >> "$SUMMARY_FILE" || true
+          fi
+
+      - name: Upload ASH results as artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ash-full-scan-${{ github.run_id }}
+          path: |
+            .ash/
+            ash-output.log
+            ash-summary.md
+          retention-days: 90
+
+      - name: Upload SARIF results to GitHub Security
+        if: always() && hashFiles('.ash/ash_output/reports/ash.sarif') != ''
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: .ash/ash_output/reports/ash.sarif
+          category: ash-security-scan
+
+      - name: Create issue for critical findings (monthly scan only)
+        if: github.event_name == 'schedule' && steps.scan-summary.outputs.has_findings == 'true'
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const fs = require('fs');
+            const summaryPath = 'ash-summary.md';
+
+            if (fs.existsSync(summaryPath)) {
+              const summaryContent = fs.readFileSync(summaryPath, 'utf8');
+
+              // Create issue for monthly scan findings
+              await github.rest.issues.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title: `🔒 ASH Security Scan - Monthly Report (${new Date().toISOString().split('T')[0]})`,
+                body: summaryContent + '\n\n---\n*This issue was automatically created by the monthly security scan workflow.*',
+                labels: ['security', 'automated-scan']
+              });
+            }
+
+      - name: Job summary
+        if: always()
+        run: |
+          echo "## ASH Security Scan Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          if [ -f "ash-summary.md" ]; then
+            cat ash-summary.md >> $GITHUB_STEP_SUMMARY
+          else
+            echo "No scan summary available." >> $GITHUB_STEP_SUMMARY
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "---" >> $GITHUB_STEP_SUMMARY
+          echo "*Full scan results are available in the [workflow artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})*" >> $GITHUB_STEP_SUMMARY
+
+          if [ "${{ steps.scan-summary.outputs.has_findings }}" == "true" ]; then
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "⚠️ **Action Required:** Security findings were detected. Please review the results and address any critical issues." >> $GITHUB_STEP_SUMMARY
+          fi
diff --git a/.github/workflows/ash-security-comment.yml b/.github/workflows/ash-security-comment.yml
@@ -0,0 +1,131 @@
+name: ASH Security Scan - Post Comments
+
+on:
+  workflow_run:
+    workflows: ["ASH Security Scan"]
+    types:
+      - completed
+
+permissions:
+  pull-requests: write
+  actions: read
+
+jobs:
+  comment:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: ash-security-results
+          path: /tmp/ash-results
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get PR information
+        id: pr-info
+        run: |
+          if [ -f /tmp/ash-results/pr_number.txt ]; then
+            PR_NUMBER=$(cat /tmp/ash-results/pr_number.txt)
+            echo "pr_number=${PR_NUMBER}" >> $GITHUB_OUTPUT
+            echo "Found PR number: ${PR_NUMBER}"
+          else
+            echo "No PR number found in artifacts"
+            exit 1
+          fi
+
+          if [ -f /tmp/ash-results/pr_sha.txt ]; then
+            PR_SHA=$(cat /tmp/ash-results/pr_sha.txt)
+            echo "pr_sha=${PR_SHA}" >> $GITHUB_OUTPUT
+            echo "Found PR SHA: ${PR_SHA}"
+          fi
+
+      - name: Post comment on PR
+        if: steps.pr-info.outputs.pr_number
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const fs = require('fs');
+            const commentPath = '/tmp/ash-results/pr_comment.md';
+
+            if (!fs.existsSync(commentPath)) {
+              console.log('No comment file found in artifacts');
+              return;
+            }
+
+            const commentBody = fs.readFileSync(commentPath, 'utf8');
+            const prNumber = parseInt('${{ steps.pr-info.outputs.pr_number }}');
+            const prSha = '${{ steps.pr-info.outputs.pr_sha }}';
+
+            if (!prNumber) {
+              console.log('Invalid PR number');
+              return;
+            }
+
+            // Get existing comments
+            const { data: comments } = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+            });
+
+            // Find ALL ASH security scan comments
+            const ashComments = comments.filter(comment => 
+              comment.user.type === 'Bot' && 
+              (comment.body.includes('<!-- ASH-SECURITY-SCAN-COMMENT -->') ||
+               comment.body.includes('## Security Scan Results') ||
+               comment.body.includes('Latest scan for commit:') ||
+               comment.body.includes('ASH Security Scan Report'))
+            );
+
+            console.log(`Found ${ashComments.length} ASH security scan comments`);
+
+            // Use the most recent ASH comment (highest ID = most recent)
+            const existingComment = ashComments.length > 0 ? 
+              ashComments.sort((a, b) => b.id - a.id)[0] : null;
+
+            // Delete any duplicate/older ASH comments (keep only the most recent one)
+            if (ashComments.length > 1) {
+              console.log(`Cleaning up ${ashComments.length - 1} duplicate ASH comments`);
+              for (const comment of ashComments.slice(1)) {
+                try {
+                  await github.rest.issues.deleteComment({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    comment_id: comment.id,
+                  });
+                  console.log(`Deleted duplicate comment ${comment.id}`);
+                } catch (error) {
+                  console.log(`Failed to delete comment ${comment.id}: ${error.message}`);
+                }
+              }
+            }
+
+            // Add commit and timestamp info to the body
+            const timestamp = new Date().toISOString().replace('T', ' ').substring(0, 19) + ' UTC';
+            const shortSha = prSha ? prSha.substring(0, 7) : 'unknown';
+            const enhancedBody = `**Latest scan for commit:** \`${shortSha}\` **| Updated:** ${timestamp}\n\n${commentBody}\n\n<!-- ASH-SECURITY-SCAN-COMMENT -->`;
+
+            if (existingComment) {
+              // Update existing comment
+              console.log(`Updating existing comment ${existingComment.id}`);
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: existingComment.id,
+                body: enhancedBody
+              });
+              console.log('Successfully updated existing ASH security scan comment');
+            } else {
+              // Create new comment
+              console.log('No existing ASH comment found, creating new one');
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body: enhancedBody
+              });
+              console.log('Successfully created new ASH security scan comment');
+            }