feat(codepipeline): add new check codepipeline_project_repo_private #5915
Conversation
Codecov Report
Attention: Patch coverage is
Additional details and impacted files

@@ Coverage Diff @@
##           master    #5915      +/-   ##
==========================================
+ Coverage   89.90%   90.06%   +0.15%
==========================================
  Files        1147     1185      +38
  Lines       35608    36421     +813
==========================================
+ Hits        32013    32802     +789
- Misses       3595     3619      +24
Thank you for the feedback and guidance! I have added the unit tests to cover both the new service and the check. These tests include scenarios for both private and public repositories, as well as checks for multiple repository providers (e.g., GitHub and GitLab). The tests can be found in the following files:
Please let me know if there are any additional scenarios or improvements you'd like me to include. I'd be happy to address them!
```python
class codepipeline_project_repo_private(Check):
    def execute(self):
        findings = []
        client = boto3.client("codestar-connections")
```
You cannot use boto3 inside the checks, you will need to create another service class inside codepipeline_service.py. See Logs in cloudwatch_service.py as an example.
```python
configuration=source_info["configuration"],
)

pipeline.tags = pipeline_info.get("tags", [])
```

Suggested change (pass the tags to the constructor instead of assigning the attribute afterwards):

```python
configuration=source_info["configuration"],
tags=pipeline_info.get("tags", []),
)
```
please @yyyy7246, review my comments. Thanks!
Force-pushed from fbe0999 to 6dfb8bc
Hi MrCloudSec,
Thank you so much for taking the time to review my pull request and provide such detailed feedback. I truly appreciate your guidance. I have addressed the changes you requested, including:
I also want to clarify the
Thank you again for your thorough review and helpful suggestions. If there's anything else you'd like me to adjust or improve, please let me know.
Warm regards,
```python
type=source_info["actionTypeId"]["provider"],
location=source_info["configuration"].get("FullRepositoryId", ""),
configuration=source_info["configuration"],
tags=pipeline_info.get("tags", []),
```
The key `tags` does not exist, you have to use the API call `list_tags_for_resource`.
Please, review my comments @yyyy7246
Thank you for the feedback, @MrCloudSec. I've updated the code to use the
Please let me know if there's anything else that needs adjustment. Thanks for your guidance!
```python
# Get tags using list_tags_for_resource API
try:
    tags_response = regional_client.list_tags_for_resource(
```
Please, get the tags in a different function as in https://github.com/yyyy7246/prowler/blob/2ebff1bf24040930e33ce59b7d3a2bcfa1f9b68d/prowler/providers/aws/services/sns/sns_service.py#L64
@yyyy7246 and a test for that function in the service test please.
Hello @MrCloudSec,
I've refactored the code to move the tag retrieval logic into a separate `_list_tags_for_resource` function, following the pattern you pointed out in the SNS service. In addition, I've added a dedicated test for this function within the service tests.
Thank you for the feedback—it helped me improve the code structure and testing approach. Please let me know if you have any further suggestions.
```python
mock_response.geturl.return_value = f"https://github.com/{repo_id}"

def mock_urlopen_side_effect(req, context=None):
    if "github.com" in req.get_full_url():
```

Check failure (Code scanning / CodeQL): Incomplete URL substring sanitization, severity High, in test code, on `github.com`.
```python
mock_response.geturl.return_value = f"https://gitlab.com/{repo_id}"

def mock_urlopen_side_effect(req, context=None):
    if "gitlab.com" in req.get_full_url():
```

Check failure (Code scanning / CodeQL): Incomplete URL substring sanitization, severity High, in test code, on `gitlab.com`.
Context
This PR introduces a critical security enhancement for AWS CodePipeline by implementing automated verification of repository visibility. This check helps organizations protect sensitive deployment configurations and mitigate potential supply chain attack vectors by ensuring the use of private repositories.

Description
The implementation includes:
- codepipeline_project_repo_private that:

Example Output

Core components:
- codepipeline_client.py: Client interface implementation
- codepipeline_service.py: Service layer with pipeline state management
- codepipeline_project_repo_private.py: Main check implementation
- metadata.json: Check specifications and security context

Technical implementation highlights:

Required Permissions
The check requires the following AWS permissions:
- ListPipelines
- GetPipeline
- GetConnection

Checklist

License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
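As an added example, not the PR's or Prowler's own code, of the layout the review converges on: every API call (ListPipelines, GetPipeline, GetConnection, ListTagsForResource) lives in a service class, tags are fetched by their own `_list_tags_for_resource` method rather than read from a non-existent `tags` key of GetPipeline, and the check only walks the service's state. It runs offline against a constructed `FakeClient` whose responses follow the shape of the real API responses. The visibility rule (an unauthenticated GET of the repository URL answering 200 means the repo is public), the `REPO_HOSTS` map, the injected `probe` callable and the fake data are assumptions of this example, not the PR's logic.

```python
# Added example, not the PR's or Prowler's code. Assumptions: REPO_HOSTS, the
# "anonymous GET answers 200 => public" rule, and the FakeClient data.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

REPO_HOSTS = {"GitHub": "github.com", "GitLab": "gitlab.com"}  # by ProviderType


@dataclass
class Source:
    provider: str         # ProviderType resolved through GetConnection
    location: str         # FullRepositoryId, e.g. "acme/app"


@dataclass
class Pipeline:
    name: str
    arn: str
    region: str
    source: Optional[Source] = None
    tags: List[dict] = field(default_factory=list)


class CodePipeline:  # service layer: every API call happens here, none in the check
    def __init__(self, regional_clients, connection_clients, account_id):
        self.regional_clients = regional_clients      # region -> codepipeline client
        self.connection_clients = connection_clients  # region -> codestar-connections client
        self.account_id = account_id
        self.pipelines: Dict[str, Pipeline] = {}
        self._list_pipelines()
        self._get_pipeline()
        self._list_tags_for_resource()  # GetPipeline carries no tags

    def _list_pipelines(self) -> None:
        for region, client in self.regional_clients.items():
            for item in client.list_pipelines()["pipelines"]:
                arn = f"arn:aws:codepipeline:{region}:{self.account_id}:{item['name']}"
                self.pipelines[arn] = Pipeline(item["name"], arn, region)

    def _get_pipeline(self) -> None:
        for pipeline in self.pipelines.values():
            client = self.regional_clients[pipeline.region]
            definition = client.get_pipeline(name=pipeline.name)["pipeline"]
            for stage in definition["stages"]:
                for action in stage["actions"]:
                    if action["actionTypeId"]["category"] != "Source":
                        continue
                    cfg = action["configuration"]
                    provider = action["actionTypeId"]["provider"]
                    if provider == "CodeStarSourceConnection":  # resolve the real host
                        conn = self.connection_clients[pipeline.region].get_connection(
                            ConnectionArn=cfg["ConnectionArn"])
                        provider = conn["Connection"]["ProviderType"]
                    pipeline.source = Source(provider, cfg.get("FullRepositoryId", ""))

    def _list_tags_for_resource(self) -> None:
        for pipeline in self.pipelines.values():
            client = self.regional_clients[pipeline.region]
            pipeline.tags = client.list_tags_for_resource(resourceArn=pipeline.arn)["tags"]


def execute(service: CodePipeline, probe: Callable[[str], int]) -> List[dict]:
    """The check: FAIL when the repo answers 200 anonymously, else PASS."""
    findings = []
    for pipeline in service.pipelines.values():
        src = pipeline.source
        host = REPO_HOSTS.get(src.provider) if src else None
        if not host or not src.location:
            continue  # no repository-backed source on a known host to assess
        url = f"https://{host}/{src.location}"
        findings.append({"resource_arn": pipeline.arn, "region": pipeline.region,
                         "repo": url, "tags": pipeline.tags,
                         "status": "FAIL" if probe(url) == 200 else "PASS"})
    return findings


class FakeClient:  # constructed stand-in for both boto3 clients; response shapes only
    CONN = "arn:aws:codestar-connections:us-east-1:123456789012:connection/example"
    REPOS = {"app-pipeline": "acme/app", "demo-pipeline": "acme/demo"}

    def list_pipelines(self):
        return {"pipelines": [{"name": n} for n in self.REPOS]}

    def get_pipeline(self, name):
        cfg = {"ConnectionArn": self.CONN, "FullRepositoryId": self.REPOS[name]}
        action = {"name": "Source", "configuration": cfg, "actionTypeId": {
            "category": "Source", "owner": "AWS",
            "provider": "CodeStarSourceConnection", "version": "1"}}
        return {"pipeline": {"name": name, "stages": [{"name": "Source", "actions": [action]}]}}

    def get_connection(self, ConnectionArn):
        return {"Connection": {"ConnectionArn": ConnectionArn, "ProviderType": "GitHub"}}

    def list_tags_for_resource(self, resourceArn):
        return {"tags": [{"key": "env", "value": "prod"}]}


PUBLIC_REPOS = {"https://github.com/acme/demo"}  # constructed: the only public repo


def fake_probe(url: str) -> int:
    return 200 if url in PUBLIC_REPOS else 404


def run_example() -> List[dict]:
    client = FakeClient()
    service = CodePipeline({"us-east-1": client}, {"us-east-1": client}, "123456789012")
    return execute(service, fake_probe)
```

Injecting `probe` keeps the check's tests free of `urlopen` mocks and of the host-string routing CodeQL objected to; a real `probe` would issue the anonymous GET and return the status code. Note that the permission list in the description does not cover the `ListTagsForResource` call the review asked for, so the metadata's required permissions need updating alongside the service.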