Skip to content

Remove git dependency from CodeBuild deployment script#91

Merged
kaleko merged 1 commit into
mainfrom
fix/codebuild-remove-git-dependency
Jun 11, 2026
Merged

Remove git dependency from CodeBuild deployment script#91
kaleko merged 1 commit into
mainfrom
fix/codebuild-remove-git-dependency

Conversation

@razkenari

@razkenari razkenari commented Apr 18, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Problem

The current deploy-with-codebuild.py uses git ls-files but silently depends on git and drops untracked files. Cleanup is also unconditional and always leaves the CodeBuild project behind, and the build fails on ARM64 because CedarPolicyLambda bundles for linux/amd64.

Solution

Keep git-based packaging but make it explicit, tie resource teardown to the build result, and fix the architecture mismatch.

Changes:

  • Package only git-tracked/staged files; warn on untracked files instead of dropping them, and require git explicitly
  • Tear down all resources (bucket, IAM role, boundary, project) on a successful build; retain them with console/log links on failure for debugging and reuse
  • Add a 1-day object-expiry rule on the source bucket
  • Set CedarPolicyLambda to ARM_64 to match FeedbackLambda and the ARM64 build host
  • Update scripts/README.md and docs/DEPLOYMENT.md

@github-actions

github-actions Bot commented Apr 18, 2026
edited
Loading

Copy link
Copy Markdown

Latest scan for commit: e509c01 | Updated: 2026-06-10 21:53:50 UTC

Security Scan Results

Scan Metadata

  • Project: ASH
  • Scan executed: 2026-06-10T21:53:38+00:00
  • ASH version: 3.2.2

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

  • Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
  • Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
  • High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
  • Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
  • Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
  • Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

  • Time: Duration taken by each scanner to complete its analysis
  • Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

  • PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
  • FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
  • MISSING: Scanner could not run because required dependencies/tools are not installed or available
  • SKIPPED: Scanner was intentionally disabled or excluded from this scan
  • ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

  • CRITICAL: Only Critical severity findings cause scanner to fail
  • HIGH: High and Critical severity findings cause scanner to fail
  • MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
  • LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
  • ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

  • (g) = global: Set in the global_settings section of ASH configuration
  • (c) = config: Set in the individual scanner configuration section
  • (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

  • All statistics are calculated from the final aggregated SARIF report
  • Suppressed findings are counted separately and do not contribute to actionable findings
  • Scanner status is determined by comparing actionable findings to the threshold
Scanner S C H M L I Time Action Result Thresh
bandit 0 0 0 0 0 0 761ms 0 PASSED MED (g)
cdk-nag 0 0 0 0 0 0 6.8s 0 PASSED MED (g)
cfn-nag 0 0 0 0 0 0 6ms 0 PASSED MED (g)
checkov 0 0 0 0 0 0 5.0s 0 PASSED MED (g)
detect-secrets 0 0 0 0 0 0 717ms 0 PASSED MED (g)
grype 0 0 0 0 0 0 48.5s 0 PASSED MED (g)
npm-audit 0 0 0 0 0 0 169ms 0 PASSED MED (g)
opengrep 10 0 0 0 0 0 17.4s 0 PASSED MED (g)
semgrep 0 0 0 0 0 0 <1ms 0 MISSING MED (g)
syft 0 0 0 0 0 0 1.9s 0 PASSED MED (g)

@razkenari razkenari force-pushed the fix/codebuild-remove-git-dependency branch from 19a4f58 to e103c91 Compare April 20, 2026 20:54
@github-actions github-actions Bot added the documentation Improvements or additions to documentation label Apr 20, 2026
@razkenari razkenari force-pushed the fix/codebuild-remove-git-dependency branch from e103c91 to 7c19e2e Compare April 20, 2026 21:02
@razkenari razkenari marked this pull request as ready for review April 20, 2026 21:05
@razkenari razkenari requested a review from a team April 20, 2026 21:05
brianz
brianz reviewed Apr 20, 2026
View reviewed changes

@brianz brianz left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small comment but otherwise I trust that this is a good change.

Comment thread docs/DEPLOYMENT.md Outdated

### Option B: Deploy via CodeBuild

Requires only Python 3.8+ and AWS CLI — no Node.js, Docker, or CDK needed.

@brianz brianz Apr 20, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's update this to a more modern Python version. I believe other docs state python 3.11+. 3.8 is EOL and released almost 7 years ago.

@razkenari razkenari Apr 21, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, updated to 3.11+ consistent with the rest of the project.

@razkenari razkenari force-pushed the fix/codebuild-remove-git-dependency branch from 848ccd7 to 7257716 Compare April 22, 2026 00:59
@razkenari
fix(deploy): package tracked files only, ephemeral CodeBuild resources
e509c01 
Rework the CodeBuild deployment script to drop the silent git dependency and tighten resource lifecycle:

- Package only git-tracked/staged files via 'git ls-files'; warn about untracked files instead of silently dropping or over-including them. Require git rather than falling back to a filesystem walk.
- Create the source bucket, IAM role, permission boundary, and CodeBuild project per run; tear them all down on a successful build and retain them (with console/log links) on failure for debugging and reuse.
- Add a 1-day object-expiry lifecycle rule on the source bucket so a retained archive can't linger.
- Remove the separate cleanup-codebuild-project.py (teardown is built in).
- Set CedarPolicyLambda to ARM_64 to match FeedbackLambda and the ARM64 CodeBuild host, avoiding cross-platform bundling failures.
- Update scripts/README.md and docs/DEPLOYMENT.md to match.
@razkenari razkenari force-pushed the fix/codebuild-remove-git-dependency branch from 983596d to e509c01 Compare June 10, 2026 21:45
@kaleko kaleko merged commit ab05210 into main Jun 11, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brianz brianz brianz left review comments

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation infrastructure

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@razkenari @brianz @kaleko