Amazon CodeGuru Security finds issues in your code and provides recommendations on how to remediate them. CodeGuru Security identifies Security vulnerabilities, such as risks from the top 10 OWASP categories.
Amazon CodeGuru Security action can be triggered by a pull request, push, or scheduled run of your CI/CD pipeline.
For more information about setup, see Create code security reviews with GitHub Actions in the Amazon CodeGuru Security User Guide.
To add CodeGuru Security to your CI/CD pipeline, follow the steps under the Usage section.
Step 1: Set up Your workflow.yml File
For CodeGuru Security to run, check out your repository using actions/checkout@v3. You will need to set fetch-depth: 0 to fetch all history for all branches and tags. For example:
- name: Checkout repository
uses: actions/checkout@v3
with:
fetch-depth: 0 # This is a required field for CodeGuru
We recommend following the instructions and using aws-actions/configure-aws-credentials to configure your credentials for a job. The IAM user or IAM role requires AmazonCodeGuruSecurityScanAccess policy. The CodeGuru Security action supports credentials from GitHub hosted runners and self-hosted runners.
Step 2: Add Amazon CodeGuru Security Action
Input Parameters:
source_path: Required. The source_path is assumed to be the root of the repository (e.g. ".").
aws_region: Required. AWS region where you want to run workflow.
fail_on_severity: Fails the action run if any finding is higher than or equal to severity is provided. Default the script does not break the action run. [example: Info, Low, Medium, High, Critical]'
- name: CodeGuru Security
uses: aws-actions/codeguru-security@v1
with:
source_path: .
aws_region: eu-north-1
fail_on_severity: Critical # Critical findings will fail the build
- name: Print findings
run: |
ls -l
cat codeguru-security-results.sarif.json
Step 3: Upload Results to GitHub
After your job is completed, you can view your results within the AWS Console or GitHub. To view the results in GitHub, we recommend uploading the results generated in the SARIF (Static Analysis Results Interchange Format) into GitHub using the following example codeql-action. For more details, see the upload instructions in the GitHub documentation.
- name: Upload review result
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: codeguru-security-results.sarif.json # Your results file will be named codeguru-security-results.sarif.json
After you run the CodeGuru Security Action, security findings are posted on the Security tab in the GitHub UI and in the Finding section of the CodeGuru Security console.
See CONTRIBUTING for more information.
This library is licensed under the Apache-2.0 License. See the LICENSE file.