awslabs / automated-security-helper

https://awslabs.github.io/automated-security-helper/
Apache License 2.0

CloudFormation templates are not scanned unless AWSTemplateFormatVersion key is included in the template #100

Open scrt-dev opened 1 month ago

scrt-dev commented 1 month ago

AWSTemplateFormatVersion is an optional key for CloudFormation templates, but is currently used when identifying CloudFormation templates to scan within ASH: https://github.com/awslabs/automated-security-helper/blob/main/utils/yaml-docker-execute.sh#L88

While this has been effective at reducing the false positives from scans that include JSON or YAML files which are, as expected, not CloudFormation, this results in valid CloudFormation templates unexpectedly being excluded from scans if they happen to not include that key.

Logic in ASH needs to be improved to more precisely identify CloudFormation templates within repositories to scan while still preventing false positives from being returned.
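One way to widen the detection without reopening the false-positive problem, as an added example that is not ASH's own code and not taken from the linked script: treat `AWSTemplateFormatVersion` as a sufficient but not necessary marker, and otherwise require a top-level `Resources` section that declares at least one `AWS::` or `Custom::` resource type. The function name `is_cfn_template`, the helper `make_samples` and the sample files it writes are all constructed for this illustration. The check is grep-based on purpose: CloudFormation YAML routinely carries intrinsic tags such as `!Sub` and `!Ref` that a strict YAML parser rejects unless taught about them, and it must also accept the JSON spelling of the same template.

```shell
#!/bin/sh
# Hypothetical CloudFormation template detector (example code, not ASH's).
# Exit 0 when FILE looks like a CloudFormation template, 1 otherwise.
is_cfn_template() {
  f="$1"
  [ -f "$f" ] || return 1

  # 1. The explicit marker, in YAML (AWSTemplateFormatVersion: ...) or
  #    JSON ("AWSTemplateFormatVersion": ...) form. Optional in practice,
  #    so its absence must not end the check.
  if grep -Eq '^[[:space:]]*"?AWSTemplateFormatVersion"?[[:space:]]*:' "$f"; then
    return 0
  fi

  # 2. Structural fallback: a top-level Resources section. YAML keys are
  #    matched at column 0; the quoted JSON key may be indented.
  grep -Eq '^([[:space:]]*"Resources"|Resources)[[:space:]]*:' "$f" || return 1

  # 3. ... that declares at least one resource of an AWS:: or Custom:: type.
  #    Requiring a Type line keeps generic YAML/JSON that happens to have a
  #    "Resources" key from being classified as CloudFormation.
  grep -Eq '^[[:space:]]*"?Type"?[[:space:]]*:[[:space:]]*"?(AWS|Custom)::' "$f"
}

# Constructed sample inputs for the demo and tests; prints the directory.
make_samples() {
  d=$(mktemp -d)
  cat > "$d/with-version.yaml" <<'EOF'
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Bucket:
    Type: AWS::S3::Bucket
EOF
  # Valid template that omits the optional key; also carries a !Sub tag.
  cat > "$d/no-version.yaml" <<'EOF'
Description: Constructed template without AWSTemplateFormatVersion
Resources:
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub '${AWS::StackName}-data'
EOF
  cat > "$d/no-version.json" <<'EOF'
{
  "Resources": {
    "Topic": {
      "Type": "AWS::SNS::Topic"
    }
  }
}
EOF
  # Kubernetes manifest: has an indented lowercase "resources" key only.
  cat > "$d/k8s-deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: app
          resources:
            limits:
              cpu: "1"
EOF
  echo "$d"
}

# Demo: classify the constructed samples, one verdict line per file.
samples=$(make_samples)
for f in "$samples"/*; do
  if is_cfn_template "$f"; then echo "scan: $f"; else echo "skip: $f"; fi
done
rm -rf "$samples"
```

The third check is what keeps the fallback precise: a file is only promoted to "CloudFormation" when both the `Resources` section and an `AWS::`/`Custom::` `Type` are present, so arbitrary YAML with a `Resources` key (or a `Type: AWS::...` line outside a resources block) is still skipped.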