From 13d587851fe9d85ce87ecf71061da3a71fc458f0 Mon Sep 17 00:00:00 2001
From: LCSOGthb <185141600+LCSOGthb@users.noreply.github.com>
Date: Mon, 6 Jan 2025 17:28:15 +0800
Subject: [PATCH 1/6] Create codescan.yml
---
.github/workflows/codescan.yml | 49 ++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 .github/workflows/codescan.yml
diff --git a/.github/workflows/codescan.yml b/.github/workflows/codescan.yml
new file mode 100644
index 0000000..ef95ac3
--- /dev/null
+++ b/.github/workflows/codescan.yml
@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow requires that you have an existing account with codescan.io
+# For more information about configuring your workflow,
+# read our documentation at https://github.com/codescan-io/codescan-scanner-action
+name: CodeScan
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '43 1 * * 2'
+
+permissions:
+ contents: read
+
+jobs:
+ CodeScan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Cache files
+ uses: actions/cache@v3
+ with:
+ path: |
+ ~/.sonar
+ key: ${{ runner.os }}-sonar
+ restore-keys: ${{ runner.os }}-sonar
+ - name: Run Analysis
+ uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12
+ with:
+ login: ${{ secrets.CODESCAN_AUTH_TOKEN }}
+ organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
+ projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: codescan.sarif
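Review bot: `actions/checkout@v4`, `actions/cache@v3` and `github/codeql-action/upload-sarif@v3` are referenced by mutable tags while `codescan-io/codescan-scanner-action` on the `Run Analysis` step is pinned to a full commit SHA, so the job's supply-chain posture is inconsistent; a tag can be moved to different code after review, so pin every `uses:` to a full-length commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<checkout-v4-sha> # v4` (placeholder, look up the real SHA). Separately, the `pull_request` trigger combined with `${{ secrets.CODESCAN_AUTH_TOKEN }}` means runs for pull requests from forks will presumably receive empty secrets and fail at `Run Analysis`; if fork PRs are expected, document that limitation in a comment above the step or gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository`. The `restore-keys` value is identical to `key`, which makes the fallback a no-op; either drop it or use a prefix such as `${{ runner.os }}-` so partial matches are actually restored.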
From cb9acb8727482227826282f434b564d23be94d3f Mon Sep 17 00:00:00 2001
From: LCSOGthb <185141600+LCSOGthb@users.noreply.github.com>
Date: Mon, 6 Jan 2025 17:28:21 +0800
Subject: [PATCH 2/6] Create nowsecure.yml
---
.github/workflows/nowsecure.yml | 52 +++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 .github/workflows/nowsecure.yml
diff --git a/.github/workflows/nowsecure.yml b/.github/workflows/nowsecure.yml
new file mode 100644
index 0000000..312ac2f
--- /dev/null
+++ b/.github/workflows/nowsecure.yml
@@ -0,0 +1,52 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# NowSecure: The Mobile Security Experts .
+#
+# To use this workflow, you must be an existing NowSecure customer with GitHub Advanced Security (GHAS) enabled for your
+# repository.
+#
+# If you *are not* an existing customer, click here to contact us for licensing and pricing details:
+# .
+#
+# Instructions:
+#
+# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and
+# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit
+# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub".
+#
+# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
+# and review the "Security" tab once the action has run.
+
+name: "NowSecure"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ nowsecure:
+ name: NowSecure
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Build your application
+ run: ./gradlew assembleDebug # Update this to build your Android or iOS application
+
+ - name: Run NowSecure
+ uses: nowsecure/nowsecure-action@3b439db31b6dce857b09f5222fd13ffc3159ad26
+ with:
+ token: ${{ secrets.NS_TOKEN }}
+ app_file: app-debug.apk # Update this to a path to your .ipa or .apk
+ group_id: {{ groupId }} # Update this to your desired Platform group ID
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: NowSecure.sarif
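Review bot: `group_id: {{ groupId }}` on the `Run NowSecure` step is an unquoted value starting with `{`, which YAML parses as a flow mapping nested in another flow mapping rather than a string, so GitHub will reject the workflow at parse time (or at best hand the action a mapping where it expects an ID); the template placeholder has to be replaced with a quoted literal group ID or a secret reference before this file can run. The job also declares no `permissions:` block, unlike codescan.yml and pyre.yml in this same series, yet `Upload SARIF file` needs `security-events: write`; on repositories whose default `GITHUB_TOKEN` is read-only that step fails, so add at job level `permissions:` / `contents: read` / `security-events: write`. `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` are mutable tags while `nowsecure/nowsecure-action` is SHA-pinned; pin them the same way. `./gradlew assembleDebug` is the template's placeholder build and will fail unless this repository actually ships a Gradle wrapper, which nothing in the series shows.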
From 59f0e0511a875c535512ecb2c78b6a1b333d4547 Mon Sep 17 00:00:00 2001
From: LCSOGthb <185141600+LCSOGthb@users.noreply.github.com>
Date: Mon, 6 Jan 2025 17:28:22 +0800
Subject: [PATCH 3/6] Create policy-validator-tf.yml
---
.github/workflows/policy-validator-tf.yml | 101 ++++++++++++++++++++++
1 file changed, 101 insertions(+)
create mode 100644 .github/workflows/policy-validator-tf.yml
diff --git a/.github/workflows/policy-validator-tf.yml b/.github/workflows/policy-validator-tf.yml
new file mode 100644
index 0000000..28fd356
--- /dev/null
+++ b/.github/workflows/policy-validator-tf.yml
@@ -0,0 +1,101 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will validate the IAM policies in the terraform (TF) templates with using the standard and custom checks in AWS IAM Access Analyzer
+# To use this workflow, you will need to complete the following set up steps before start using it:
+# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps.
+# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo.
+# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the TF templates.
+# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow.
+
+name: Validate AWS IAM policies in Terraform templates using Policy Validator
+on:
+ push:
+ branches: ["main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["main"]
+env:
+ AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
+ REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
+ TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
+ ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
+ REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
+
+jobs:
+ policy-validator:
+ runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable)
+ #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow
+ #https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+ # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners
+ name: Policy Validator checks for AWS IAM policies
+ steps:
+ # checkout the repo for workflow to access the contents
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ # Configure AWS Credentials. More configuration details here- https://github.com/aws-actions/configure-aws-credentials
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+ with:
+ role-to-assume: ${{ env.AWS_ROLE }}
+ aws-region: ${{ env.REGION }}
+ # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer ValidatePolicy check
+ id: run-aws-validate-policy
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "VALIDATE_POLICY"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ region: ${{ env.REGION }}
+ # Print result from VALIDATE_POLICY check
+ - name: Print the result for ValidatePolicy check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"
+ # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer CheckAccessNotGranted check
+ id: run-aws-check-access-not-granted
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ actions: ${{ env.ACTIONS }}
+ resources: ${{ env.RESOURCES }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_ACCESS_NOT_GRANTED check
+ - name: Print the result for CheckAccessNotGranted check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}"
+ # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ # reference-policy is stored in GitHub secrets
+ - name: Run AWS AccessAnalyzer CheckNoNewAccess check
+ id: run-aws-check-no-new-access
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "CHECK_NO_NEW_ACCESS"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ reference-policy: ${{ env.REFERENCE_POLICY }}
+ reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_NO_NEW_ACCESS check
+ - name: Print the result CheckNoNewAccess check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
+ # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer CheckNoPublicAccess check
+ id: run-aws-check-no-public-access
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_NO_PUBLIC_ACCESS check
+ - name: Print the result for CheckNoPublicAccess check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
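Review bot: each of the four `Print the result …` steps interpolates an action output straight into the `run:` script via `echo "${{ steps.….outputs.result }}"`, so whatever text the validator returns — presumably derived from the plan JSON at `TEMPLATE_PATH`, which a pull request can change — is spliced into the shell command before bash sees it; route it through an environment variable instead, e.g. `env:` / `RESULT: ${{ steps.run-aws-validate-policy.outputs.result }}` / `run: echo "$RESULT"`. `AWS_ROLE: MY_ROLE` and the other `env:` values are unreplaced placeholders, so `Configure AWS Credentials` will fail on the first run; the CloudFormation variant removed in patch 5/6 documented keeping the role ARN in a `POLICY_VALIDATOR_ROLE` secret, which is the better home for it. `id-token: write` is not granted to `pull_request` runs from forks, so the OIDC exchange will presumably fail there as well; note that above the `permissions:` block. This file is deleted again in patch 6/6, so these points only matter if it is reintroduced.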
From d0863ef4a2fe2a2106140c4dea2d85916e37953b Mon Sep 17 00:00:00 2001
From: LCSOGthb <185141600+LCSOGthb@users.noreply.github.com>
Date: Mon, 6 Jan 2025 17:28:24 +0800
Subject: [PATCH 4/6] Create pyre.yml
---
.github/workflows/pyre.yml | 46 ++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 .github/workflows/pyre.yml
diff --git a/.github/workflows/pyre.yml b/.github/workflows/pyre.yml
new file mode 100644
index 0000000..053f88a
--- /dev/null
+++ b/.github/workflows/pyre.yml
@@ -0,0 +1,46 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Pyre with GitHub's
+# Code Scanning feature.
+#
+# Pyre is a performant type checker for Python compliant with
+# PEP 484. Pyre can analyze codebases with millions of lines
+# of code incrementally – providing instantaneous feedback
+# to developers as they write code.
+#
+# See https://pyre-check.org
+
+name: Pyre
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+
+jobs:
+ pyre:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: true
+
+ - name: Run Pyre
+ uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d
+ with:
+ # To customize these inputs:
+ # See https://github.com/facebook/pyre-action#inputs
+ repo-directory: './'
+ requirements-path: 'requirements.txt'
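Review bot: `actions/checkout@v4` on the first step is a mutable tag while `facebook/pyre-action` is pinned to a full commit SHA, so the job's pinning is inconsistent; pin checkout to a full-length SHA with the version in a comment, e.g. `uses: actions/checkout@<checkout-v4-sha> # v4` (placeholder, look up the real SHA). `requirements-path: 'requirements.txt'` presumes that file exists at the repository root; nothing in this series shows it, so either confirm the path or add a comment that it must be adjusted, since the `Run Pyre` step will presumably fail to set up dependencies otherwise. Because the workflow also runs on `pull_request`, the packages named in a PR's `requirements.txt` are presumably installed on the runner during analysis; the job-level `contents: read` / `security-events: write` permissions bound what such a run can reach, and a one-line comment above `Run Pyre` saying so would help the next maintainer.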
From f39cafeb077cef563e5bbd94de42d0ba5ddc2f24 Mon Sep 17 00:00:00 2001
From: LCSOGthb <185141600+LCSOGthb@users.noreply.github.com>
Date: Mon, 6 Jan 2025 17:38:25 +0800
Subject: [PATCH 5/6] Revert "Create policy-validator-cfn.yml"
---
.github/workflows/policy-validator-cfn.yml | 98 ----------------------
1 file changed, 98 deletions(-)
delete mode 100644 .github/workflows/policy-validator-cfn.yml
diff --git a/.github/workflows/policy-validator-cfn.yml b/.github/workflows/policy-validator-cfn.yml
deleted file mode 100644
index 1dc8c74..0000000
--- a/.github/workflows/policy-validator-cfn.yml
+++ /dev/null
@@ -1,98 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow will validate the IAM policies in the CloudFormation (CFN) templates with using the standard and custom checks in AWS IAM Access Analyzer
-# To use this workflow, you will need to complete the following set up steps before start using it:
-# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. In the below workflow, ARN of such role is stored in the GitHub secrets with name `POLICY_VALIDATOR_ROLE`
-# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo.
-# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the given CFN templates.
-# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow.
-name: Validate AWS IAM policies in CloudFormation templates using Policy Validator
-on:
- push:
- branches: ["main" ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: ["main"]
-env:
- AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
- REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
- TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template.
- ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
- RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
- REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
- REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
-jobs:
- policy-validator:
- runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable)
- # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow
- # https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
- permissions:
- id-token: write # This is required for requesting the JWT
- contents: read # This is required for actions/checkout
- name: Policy Validator checks for AWS IAM policies
- steps:
- # checkout the repo for workflow to access the contents
- - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- # Configure AWS Credentials. More configuration details here - https://github.com/aws-actions/configure-aws-credentials
- - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
- with:
- role-to-assume: ${{ env.AWS_ROLE }}
- aws-region: ${{ env.REGION }}
- # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
- - name: Run AWS AccessAnalyzer ValidatePolicy check
- id: run-aws-validate-policy
- uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
- with:
- policy-check-type: "VALIDATE_POLICY"
- template-path: ${{ env.TEMPLATE_PATH}}
- region: ${{ env.REGION }}
- # Print result from VALIDATE_POLICY check
- - name: Print the result for ValidatePolicy check
- if: success() || failure()
- run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"
- # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
- - name: Run AWS AccessAnalyzer CheckAccessNotGranted check
- id: run-aws-check-access-not-granted
- uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
- with:
- policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
- template-path: ${{ env.TEMPLATE_PATH}}
- actions: ${{ env.ACTIONS }}
- resources: ${{ env.RESOURCES }}
- region: ${{ env.REGION }}
- # Print result from CHECK_ACCESS_NOT_GRANTED check
- - name: Print the result for CheckAccessNotGranted check
- if: success() || failure()
- run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}"
- # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
- # reference-policy is stored in GitHub secrets
- - name: Run AWS AccessAnalyzer CheckNoNewAccess check
- id: run-aws-check-no-new-access
- uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
- with:
- policy-check-type: "CHECK_NO_NEW_ACCESS"
- template-path: ${{ env.TEMPLATE_PATH}}
- reference-policy: ${{ env.REFERENCE_POLICY }}
- reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
- region: ${{env.REGION }}
- # Print result from CHECK_NO_NEW_ACCESS check
- - name: Print the result for CheckNoNewAccess check
- if: success() || failure()
- run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
- # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
- - name: Run AWS AccessAnalyzer CheckNoPublicAccess check
- id: run-aws-check-no-public-access
- uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2
- with:
- policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
- template-path: ${{ env.TEMPLATE_PATH }}
- region: ${{ env.REGION }}
- # Print result from CHECK_NO_PUBLIC_ACCESS check
- - name: Print the result for CheckNoPublicAccess check
- if: success() || failure()
- run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
From fddfc0d877d36262421ec10b8fce4d5dad4f1ea0 Mon Sep 17 00:00:00 2001
From: LCSOGthb <185141600+LCSOGthb@users.noreply.github.com>
Date: Mon, 6 Jan 2025 17:38:58 +0800
Subject: [PATCH 6/6] Revert "Create policy-validator-tf.yml"
---
.github/workflows/policy-validator-tf.yml | 101 ----------------------
1 file changed, 101 deletions(-)
delete mode 100644 .github/workflows/policy-validator-tf.yml
diff --git a/.github/workflows/policy-validator-tf.yml b/.github/workflows/policy-validator-tf.yml
deleted file mode 100644
index 28fd356..0000000
--- a/.github/workflows/policy-validator-tf.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow will validate the IAM policies in the terraform (TF) templates with using the standard and custom checks in AWS IAM Access Analyzer
-# To use this workflow, you will need to complete the following set up steps before start using it:
-# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps.
-# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo.
-# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the TF templates.
-# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow.
-
-name: Validate AWS IAM policies in Terraform templates using Policy Validator
-on:
- push:
- branches: ["main" ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: ["main"]
-env:
- AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
- REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
- TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
- ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
- RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
- REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
- REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
-
-jobs:
- policy-validator:
- runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable)
- #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow
- #https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
- permissions:
- id-token: write # This is required for requesting the JWT
- contents: read # This is required for actions/checkout
- # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners
- name: Policy Validator checks for AWS IAM policies
- steps:
- # checkout the repo for workflow to access the contents
- - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- # Configure AWS Credentials. More configuration details here- https://github.com/aws-actions/configure-aws-credentials
- - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
- with:
- role-to-assume: ${{ env.AWS_ROLE }}
- aws-region: ${{ env.REGION }}
- # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
- - name: Run AWS AccessAnalyzer ValidatePolicy check
- id: run-aws-validate-policy
- uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
- with:
- policy-check-type: "VALIDATE_POLICY"
- template-path: ${{ env.TEMPLATE_PATH }}
- region: ${{ env.REGION }}
- # Print result from VALIDATE_POLICY check
- - name: Print the result for ValidatePolicy check
- if: success() || failure()
- run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"
- # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
- - name: Run AWS AccessAnalyzer CheckAccessNotGranted check
- id: run-aws-check-access-not-granted
- uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
- with:
- policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
- template-path: ${{ env.TEMPLATE_PATH }}
- actions: ${{ env.ACTIONS }}
- resources: ${{ env.RESOURCES }}
- region: ${{ env.REGION }}
- # Print result from CHECK_ACCESS_NOT_GRANTED check
- - name: Print the result for CheckAccessNotGranted check
- if: success() || failure()
- run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}"
- # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
- # reference-policy is stored in GitHub secrets
- - name: Run AWS AccessAnalyzer CheckNoNewAccess check
- id: run-aws-check-no-new-access
- uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
- with:
- policy-check-type: "CHECK_NO_NEW_ACCESS"
- template-path: ${{ env.TEMPLATE_PATH }}
- reference-policy: ${{ env.REFERENCE_POLICY }}
- reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
- region: ${{ env.REGION }}
- # Print result from CHECK_NO_NEW_ACCESS check
- - name: Print the result CheckNoNewAccess check
- if: success() || failure()
- run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
- # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
- - name: Run AWS AccessAnalyzer CheckNoPublicAccess check
- id: run-aws-check-no-public-access
- uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
- with:
- policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
- template-path: ${{ env.TEMPLATE_PATH }}
- region: ${{ env.REGION }}
- # Print result from CHECK_NO_PUBLIC_ACCESS check
- - name: Print the result for CheckNoPublicAccess check
- if: success() || failure()
- run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"