devrev · devrev-jo · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026
@@ -7,7 +7,16 @@ on:
 jobs:
   patching_sla_check:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
     steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::162856926107:role/gh-action-security-tools
+          aws-region: us-east-1
       - name: Check out target repository
         uses: actions/checkout@v6
         with:
@@ -16,10 +25,11 @@ jobs:
         uses: actions/checkout@v6
         with:
           repository: devrev/global-gh-tools
+          ref: main
           path: .global-checks-tooling
       - name: Load python requirements.
         run: |
-          pip install strictyaml
+          pip install strictyaml boto3
       - name: Run patching SLA check
         id: patch_check
         continue-on-error: true
@@ -31,7 +41,6 @@ jobs:
           cat .global-checks-tooling/changed_files.txt
           python \
             .global-checks-tooling/checks/check_patching_sla.py \
-            .global-checks-tooling/data/repo_to_vulns.json \
             .global-checks-tooling/changed_files.txt \
             ${{ github.repository }} \
             .global-checks-tooling/pr_comment.md

@@ -1,3 +1,5 @@
 venv
 __pycache__
-_build
+_build
+comment.txt
+changed_files.txt
@@ -1,6 +1,8 @@
 import json
 import sys
 import os
+import boto3
+from botocore.exceptions import ClientError
 
 # The list of allowed files in the patch. If any file outside this list is modified, the patch will be blocked.
 # The list includes any file that is necessary for dependency management or build configuration.
@@ -20,30 +22,54 @@
     "uv.lock"
 ]
 
+def query_dynamodb_vulns(repo_name):
+    """
+    Query DynamoDB for vulnerability information by repo_name.
+
+    Args:
+        repo_name: The repository name to query
+
+    Returns:
+        The content of the "vulns" field if found, None otherwise
+    """
+    endpoint_url = os.environ.get(
+        "AWS_ENDPOINT_URL", "https://dynamodb.us-east-1.amazonaws.com"
+    )
+    region_name = os.environ.get("AWS_DEFAULT_REGION", "us-east-1")
+    table_name = os.environ.get("DYNAMODB_TABLE_NAME", "blocked-repos")
+
+    dynamodb = boto3.resource('dynamodb', endpoint_url=endpoint_url, region_name=region_name)
+    table = dynamodb.Table(table_name)
+
+    response = table.get_item(Key={'repo_name': repo_name})
+
+    if 'Item' in response and 'vulns' in response['Item']:
+        return response['Item']['vulns']
+    return None
+
 def check_patching_sla():
-    if len(sys.argv) != 5:
-        print("Usage: python check_patching_sla.py <blocked_repo_json> <changed_files_path> <repo_name> <comment_file>")
+    if len(sys.argv) != 4:
+        print("Usage: python check_patching_sla.py <changed_files_path> <repo_name> <comment_file>")
         sys.exit(1)
 
-    blocked_repo_json = sys.argv[1]
-    changed_files_path = sys.argv[2]
-    repo_name = sys.argv[3]
-    comment_file = sys.argv[4]
-    with open(blocked_repo_json) as f:
-        blocked_repos = json.load(f)
-    if repo_name not in blocked_repos:
+    changed_files_path = sys.argv[1]
+    repo_name = sys.argv[2]
+    comment_file = sys.argv[3]
+    vulns = query_dynamodb_vulns(repo_name)
+    if not vulns:
         print(f"Repository {repo_name} is not in the blocked repos list.")
         return True
     with open(changed_files_path) as f:
         changed_files = f.read().splitlines()
     for file in changed_files:
         filename = os.path.basename(file)
         if filename not in ALLOWED_FILES:
+            print(f"Repository {repo_name} is in the blocked repos list. Please see PR comment for details.")
             with open(comment_file, 'w') as f:
                 f.write(f"## ⚠️ Heads-up: This repository will be blocked from any work other than patching.\n")
                 f.write(f"File {file} is not allowed to be modified in this patch.\n")
                 f.write("The following vulnerability issues are past SLA:\n")
-                for issue in blocked_repos[repo_name]:
+                for issue in vulns:
                     id = issue['id']
                     overdue_days = issue['overdue_days']
                     severity = issue['severity']