Skip to content

adds custom config file#66

Merged
kaleko merged 4 commits intoawslabs:mainfrom
bhsu22:toolbox
Mar 25, 2026
Merged

adds custom config file#66
kaleko merged 4 commits intoawslabs:mainfrom
bhsu22:toolbox

Conversation

@bhsu22
Copy link
Copy Markdown
Contributor

@bhsu22 bhsu22 commented Mar 23, 2026

Description of changes: Modifies config manager so that custom configuration files can be added.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@bhsu22 bhsu22 requested a review from a team March 23, 2026 17:37
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 23, 2026
edited
Loading

Latest scan for commit: 5d22768 | Updated: 2026-03-25 19:36:41 UTC

Security Scan Results

Scan Metadata

  • Project: ASH
  • Scan executed: 2026-03-25T19:34:26+00:00
  • ASH version: 3.2.2

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

  • Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
  • Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
  • High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
  • Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
  • Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
  • Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

  • Time: Duration taken by each scanner to complete its analysis
  • Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

  • PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
  • FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
  • MISSING: Scanner could not run because required dependencies/tools are not installed or available
  • SKIPPED: Scanner was intentionally disabled or excluded from this scan
  • ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

  • CRITICAL: Only Critical severity findings cause scanner to fail
  • HIGH: High and Critical severity findings cause scanner to fail
  • MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
  • LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
  • ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

  • (g) = global: Set in the global_settings section of ASH configuration
  • (c) = config: Set in the individual scanner configuration section
  • (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

  • All statistics are calculated from the final aggregated SARIF report
  • Suppressed findings are counted separately and do not contribute to actionable findings
  • Scanner status is determined by comparing actionable findings to the threshold
Scanner S C H M L I Time Action Result Thresh
bandit 0 0 0 0 0 0 741ms 0 PASSED MED (g)
cdk-nag 0 0 0 0 0 0 35.6s 0 PASSED MED (g)
cfn-nag 0 0 0 0 0 0 7ms 0 PASSED MED (g)
checkov 0 0 0 0 0 0 4.9s 0 PASSED MED (g)
detect-secrets 0 0 0 0 0 0 162ms 0 PASSED MED (g)
grype 0 0 0 0 0 0 38.5s 0 PASSED MED (g)
npm-audit 0 0 0 0 0 0 165ms 0 PASSED MED (g)
opengrep 2 0 0 0 0 0 21.8s 0 PASSED MED (g)
semgrep 2 0 0 0 0 0 16.1s 0 PASSED MED (g)
syft 0 0 0 0 0 0 1.8s 0 PASSED MED (g)

@kaleko
Copy link
Copy Markdown
Contributor

kaleko commented Mar 25, 2026

Would like to see:

  1. Don't fall back to a default config -- throw a descriptive error
  2. Add to the deployment docs how to specify full path to a config (if you have one that lives somewhere not in infra-cdk, mentioning that this field is optional if you are in infra-cdk directory and config.yaml is there already)

@bhsu22

@kaleko
Copy link
Copy Markdown
Contributor

kaleko commented Mar 25, 2026

Also feel free to add yourselves to the CONTRIBUTORs file

@bhsu22
Copy link
Copy Markdown
Contributor Author

bhsu22 commented Mar 25, 2026

@kaleko Sounds good. I updated the fall back behavior to look for config.yaml (current setup) and I added a comment in the code. The behavior for the deployment doesn't change from before. The changes don't allow you to add a custom file in FAST without modifying bin/fast-cdk.ts, so I didn't change the instructions in DEPLOYMENT.md

@kaleko kaleko merged commit 9b1374c into awslabs:main Mar 25, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kaleko kaleko kaleko approved these changes

Assignees

No one assigned

Labels

infrastructure

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bhsu22 @kaleko