GitHub Action
CodeGuru Security
Amazon CodeGuru Security finds issues in your code and provides recommendations on how to remediate them. CodeGuru Security identifies Security vulnerabilities, such as risks from the top 10 OWASP categories.
Amazon CodeGuru Security action can be triggered by a pull request, push, or scheduled run of your CI/CD pipeline.
For more information about setup, see Create code security reviews with GitHub Actions in the Amazon CodeGuru Security User Guide.
To add CodeGuru Security to your CI/CD pipeline, follow the steps under the Usage section.
Step 1: Set up Your workflow.yml File
- Add checkout to your workflow:
For CodeGuru Security to run, check out your repository using actions/checkout@v2. You will need to set fetch-depth: 0 to fetch all history for all branches and tags. For example:
- name: Checkout repository
uses: actions/checkout@v2
with:
fetch-depth: 0 # This is a required field for CodeGuru
- Provide your AWS Credentials:
We recommend following the instructions and using aws-actions/configure-aws-credentials to configure your credentials for a job. The IAM user or IAM role requires AmazonCodeGuruSecurityFullAccess policy. The CodeGuru Security action supports credentials from GitHub hosted runners and self-hosted runners.
Step 2: Add Amazon CodeGuru Security Action
The source_path is assumed to be the root of the repository (e.g. ".").
Input Parameters:
- aws_region: Required. AWS region where you want to run workflow.
- name: CodeGuru Security
uses: aws-actions/codeguru-security@v1.0 # to do replace this after action release
with:
source_path: .
aws_region: us-east-1
- name: print findings.
run: |
ls -l
cat codeguru-security-results.sarif.json
Step 3: Upload Results to GitHub
After your job is completed, you can view your results within the AWS Console or GitHub. To view the results in GitHub, we recommend uploading the results generated in the SARIF (Static Analysis Results Interchange Format) into GitHub using the following example codeql-action. For more details, see the upload instructions in the GitHub documentation.
- name: Upload review result
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: codeguru-security-results.sarif.json # Your results file will be named codeguru-security-results.sarif.json
After you run the CodeGuru Security Action, security findings are posted on the Security tab in the GitHub UI and in the Finding section of the CodeGuru Security console.
See CONTRIBUTING for more information.
This library is licensed under the Apache-2.0 License. See the LICENSE file.