From 570e5d8cc20b7b4efb2fe3b0ed26d1cbb1825723 Mon Sep 17 00:00:00 2001
From: Kien Pham
Date: Fri, 9 Aug 2024 13:32:55 -0700
Subject: [PATCH 1/8] updating gh action

---
 .github/workflows/codeguru.yml | 42 ++++++++++++++++++++++++----------
 1 file changed, 30 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/codeguru.yml b/.github/workflows/codeguru.yml
index 0c781a9e..9a592c35 100644
--- a/.github/workflows/codeguru.yml
+++ b/.github/workflows/codeguru.yml
@@ -19,8 +19,8 @@ jobs:
 continue-on-error: true
 uses: aws-actions/configure-aws-credentials@v1
 with:
- role-to-assume: arn:aws:iam::048169001733:role/GuruGitHubCICDRole
- aws-region: us-west-2
+ role-to-assume: arn:aws:iam::737243363187:role/CodeGuruSecurityGitHubAccessRole
+ aws-region: us-east-1
 - uses: actions/checkout@v2
 if: steps.iam-role.outcome == 'success'
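Review bot: With `continue-on-error: true` on the credentials step (the context line that opens this hunk), a failed assumption of the new `CodeGuruSecurityGitHubAccessRole` — a trust policy that does not name this repository, or a mis-typed account — is not a workflow failure; the checkout step here and the reviewer step in the next hunk are guarded by `if: steps.iam-role.outcome == 'success'`, so the job goes green with no scan having run. Since the role and account are exactly what this commit changes, drop `continue-on-error: true` so a broken OIDC trust fails the run visibly, or add a final step with `if: steps.iam-role.outcome != 'success'` and `run: exit 1`. The account ID and role name are also hard-coded in the workflow; `role-to-assume: ${{ vars.CODEGURU_ROLE_ARN }}` keeps environment-specific identity out of the file and out of this kind of edit. As the one step that receives an AWS identity, `aws-actions/configure-aws-credentials` is worth pinning to a full commit SHA rather than the floating `@v1` tag.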
@@ -40,18 +40,36 @@ jobs:
 if: steps.iam-role.outcome == 'success'
 continue-on-error: false
 with:
- s3_bucket: codeguru-reviewer-github-profiler-demo-048169001733-uw2
+ s3_bucket: code-guru-demo-34234234324234
 build_path: ./target/classes
- - name: Store SARIF file
- if: steps.iam-role.outcome == 'success'
- uses: actions/upload-artifact@v2
+ - name: CodeGuru Security
+ uses: aws-actions/codeguru-security@v1
 with:
- name: SARIF_recommendations
- path: ./codeguru-results.sarif.json
+ source_path: .
+ aws_region: us-east-1
+ fail_on_severity: Critical
+ - name: Print findings
+ run: |
+ ls -l
+ cat codeguru-security-results.sarif.json
- - name: Upload review result
- if: steps.iam-role.outcome == 'success'
- uses: github/codeql-action/upload-sarif@v1
+ # If you want content in security scanning, you’ll need to enable codescanning by going into github.
+ # https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository
+ - name: Upload result
+ uses: github/codeql-action/upload-sarif@v2
 with:
- sarif_file: codeguru-results.sarif.json
+ sarif_file: codeguru-security-results.sarif.json
+
+ # - name: Store SARIF file
+ # if: steps.iam-role.outcome == 'success'
+ # uses: actions/upload-artifact@v2
+ # with:
+ # name: SARIF_recommendations
+ # path: ./codeguru-results.sarif.json
+
+ # - name: Upload review result
+ # if: steps.iam-role.outcome == 'success'
+ # uses: github/codeql-action/upload-sarif@v1
+ # with:
+ # sarif_file: codeguru-results.sarif.json

From 45ab1e88dd1f89acaef7eb1757fbe8ab92402d6b Mon Sep 17 00:00:00 2001
From: Kien Pham
Date: Fri, 9 Aug 2024 13:39:56 -0700
Subject: [PATCH 2/8] trigger

---
 .github/workflows/codeguru.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/codeguru.yml b/.github/workflows/codeguru.yml
index 9a592c35..ad149ee7 100644
--- a/.github/workflows/codeguru.yml
+++ b/.github/workflows/codeguru.yml
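Review bot: The new `CodeGuru Security`, `Print findings` and `Upload result` steps carry no `if: steps.iam-role.outcome == 'success'`, unlike the `CodeGuru Reviewer` step whose `with:` block opens this hunk, so when role assumption fails (the credentials step is `continue-on-error: true`) the scan presumably runs with no AWS credentials and errors out, and `Print findings` and `Upload result` then fail on a missing SARIF file rather than being skipped like the reviewer step. Add `if: steps.iam-role.outcome == 'success'` to all three steps so the guard is applied consistently. `github/codeql-action/upload-sarif` also needs `security-events: write` in the job's `permissions` block, which is outside this hunk; confirm it is granted, otherwise the upload is rejected and the findings never reach the Security tab. Note that `cat codeguru-security-results.sarif.json` writes every finding, including file paths and snippets, into the job log, which on a public repository is readable by anyone, so that step looks like a debugging aid to remove once the upload works.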
@@ -35,6 +35,7 @@ jobs:
 if: steps.iam-role.outcome == 'success'
 run: mvn compile -DskipTests
+
 - name: CodeGuru Reviewer
 uses: aws-actions/codeguru-reviewer@v1.1
 if: steps.iam-role.outcome == 'success'

From 8f6f922dd4f7f1461a2d32eb2be344481228ffad Mon Sep 17 00:00:00 2001
From: Kien Pham
Date: Fri, 9 Aug 2024 13:43:27 -0700
Subject: [PATCH 3/8] fix s3

---
 .github/workflows/codeguru.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/codeguru.yml b/.github/workflows/codeguru.yml
index ad149ee7..ce55f3bd 100644
--- a/.github/workflows/codeguru.yml
+++ b/.github/workflows/codeguru.yml
@@ -41,7 +41,7 @@ jobs:
 if: steps.iam-role.outcome == 'success'
 continue-on-error: false
 with:
- s3_bucket: code-guru-demo-34234234324234
+ s3_bucket: codeguru-reviewer-demo-234234sdfsdf
 build_path: ./target/classes
 - name: CodeGuru Security

From d15f38940efcdd39f76e5e5780878c0d585e23e6 Mon Sep 17 00:00:00 2001
From: Kien Pham
Date: Fri, 9 Aug 2024 13:51:49 -0700
Subject: [PATCH 4/8] debug3

---
 .github/workflows/codeguru.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/codeguru.yml b/.github/workflows/codeguru.yml
index ce55f3bd..323671c7 100644
--- a/.github/workflows/codeguru.yml
+++ b/.github/workflows/codeguru.yml
@@ -44,6 +44,7 @@ jobs:
 s3_bucket: codeguru-reviewer-demo-234234sdfsdf
 build_path: ./target/classes
+
 - name: CodeGuru Security
 uses: aws-actions/codeguru-security@v1
 with:

From ccfdc15cda5a30c5f2e18c9b3aa1f1ff84e599a8 Mon Sep 17 00:00:00 2001
From: Kien Pham
Date: Fri, 9 Aug 2024 13:58:48 -0700
Subject: [PATCH 5/8] dont crash

---
 .github/workflows/codeguru.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/codeguru.yml b/.github/workflows/codeguru.yml
index 323671c7..ccbd7732 100644
--- a/.github/workflows/codeguru.yml
+++ b/.github/workflows/codeguru.yml
@@ -50,7 +50,7 @@ jobs:
 with:
 source_path: .
 aws_region: us-east-1
- fail_on_severity: Critical
+ # fail_on_severity: Critical
 - name: Print findings
 run: |
 ls -l

From e59f039a26a79aafa1b7645b4d046abd892bc5ed Mon Sep 17 00:00:00 2001
From: Kien Pham
Date: Fri, 9 Aug 2024 14:00:04 -0700
Subject: [PATCH 6/8] update reviewer

---
 .github/workflows/codeguru.yml | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/codeguru.yml b/.github/workflows/codeguru.yml
index ccbd7732..a5f1700b 100644
--- a/.github/workflows/codeguru.yml
+++ b/.github/workflows/codeguru.yml
@@ -44,6 +44,18 @@ jobs:
 s3_bucket: codeguru-reviewer-demo-234234sdfsdf
 build_path: ./target/classes
+ - name: Store SARIF file
+ if: steps.iam-role.outcome == 'success'
+ uses: actions/upload-artifact@v2
+ with:
+ name: SARIF_recommendations
+ path: ./codeguru-results.sarif.json
+
+ - name: Upload review result
+ if: steps.iam-role.outcome == 'success'
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: codeguru-results.sarif.json
 - name: CodeGuru Security
 uses: aws-actions/codeguru-security@v1
@@ -63,15 +75,4 @@ jobs:
 with:
 sarif_file: codeguru-security-results.sarif.json
- # - name: Store SARIF file
- # if: steps.iam-role.outcome == 'success'
- # uses: actions/upload-artifact@v2
- # with:
- # name: SARIF_recommendations
- # path: ./codeguru-results.sarif.json
-
- # - name: Upload review result
- # if: steps.iam-role.outcome == 'success'
- # uses: github/codeql-action/upload-sarif@v1
- # with:
- # sarif_file: codeguru-results.sarif.json
+

From 17a01f23f2ce3f6e28e07178d9832acc9adbb831 Mon Sep 17 00:00:00 2001
From: Kien Pham
Date: Fri, 9 Aug 2024 14:08:47 -0700
Subject: [PATCH 7/8] testing pr

---
 .github/workflows/codeguru.yml | 2 +-
 src/main/java/com/shipmentEvents/util/S3ClientUtil.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
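Review bot: Commenting out `fail_on_severity: Critical` removes the only gate in this workflow: after this change a Critical finding from CodeGuru Security is still uploaded to code scanning, but the check stays green, so the "crash" in the subject was most likely the scanner correctly blocking on a finding. If the intent is to avoid blocking while the existing baseline is triaged, keep the threshold and dismiss the individual alerts in the Security tab, or put `continue-on-error: true` on this step with a comment naming the owner and the removal date, rather than silently disabling the threshold. Also check the action's own default for `fail_on_severity` in its `action.yml`: if the default is itself a severity level, dropping the explicit value does not disable the gate and the failure will come back.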
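Review bot: The re-added `Upload review result` step sends `codeguru-results.sarif.json` through `github/codeql-action/upload-sarif`, and the `Upload result` step further down the same file sends `codeguru-security-results.sarif.json` through the same action, neither with a `category:`; code scanning keys analyses by tool name plus category, so if both SARIF files carry the same `tool.driver.name` the second upload for a commit replaces the first and one scanner's findings silently vanish from the Security tab. Give each upload a distinct value, e.g. `category: codeguru-reviewer` here and `category: codeguru-security` on the other step. The re-added `actions/upload-artifact@v2` and `github/codeql-action/upload-sarif@v1` are both deprecated majors (the SARIF action is bumped later in this series, the artifact action is not); move to `actions/upload-artifact@v4`, and for steps that handle the scan output pin both actions by commit SHA rather than a floating tag.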
diff --git a/.github/workflows/codeguru.yml b/.github/workflows/codeguru.yml
index a5f1700b..f6ff1519 100644
--- a/.github/workflows/codeguru.yml
+++ b/.github/workflows/codeguru.yml
@@ -53,7 +53,7 @@ jobs:
 - name: Upload review result
 if: steps.iam-role.outcome == 'success'
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: codeguru-results.sarif.json
diff --git a/src/main/java/com/shipmentEvents/util/S3ClientUtil.java b/src/main/java/com/shipmentEvents/util/S3ClientUtil.java
index 16554f27..7f474fc3 100644
--- a/src/main/java/com/shipmentEvents/util/S3ClientUtil.java
+++ b/src/main/java/com/shipmentEvents/util/S3ClientUtil.java
@@ -5,7 +5,7 @@ import com.amazonaws.services.s3.AmazonS3ClientBuilder;
 public class S3ClientUtil {
-
+ // Testing code changes
 public static AmazonS3 getS3Client() {
 return AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
 }

From b48060e7e9ebf0b2d1d8e45d7d14dfdd9a42b2b3 Mon Sep 17 00:00:00 2001
From: Kien Pham
Date: Fri, 9 Aug 2024 14:10:32 -0700
Subject: [PATCH 8/8] trigger on PR

---
 .github/workflows/codeguru.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/codeguru.yml b/.github/workflows/codeguru.yml
index f6ff1519..d80c5807 100644
--- a/.github/workflows/codeguru.yml
+++ b/.github/workflows/codeguru.yml
@@ -1,8 +1,10 @@
 name: Analyze with CodeGuru Reviewer
 on:
- - push
- - workflow_dispatch # This allows manual triggering of the action through the GitHub UI.
+ pull_request:
+ types: [opened]
+ # - push
+ # - workflow_dispatch # This allows manual triggering of the action through the GitHub UI.
 permissions:
 id-token: write
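Review bot: `types: [opened]` runs the scan only when a pull request is first opened; pushes that update the PR afterwards (`synchronize`) and re-opened PRs are never scanned, so a reviewer can approve on a green check that covers none of the commits added since. Use `types: [opened, synchronize, reopened]`, or drop `types:` entirely since those three are GitHub's default for `pull_request`. Commenting out `push` also means the default branch is no longer scanned after merge, so a finding that slips through a PR is never re-detected; keep a `push:` trigger limited to the default branch alongside `pull_request`. Note too that for `pull_request` runs from forks GitHub does not issue the OIDC token that `id-token: write` requests, so the `configure-aws-credentials` step will fail on fork PRs and, with its `continue-on-error: true`, the job presumably skips the scan and still reports success — worth a comment above `on:` so nobody assumes fork PRs are covered.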