Migrate content from portfolio-template-sdlc #2
base: main
Adds:
- Python application (scripts/) with tests
- Terraform IaC configurations
- CloudFormation example templates
- Docker configuration
- CI/CD workflows (ci-cd, sast, terraform)
- Pre-commit hooks configuration
- Code quality tooling (flake8, black, pylint, etc.)

Note: Security scan will report ~36 findings as documented in README. These are intentional for demonstration purposes.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
| Value: CloudFormation | ||
|
|
||
| # Example CloudWatch Log Group | ||
| ExampleLogGroup: |
Check failure
Code scanning / SDLC Code Scanner (checkov-cfn)
Ensure that CloudWatch Log Group is encrypted by KMS High
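Review bot: `ExampleLogGroup` has no `KmsKeyId`, which is what both this checkov-cfn failure and the cfn-nag warning on the same resource further down are flagging. `AWS::Logs::LogGroup` accepts a `KmsKeyId` property taking a KMS key ARN; setting it to a customer-managed key (the key policy must grant the CloudWatch Logs service principal for the region access) clears both findings. Since the description says the findings are intentional, a comment above the resource saying which finding it demonstrates would stop a future reader from "fixing" it by accident.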
|
|
||
| Resources: | ||
| # Example S3 bucket with security best practices | ||
| ExampleBucket: |
Check warning
Code scanning / SDLC Code Scanner (checkov-cfn)
Ensure the S3 bucket has access logging enabled Medium
| Resources: | ||
| # Example S3 bucket with security best practices | ||
| ExampleBucket: | ||
| Type: AWS::S3::Bucket |
Check warning
Code scanning / SDLC Code Scanner (cfn-nag)
S3 bucket should likely have a bucket policy Medium
| Resources: | ||
| # Example S3 bucket with security best practices | ||
| ExampleBucket: | ||
| Type: AWS::S3::Bucket |
Check warning
Code scanning / SDLC Code Scanner (cfn-nag)
S3 Bucket should have access logging configured Medium
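Review bot: the comment on `ExampleBucket` says "security best practices", but the three findings on it (checkov-cfn access logging, cfn-nag bucket policy, cfn-nag access logging) contradict that wording. If the bucket is meant to be the intentionally-insecure example, rename the comment to say so; if it is meant to be the good example, add a `LoggingConfiguration` property pointing at a separate log bucket and an `AWS::S3::BucketPolicy` resource (at minimum one that denies non-TLS requests via `aws:SecureTransport`), which addresses all three.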
|
|
||
| # Example CloudWatch Log Group | ||
| ExampleLogGroup: | ||
| Type: AWS::Logs::LogGroup |
Check warning
Code scanning / SDLC Code Scanner (cfn-nag)
CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data Medium
| } | ||
|
|
||
| # CloudWatch Log Group for application logs | ||
| resource "aws_cloudwatch_log_group" "app_logs" { |
Check failure
Code scanning / SDLC Code Scanner (checkov)
Ensure that CloudWatch Log Group is encrypted by KMS High
| } | ||
|
|
||
| # S3 Bucket for data storage and long-term log archival | ||
| resource "aws_s3_bucket" "data_bucket" { |
Check failure
Code scanning / SDLC Code Scanner (checkov)
Ensure that S3 buckets are encrypted with KMS by default High
| } | ||
|
|
||
| # CloudWatch Log Group for application logs | ||
| resource "aws_cloudwatch_log_group" "app_logs" { |
Check warning
Code scanning / SDLC Code Scanner (checkov)
Ensure CloudWatch log groups retains logs for at least 1 year Medium
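Review bot: `aws_cloudwatch_log_group.app_logs` is missing both `kms_key_id` (the High checkov failure above and the tfsec notice further down) and a `retention_in_days` value of at least 365 (this finding). Both are single arguments on the same resource, so if the log group is not meant to be one of the intentional findings they are a two-line fix; if it is, a comment naming the intended finding keeps the ~36 count in the README reproducible when someone later cleans up the Terraform.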
| } | ||
|
|
||
| # S3 Bucket for data storage and long-term log archival | ||
| resource "aws_s3_bucket" "data_bucket" { |
Check warning
Code scanning / SDLC Code Scanner (checkov)
Ensure S3 buckets should have event notifications enabled Medium
| } | ||
|
|
||
| # S3 Bucket for data storage and long-term log archival | ||
| resource "aws_s3_bucket" "data_bucket" { |
Check warning
Code scanning / SDLC Code Scanner (checkov)
Ensure the S3 bucket has access logging enabled Medium
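Review bot: the access-logging finding on `aws_s3_bucket.data_bucket` (also raised by tfsec further down as "S3 Bucket does not have logging enabled") is fixed with a separate `aws_s3_bucket_logging` resource referencing a dedicated log bucket, not an argument on the bucket itself, given the split-resource S3 provider layout this module already uses for lifecycle and encryption. The comment calls this bucket the "long-term log archival" bucket, so the target log bucket should be a different one to avoid a bucket logging to itself.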
| } | ||
|
|
||
| # S3 Bucket for data storage and long-term log archival | ||
| resource "aws_s3_bucket" "data_bucket" { |
Check warning
Code scanning / SDLC Code Scanner (checkov)
Ensure that S3 bucket has cross-region replication enabled Medium
| } | ||
|
|
||
| # S3 Bucket lifecycle policy | ||
| resource "aws_s3_bucket_lifecycle_configuration" "data_bucket_lifecycle" { |
Check warning
Code scanning / SDLC Code Scanner (checkov)
Ensure S3 lifecycle configuration sets period for aborting failed uploads Medium
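Review bot: the lifecycle rule in `data_bucket_lifecycle` has no `abort_incomplete_multipart_upload` block. Adding `abort_incomplete_multipart_upload { days_after_initiation = 7 }` inside the existing `rule` clears this finding and also stops orphaned multipart parts from silently accruing storage cost on the archival bucket.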
| } | ||
|
|
||
| # Enable encryption for S3 bucket | ||
| resource "aws_s3_bucket_server_side_encryption_configuration" "data_bucket_encryption" { |
Check failure
Code scanning / SDLC Code Scanner (tfsec)
S3 encryption should use Customer Managed Keys High
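Review bot: `data_bucket_encryption` is presumably using `AES256`, which is why checkov ("encrypted with KMS by default", High) and tfsec ("Customer Managed Keys", High) both fail it. The fix is in the existing `rule { apply_server_side_encryption_by_default { ... } }` block: set `sse_algorithm = "aws:kms"` and `kms_master_key_id` to the ARN of a customer-managed key (a hypothetical `aws_kms_key.data` resource would need to be added, with a key policy that allows the application role to decrypt). Note this will also require `kms:GenerateDataKey`/`kms:Decrypt` on that key in the IAM policy below, which is relevant to the wildcard finding there.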
| role = aws_iam_role.app_role.id | ||
|
|
||
| policy = jsonencode({ | ||
| Version = "2012-10-17" |
Check failure
Code scanning / SDLC Code Scanner (tfsec)
IAM policy should avoid use of wildcards and instead apply the principle of least privilege High
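Review bot: the two tfsec High findings on this inline policy (here and the identical block further down) mean the `Statement` body below `Version = "2012-10-17"` uses `*` in `Action` and/or `Resource`. Replace them with the specific actions the application actually calls (the Python code on this PR uses `put_object` on S3 and CloudWatch Logs writes) and the ARNs of `aws_s3_bucket.data_bucket` and `aws_cloudwatch_log_group.app_logs`. If the wildcard is one of the intentional findings, this is the one most worth labelling in a comment, since an inline policy with `*` on an application role is the finding most likely to be copied into a real deployment.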
| role = aws_iam_role.app_role.id | ||
|
|
||
| policy = jsonencode({ | ||
| Version = "2012-10-17" |
Check failure
Code scanning / SDLC Code Scanner (tfsec)
IAM policy should avoid use of wildcards and instead apply the principle of least privilege High
| } | ||
|
|
||
| # S3 Bucket for data storage and long-term log archival | ||
| resource "aws_s3_bucket" "data_bucket" { |
Check warning
Code scanning / SDLC Code Scanner (tfsec)
S3 Bucket does not have logging enabled. Medium
| } | ||
|
|
||
| # CloudWatch Log Group for application logs | ||
| resource "aws_cloudwatch_log_group" "app_logs" { |
Check notice
Code scanning / SDLC Code Scanner (tfsec)
CloudWatch log groups should be encrypted using CMK Low
| self.environment = environment | ||
| self.s3_client: Optional[boto3.client] = None | ||
| self.cloudwatch_client: Optional[boto3.client] = None | ||
| logger.info(f"Initializing DataProcessor for environment: {environment}") |
Check warning
Code scanning / SDLC Code Scanner (pylint)
logging-fstring-interpolation: Use lazy % formatting in logging functions Medium
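Review bot: the f-string in `logger.info(f"Initializing DataProcessor for environment: {environment}")` is formatted even when INFO is disabled; the lazy form `logger.info("Initializing DataProcessor for environment: %s", environment)` defers formatting and is what pylint wants. The same one-line change applies to every other `logging-fstring-interpolation` warning on this PR (the `s3://{bucket}/{key}` messages, the `ClientError` handlers, and the `args.environment` / `result` messages in the entry point), which would remove nine of the ~36 findings if they are not meant to be intentional.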
| self.cloudwatch_client = boto3.client("logs") | ||
| logger.info("AWS clients initialized successfully") | ||
| except ClientError as e: | ||
| logger.error(f"Failed to initialize AWS clients: {e}") |
Check warning
Code scanning / SDLC Code Scanner (pylint)
logging-fstring-interpolation: Use lazy % formatting in logging functions Medium
| Returns: | ||
| Dictionary containing processing results | ||
| """ | ||
| logger.info(f"Processing data: {input_data}") |
Check warning
Code scanning / SDLC Code Scanner (pylint)
logging-fstring-interpolation: Use lazy % formatting in logging functions Medium
|
|
||
| try: | ||
| self.s3_client.put_object(Bucket=bucket, Key=key, Body=data) | ||
| logger.info(f"Successfully saved data to s3://{bucket}/{key}") |
Check warning
Code scanning / SDLC Code Scanner (pylint)
logging-fstring-interpolation: Use lazy % formatting in logging functions Medium
| logger.info(f"Successfully saved data to s3://{bucket}/{key}") | ||
| return True | ||
| except ClientError as e: | ||
| logger.error(f"Failed to save to S3: {e}") |
Check warning
Code scanning / SDLC Code Scanner (pylint)
logging-fstring-interpolation: Use lazy % formatting in logging functions Medium
| logging.getLogger().setLevel(logging.DEBUG) | ||
|
|
||
| logger.info("Starting Portfolio Data Processing Application") | ||
| logger.info(f"Environment: {args.environment}") |
Check warning
Code scanning / SDLC Code Scanner (pylint)
logging-fstring-interpolation: Use lazy % formatting in logging functions Medium
| # Process data if input provided | ||
| if args.input: | ||
| result = processor.process_data(args.input) | ||
| logger.info(f"Processing result: {result}") |
Check warning
Code scanning / SDLC Code Scanner (pylint)
logging-fstring-interpolation: Use lazy % formatting in logging functions Medium
| logger.info("Application completed successfully") | ||
| return 0 | ||
|
|
||
| except Exception as e: |
Check warning
Code scanning / SDLC Code Scanner (pylint)
broad-exception-caught: Catching too general exception Exception Medium
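Review bot: the `except Exception as e:` here is the application entry point's last-resort handler, and the body further down logs it with `exc_info=True`, so it is a reasonable catch-all as long as the return value after it is non-zero (a `return 0` after a logged failure would hide the error from CI). If that is the intent, add `# pylint: disable=broad-exception-caught` on that line with a short comment so the warning does not stay in the report by accident; otherwise narrow it to `ClientError` and the specific errors `process_data` can raise.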
| return 0 | ||
|
|
||
| except Exception as e: | ||
| logger.error(f"Application failed: {e}", exc_info=True) |
Check warning
Code scanning / SDLC Code Scanner (pylint)
logging-fstring-interpolation: Use lazy % formatting in logging functions Medium
| pass # Stream might already exist | ||
|
|
||
| # Send log event | ||
| import time |
Check notice
Code scanning / SDLC Code Scanner (pylint)
import-outside-toplevel: Import outside toplevel (time) Low
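Review bot: `import time` inside the function body (under `# Send log event`) should move to the module-level imports; there is no circular-import or optional-dependency reason visible here that would justify a local import, and the `time` module is always available. This is the only Low finding on the PR, so it is the cheapest one to clear.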
SDLC Code Scanner Security Scan ❌
View the full report in the Actions artifacts
Summary
Migrates all content from portfolio-template-sdlc to establish this as an actively developed example project.
Added
- scripts/ with example code and tests/ with pytest suite
- terraform/ with AWS resource configurations
- cloudformation/ with example templates
- Dockerfile and .dockerignore
- ci-cd.yml - Build, test, and deploy pipeline
- sast.yml - Security scanning with SDLC Code Scanner
- terraform.yml - Infrastructure validation

Expected Security Findings
As documented in the README, the security scan will report ~36 findings:
These are intentional for demonstration purposes.
🤖 Generated with Claude Code