### Install new Python dependency using pipenv Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This command shows how to install a new Python package into your project's virtual environment using `pipenv`. It functions similarly to the `pip install` command. ```bash pipenv install ``` -------------------------------- ### Example Git commands for updating CICD Boot fork Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md These commands illustrate the process of updating a local CICD Boot fork to a newer version from a remote repository using `git merge`. It includes placeholders for the remote alias and target version, and comments on how to resolve potential merge conflicts. ```bash CICD_BOOT_REMOTE=origin; # Ensure the right git remote alias is set, we are assuming "origin" in this case VERSION_TO_UPDATE_TO=1.1.2; git merge ${CICD_BOOT_REMOTE}/${VERSION_TO_UPDATE_TO}; ## Resolve Merge conflicts in case there are any, then commit the changes # git add . # git commit -m "feat: updated to v1.1.2" ``` -------------------------------- ### Install npm dependencies for AWS CDK Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md Installs frozen dependencies from `package-lock.json` using `npm ci`. This ensures consistent dependency versions across environments. ```bash npm ci ### it installs the frozen dependencies from package-lock.json ``` -------------------------------- ### Install locked Python dependencies with pipenv sync Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This command installs all dependencies exactly as specified in the `Pipfile.lock` file. It's used to ensure consistent dependency installations across different environments or after cloning a repository. ```bash pipenv sync ``` -------------------------------- ### Install Git Remote CodeCommit Utility Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This command installs the `git-remote-codecommit` utility, which is necessary for interacting with AWS CodeCommit repositories from your local machine. It enables seamless integration for pushing and pulling code. ```bash sudo pip3 install git-remote-codecommit ``` -------------------------------- ### Demonstrate Valid Git Commit Message Format Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This example shows a Git commit message that successfully follows the conventional commits standard, passing the `commitlint` validation. It demonstrates the correct format for commit types and messages, leading to a successful commit. ```bash > git commit -m "docs: updated README.md with better instructions for the commit-msg hook" > cicd-boot@1.0.4 commitlint > commitlint --edit .git/COMMIT_EDITMSG [feat/developer-tools 24192d7] docs: updated README.md with better instructions for the commit-msg hook 1 file changed, 1 insertion(+), 1 deletion(-) ``` -------------------------------- ### Enable Git Pre-commit Hooks Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md To activate the pre-commit hooks installed by default in the project, export the `RUN_PRE_COMMIT_HOOKS` environment variable. This ensures that the hooks run automatically before every Git commit, enforcing code quality and standards. ```bash export RUN_PRE_COMMIT_HOOKS=true ``` -------------------------------- ### Demonstrate Invalid Git Commit Message Format Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This example illustrates a Git commit message that fails to adhere to the conventional commits standard, triggering a `commitlint` error via a `husky` hook. It shows the expected error output when the commit type is not recognized. ```bash > git commit -m "foo: this will fail" > cicd-boot@1.0.4 commitlint > commitlint --edit ⧗ input: foo: this will fail ✖ type must be one of [build, chore, ci, docs, feat, fix, perf, refactor, revert, style, test] [type-enum] ✖ found 1 problems, 0 warnings ⓘ Get help: https://github.com/conventional-changelog/commitlint/#what-is-commitlint husky - commit-msg hook exited with code 1 (error) ``` -------------------------------- ### Add Pipenv Executable to Shell PATH Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md After identifying the Pipenv installation directory, use this command to extend your shell's `PATH` environment variable. This makes the `pipenv` command globally available from any directory in your terminal session. For permanent access, add this line to your shell's configuration file (e.g., `.zshrc` or `.bashrc`). ```bash export PATH="${PATH}:/Users/user/Library/Python/3.11/bin"; ``` -------------------------------- ### Create AWS CodeStar Connection for GitHub via AWS CLI Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/docs/prerequisites-github-codestarconnection.md This command initiates the creation of an AWS CodeStar Connection, linking an AWS account to a GitHub provider. It requires specifying the provider type, an AWS profile for authentication, the AWS region, and a unique name for the connection. After running this command, further installation steps must be completed in the AWS CodeStar Connections console. ```bash aws codestar-connections create-connection --provider-type GitHub --profile $RES_ACCOUNT_AWS_PROFILE --region ${AWS_REGION} --connection-name MyConnection ``` -------------------------------- ### Determine Python User Base Directory for Pipenv Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This command helps locate the user-specific base directory where Python packages, including `pipenv`, are typically installed. This path is crucial for manually extending the system's `PATH` environment variable to make `pipenv` accessible. ```bash python3 -m site --user-base ``` -------------------------------- ### AWS CDK CI/CD Project Structure Overview Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This snippet illustrates the directory structure of the AWS CDK CI/CD Boot project, highlighting key folders for application code, CDK stacks, configuration, and Lambda functions. Comments within the structure indicate areas for customization and those to avoid modifying for future updates. ```bash ├── bin ├── config ├── docs ├── lib │ ├── cdk-pipeline │ │ ├── app ### here you need to initialize the cdk-stacks you add in the lib/stacks/app │ │ └── core ### avoid doing changes here in order to keep the update path │ └── stacks │ ├── app ### here you define new CDK Stacks which you want to deploy │ └── core ### avoid doing changes here in order to keep the update path ├── scripts │ └── tests ### extend and add new ├── src │ ├── codebuild │ ├── lambda-functions │ │ └── test ### extend and add new functions as you see fit │ └── lambda-layer │ └── common ### add more packages to requirements.txt ├── test └── utils ``` -------------------------------- ### Bootstrap AWS CDK RES stage Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md Prepares the 'RES' (Resources) stage for AWS CDK deployment by bootstrapping the AWS account with a specified profile, qualifier, and region. This is typically the foundational account that other stages trust. ```bash npm run cdk bootstrap -- --profile $RES_ACCOUNT_AWS_PROFILE --qualifier ${CDK_QUALIFIER} aws://${ACCOUNT_RES}/${AWS_REGION} ``` -------------------------------- ### Bootstrap AWS CDK INT stage Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md Prepares the 'INT' (Integration) stage for AWS CDK deployment. This command bootstraps the AWS account, grants AdministratorAccess for CloudFormation execution, and establishes trust with the RES account, similar to the DEV stage. ```bash npm run cdk bootstrap -- --profile $INT_ACCOUNT_AWS_PROFILE --qualifier ${CDK_QUALIFIER} --cloudformation-execution-policies \ arn:aws:iam::aws:policy/AdministratorAccess \ --trust ${ACCOUNT_RES} aws://${ACCOUNT_INT}/${AWS_REGION} ``` -------------------------------- ### Deploy All AWS CDK Stacks Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This command initiates the deployment of all configured AWS CDK stacks. It targets a specific AWS region and profile, ensuring all components of the CI/CD pipeline and associated resources are provisioned. ```bash npm run cdk deploy -- --all --region ${AWS_REGION} --profile $RES_ACCOUNT_AWS_PROFILE --qualifier ${CDK_QUALIFIER} ``` -------------------------------- ### Bootstrap AWS CDK DEV stage Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md Prepares the 'DEV' (Development) stage for AWS CDK deployment. This command bootstraps the AWS account, grants AdministratorAccess for CloudFormation execution, and establishes trust with the RES account, allowing cross-account deployments. ```bash npm run cdk bootstrap -- --profile $DEV_ACCOUNT_AWS_PROFILE --qualifier ${CDK_QUALIFIER} --cloudformation-execution-policies \ arn:aws:iam::aws:policy/AdministratorAccess \ --trust ${ACCOUNT_RES} aws://${ACCOUNT_DEV}/${AWS_REGION} ``` -------------------------------- ### AWS CDK Project Management and CI/CD Commands Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md A comprehensive list of `npm` commands for managing AWS CDK projects, including build, test, deployment, validation, and security auditing operations. These commands facilitate common development and CI/CD workflows. ```Shell npm ci ``` ```Shell npm run build ``` ```Shell npm run watch ``` ```Shell npm run test ``` ```Shell npm install ``` ```Shell npm run validate:fix ``` ```Shell npm run validate ``` ```Shell npm run audit ``` ```Shell npm run audit:deps:nodejs ``` ```Shell npm run audit:deps:python ``` ```Shell npm run audit:scan:security ``` ```Shell npm run audit:license ``` ```Shell npm run audit:fix:license ``` ```Shell npm run license ``` ```Shell npm run lint ``` ```Shell npm run lint:fix ``` ```Shell npm run cdk deploy -- --all ``` ```Shell npm run cdk diff ``` ```Shell npm run cdk synth -- --all ``` -------------------------------- ### Bootstrap new AWS CDK stage account Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md Bootstraps a new AWS CDK stage account (e.g., PRE_PROD). This command prepares the account for CDK deployments, grants AdministratorAccess, and establishes trust with the RES account, similar to other predefined stages. ```bash npm run cdk bootstrap -- --profile $PRE_PROD_ACCOUNT_AWS_PROFILE --qualifier ${CDK_QUALIFIER} --cloudformation-execution-policies \ arn:aws:iam::aws:policy/AdministratorAccess \ --trust ${ACCOUNT_RES} aws://${ACCOUNT_PRE_PROD}/${AWS_REGION} ``` -------------------------------- ### Update Project NOTICE File Locally Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This command updates the project's NOTICE file, which lists all dependencies and their associated licenses. Maintaining an up-to-date NOTICE file is essential for license compliance and is enforced as part of the CI/CD build step to ensure consistency. ```bash npm run audit:fix:license ``` -------------------------------- ### Bootstrap AWS CDK PROD stage Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md Prepares the 'PROD' (Production) stage for AWS CDK deployment. This command bootstraps the AWS account, grants AdministratorAccess, and establishes trust with a specified resources account. Variables like 'prod_account_id' and 'resources_account_id' must be updated before use. ```bash npm run cdk bootstrap -- --profile prod --qualifier ${CDK_QUALIFIER} --cloudformation-execution-policies \ arn:aws:iam::aws:policy/AdministratorAccess \ --trust resources_account_id aws://prod_account_id/your_aws_region ``` -------------------------------- ### List AWS CodeStar Connections via CLI Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This command-line snippet demonstrates how to list existing AWS CodeStar Connections using the AWS CLI. It requires specifying an AWS profile for the target account where the connections are configured. This is a prerequisite for integrating GitHub repositories with the CI/CD pipeline. ```bash aws codestar-connections list-connections --profile ${RES_ACCOUNT_AWS_PROFILE} ``` -------------------------------- ### Migrate requirements.txt to Pipfile with pipenv Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This command demonstrates how to convert an existing `requirements.txt` file into a `Pipfile` and `Pipfile.lock` using `pipenv`. It should be executed in the directory where `requirements.txt` is located, which will then be treated as a Python module. ```bash cd path-to-the-module pipenv install -r requirements.txt && pipenv lock ``` -------------------------------- ### Manage cdk.context.json for AWS CDK Context Caching Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This sequence of commands outlines the process to correctly manage `cdk.context.json` in version control. It involves removing it from `.gitignore`, regenerating it with the correct environment variables, and then adding it back to Git to ensure consistent CDK deployments across environments. ```bash ### 1. Remove cdk.context.json from .gitignore vi .gitignore ### remove cdk.context.json ### 2. Generate the cdk.context.json source exports_vars.sh ### source the env vars with the right account ids and profiles for RES/DEV/INT/PROD... npm run cdk synth ### this command generates the cdk.context.json ### 3. Add the cdk.context.json to git remote git add cdk.context.json ### re-add cdk.context.json git commit -am "feat: re-added cdk.context.json" git push -u origin ### Push changes to remote ``` -------------------------------- ### Prepare Local Environment Variables for CI/CD Boot Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This snippet shows how to make an `export_vars.sh` script executable and then source its defined environment variables into the current shell session. This step is crucial for configuring the local environment with necessary parameters before deploying the CI/CD pipeline. ```bash chmod +x export_vars.sh source export_vars.sh ``` -------------------------------- ### Configure AWS CDK AppConfig for Deployment Accounts Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This snippet demonstrates how to define deployment accounts and compliance log bucket names within the `config/AppConfig.ts` file. These configurations are crucial for managing different environments (RES, DEV, INT, PRE_PROD) in an AWS CDK pipeline. ```typescript const deploymentAccounts = { RES: Environment.getEnvVar('ACCOUNT_RES'), DEV: Environment.getEnvVar('ACCOUNT_DEV'), INT: Environment.getEnvVar('ACCOUNT_INT'), PRE_PROD: Environment.getEnvVar('ACCOUNT_PRE_PROD'), }; export const AppConfig: IAppConfig = { ... complianceLogBucketName: { RES: `compliance-log-${deploymentAccounts.RES}-${region}`, DEV: `compliance-log-${deploymentAccounts.DEV}-${region}`, INT: `compliance-log-${deploymentAccounts.INT}-${region}`, PRE_PROD: `compliance-log-${deploymentAccounts.PRE_PROD}-${region}`, }, ... } ``` -------------------------------- ### Configure License Check Rules Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This JSON configuration defines rules for the license check script, allowing customization of license compliance enforcement. It specifies prohibited licenses, and paths to exclude from verification for both NPM and Python projects, ensuring flexibility in managing dependencies. ```json { "failOnLicenses": ["AGPL"], "npm": { "excluded": [], "excludedSubProjects": ["./example/package.json"] }, "python": { "allowedTypes": ["Pipenv"], "excluded": [], "excludedSubProjects": ["./example/Pipfile"] } } ``` -------------------------------- ### Define environment variables for new AWS CDK stage Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md Adds environment variables for a new AWS CDK stage (e.g., PRE_PROD) to the `export_vars.sh` file. This includes the account ID and AWS profile, preparing the environment for bootstrapping the new stage. ```bash echo "export ACCOUNT_PRE_PROD=;" >> export_vars.sh; echo "export PRE_PROD_ACCOUNT_AWS_PROFILE=;" >> export_vars.sh; ``` -------------------------------- ### Overview of CICD Boot Security Controls Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/SECURITY.md A reference sheet detailing the various security tools integrated into CICD Boot, including their type, status, limitations, and a brief description. ```APIDOC Security Tools Reference: - AWS CDK NAG: Type: Static Application Security Testing Status: Enabled Limitations: None Description: cdk-nag integrates directly into AWS Cloud Development Kit (AWS CDK) applications to provide identification and reporting mechanisms similar to SAST tooling. - Amazon CodeGuru Reviewer: Type: Static Application Security Testing Status: Enabled Limitations: Supported with AWS CodeCommit repository only. Verify Pull Requests only and users can by pass Description: Detect vulnerabilities and automate code reviews with machine-learning powered recommendations. - Amazon CodeGuru Security: Type: Static Application Security Testing Status: Disabled Limitations: In preview release and subject to change. Description: A static application security testing (SAST) tool that combines machine learning (ML) and automated reasoning to identify vulnerabilities in your code, provide recommendations on how to fix, and track status until closure. - Better-NPM-Audit: Type: Dependency Scanning for Vulnerabilities Status: Enabled Limitations: Verifies NPM dependencies Description: Scans the dependencies for known vulnerabilities CVEs. - pip-audit: Type: Dependency Scanning for Vulnerabilities Status: Enabled Limitations: Verifies Python dependencies based on the provided Pipfiles. Description: Scans the dependencies for known vulnerabilities CVEs. - semgrep: Type: Static Security Code Scanner Status: Enabled Limitations: None Description: Scans the codebase for vulnerabilities. - shellcheck: Type: Static Security Code Scanner Status: Enabled Limitations: Analyses Shell Scripts Description: Scans the codebase for vulnerabilities. - Bandit: Type: Static Security Code Scanner Status: Enabled Limitations: Analyses Python source codes Description: Scans the codebase for vulnerabilities. ``` -------------------------------- ### Source environment variables for AWS CDK Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md Sources the `export_vars.sh` file to load newly defined or modified environment variables into the current shell session. This makes them available for subsequent CDK commands, such as bootstrapping new stages. ```bash source export_vars.sh ``` -------------------------------- ### CICD Boot Configuration Variables Reference Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/CONFIGVARS.md Reference for environment variables and `package.json` configurations used by CICD Boot, including their purpose and default values. These variables control deployment regions, account IDs, AWS profiles, application naming, Git repository details, VPC settings, and proxy configurations. ```APIDOC - ENV Variable: AWS_REGION Package.json config: N/A Default Value: N/A Description: deployment region - ENV Variable: ACCOUNT_RES Package.json config: N/A Default Value: N/A Description: account id for resources account where pipeline will run - ENV Variable: ACCOUNT_DEV Package.json config: N/A Default Value: N/A Description: account id for DEV environment account - ENV Variable: ACCOUNT_INT Package.json config: N/A Default Value: N/A Description: account id for INT environment account - ENV Variable: RES_ACCOUNT_AWS_PROFILE Package.json config: N/A Default Value: N/A Description: sets the named profile to use for the RES account. this profile must exist in `~/.aws/credentials` or `~/.aws/config` - ENV Variable: DEV_ACCOUNT_AWS_PROFILE Package.json config: N/A Default Value: N/A Description: sets the named profile to use for the DEV account. this profile must exist in `~/.aws/credentials` or `~/.aws/config` - ENV Variable: INT_ACCOUNT_AWS_PROFILE Package.json config: N/A Default Value: N/A Description: sets the named profile to use for the INT account. this profile must exist in `~/.aws/credentials` or `~/.aws/config` - ENV Variable: AWS_PROFILE Package.json config: N/A Default Value: N/A Description: sets the default named profile to use for aws cli or cdk commands when no `--profile` is provided. set to the same value as `RES_ACCOUNT_AWS_PROFILE` this profile must exist in `~/.aws/credentials` or `~/.aws/config` - ENV Variable: N/A Package.json config: applicationName Default Value: CICDBoot Description: sets the name of the Application - ENV Variable: CDK_QUALIFIER Package.json config: cdkQualifier Default Value: cicdboot Description: used to distinguish between multiple deployments of a VP project in the same account. Good practice to customize per deployment. - ENV Variable: GIT_REPOSITORY Package.json config: repositoryName Default Value: N/A Description: sets the name of the Git repository in the format org/name - ENV Variable: N/A Package.json config: repositoryType Default Value: N/A Description: sets the type of the repository, `GITHUB` or `CODECOMMIT` - ENV Variable: CODESTAR_CONNECTION_ARN Package.json config: N/A Default Value: N/A Description: sets the codestar connection required for GITHUB type - ENV Variable: CICD_VPC_TYPE Package.json config: cicdVpcType Default Value: NO_VPC Description: sets the type of the VPC: `NO_VPC`, `VPC`, or `VPC_FROM_LOOK_UP`. - ENV Variable: CICD_VPC_ID Package.json config: cicdVpcId Default Value: N/A Description: for use with `VPC_FROM_LOOK_UP` to set the vpc ID - ENV Variable: CICD_VPC_CIDR Package.json config: cicdVpcCidr Default Value: 172.31.0.0/20 Description: for use with `VPC` to set the CIDR block of the VPC - ENV Variable: CICD_VPC_CIDR_MASK Package.json config: cicdVpcCidrMask Default Value: 24 Description: for use with `VPC` to set the Subnet size - ENV Variable: PROXY_SECRET_ARN Package.json config: N/A Default Value: N/A Description: used to set the ARN for the proxy secrets to enable proxy ``` -------------------------------- ### Update AWS CDK PipelineStack with AppConfig Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This code shows how to update the `PipelineStack` definition in `bin/app.ts` to utilize the newly created configurations from `AppConfig.ts`. It ensures that the pipeline's environment and deployment stages are correctly mapped to the defined accounts and regions. ```typescript new PipelineStack(app, `${AppConfig.applicationName}PipelineStack`, { env: { account: AppConfig.deploymentAccounts.RES, region: AppConfig.region }, applicationName: AppConfig.applicationName, applicationQualifier: AppConfig.applicationQualifier, logRetentionInDays: AppConfig.logRetentionInDays, deployments: { RES: { account: AppConfig.deploymentAccounts.RES, region: AppConfig.region }, DEV: { account: AppConfig.deploymentAccounts.DEV, region: AppConfig.region }, INT: { account: AppConfig.deploymentAccounts.INT, region: AppConfig.region }, PRE_PROD: { account: AppConfig.deploymentAccounts.PRE_PROD, region: AppConfig.region }, }, ... } ``` -------------------------------- ### Validate and Update Node.js Package Dependencies Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This snippet provides a sequence of bash commands to ensure local Node.js dependencies are fresh, generate a package-lock.json checksum for CI/CD validation, and update the project's NOTICE file with current package versions. It is crucial for maintaining dependency consistency and ensuring CI/CD pipeline integrity. ```bash rm -rf node_modules ### remove the locally downloaded npm dependencies npm install ### install fresh from the package.json, this will generate package-lock.json as well npm run validate:fix ### will generate the checksum for the package-lock.json which is checked in the CI/CD npm run audit:fix:license ### will update the NOTICE file with the updated package versions ``` -------------------------------- ### Update Pipfile.lock with pipenv Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This command updates the `Pipfile.lock` file, which records the exact versions of all project dependencies. It ensures that all team members use the same dependency versions. ```bash pipenv lock ``` -------------------------------- ### Amazon CodeGuru Reviewer Integration and Configuration Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/SECURITY.md Details on how Amazon CodeGuru Reviewer is integrated into pipelines with AWS CodeCommit, its automated code review capabilities, and how to enable or disable its scanning via configuration. ```APIDOC Tool: Amazon CodeGuru Reviewer Description: Detects vulnerabilities and automates code reviews with machine-learning powered recommendations. Integration: Included in pipelines created with AWS CodeCommit as VCS. Functionality: Automatically reviews created Pull Requests and provides actionable recommendations. Recommendation Access: Available directly on Pull Requests or via AWS Console / Amazon CodeGuru / Reviewer / Code Reviews. Configuration: - Enable/Disable: Controlled by `AppConfig.repositoryConfig.CODECOMMIT.codeGuruReviewer`. - Status: Enabled if `true`, disabled if `false`. ``` -------------------------------- ### Push Local Repository to AWS CodeCommit Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md These commands configure your local Git repository to push changes to an AWS CodeCommit remote. It involves adding a 'downstream' remote, committing an initial change, and pushing the current branch to the 'main' branch of the CodeCommit repository. ```bash CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD); git remote add downstream codecommit::${AWS_REGION}://${RES_ACCOUNT_AWS_PROFILE}@${GIT_REPOSITORY}; git commit -am "feat: init downstream"; git push -u downstream ${CURRENT_BRANCH}:main ### default branch for CodePipeline can be configured in config/AppConfig.ts ``` -------------------------------- ### GitHub Actions Integration for Security Checks Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/SECURITY.md GitHub Actions executes enabled security checks as part of pull request checks, failing the build if issues are found. For Bandit, Shellcheck, and Semgrep, findings are converted to Junit and Checkstyle outputs for easier troubleshooting in the 'Files changed' tab. ```APIDOC GitHub Actions Security Checks: - Execution: Enabled security checks run as part of pull request checks. - Failure Condition: Corresponding check fails if any enabled security tool identifies an issue. - Reporting (Bandit, Shellcheck, Semgrep): - Findings converted to Junit and Checkstyle outputs. - Presented in the `Files changed` tab for troubleshooting. - Report Interpretation: - `Checkstyle Source Code Analyzer report`: `0 violation(s) found` indicates no Shellcheck issues. - `JUnit Test Report`: `No test results found!` indicates no Semgrep or Bandit issues. - Note: Actual security scanning is part of `Security Scans`, not `Checkstyle Source Code Analyzer` or `JUnit` reports, thus execution times for these reports will be 0. ``` -------------------------------- ### AWS CDK Nag Integration and Usage Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/SECURITY.md Detailed explanation of how cdk-nag integrates into AWS CDK applications, its purpose in identifying insecure infrastructure patterns, and its mandatory usage within the CICD Boot project. ```APIDOC Tool: AWS CDK Nag Description: cdk-nag integrates directly into AWS Cloud Development Kit (AWS CDK) applications to provide identification and reporting mechanisms similar to SAST tooling. Functionality: - Applied as a CDK Aspect. - Looks for patterns indicating insecure infrastructure (e.g., overly permissive IAM/Security Group rules, disabled access logs/encryption, password literals). Application Points: - On the CDK application (bin/app.ts). - On AppStages deployed by CodePipeline (lib/cdk-pipeline/app/AppStage.ts). Execution Phase: During the `cdk synth` phase. Suppression: Recommended to suppress rules in dedicated stacks rather than centrally. Central suppression (utils/suppression.ts) should be used only for application-wide approved suppressions (e.g., AWSLambdaBasicExecutionRole). Mandatory Usage: Essential for IaaC security, mandatory to use. ``` -------------------------------- ### Enable/Disable Semgrep Security Scanner Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/SECURITY.md Semgrep accelerates security by scanning code and package dependencies for known issues, vulnerabilities, and secrets. Its integration into the CI/CD pipeline is controlled by adding or removing an entry in the `SECURITY_SCANNERS` list within a shell script. ```Shell Script Add/remove the `semgrep` entry to/from the `SECURITY_SCANNERS` list in `scripts/check-code-scan-security.sh`. ``` -------------------------------- ### Enable/Disable Shellcheck Static Analysis Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/SECURITY.md ShellCheck is a static analysis tool specifically for shell scripts. Its activation in the CI/CD pipeline is managed by modifying the `SECURITY_SCANNERS` list in a shell script. ```Shell Script Add/remove the `shellcheck` entry to/from the `SECURITY_SCANNERS` list in `scripts/check-code-scan-security.sh`. ``` -------------------------------- ### Disable AWS CDK Pipeline Stage for INT Account Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/README.md This command sequence allows you to disable the integration (INT) account in your AWS CDK CICD pipeline. It sets the ACCOUNT_INT environment variable to '-' and then triggers a full CDK deployment across all stages, ensuring the INT account is no longer targeted. Remember to manually delete CloudFormation resources on the previous INT account after performing this operation. ```bash export ACCOUNT_INT="-" npm run cdk deploy -- --all --region ${AWS_REGION} --profile $RES_ACCOUNT_AWS_PROFILE --qualifier ${CDK_QUALIFIER} ``` -------------------------------- ### Configure Amazon CodeGuru Security Scan Threshold Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/SECURITY.md Amazon CodeGuru Security is a SAST tool for identifying code vulnerabilities. It integrates into the build stage of a CI/CD pipeline, stopping it for high-severity findings. The scan threshold can be adjusted via the `AppConfig.codeGuruScanThreshold` configuration option. ```Configuration To enable/disable: Set or remove `AppConfig.codeGuruScanThreshold`. If present, scanning is enabled; if missing, it is disabled. Example: `AppConfig.codeGuruScanThreshold = 'High'` ``` -------------------------------- ### Enable/Disable Bandit Python Security Scanner Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/SECURITY.md Bandit is a tool designed to find common security issues in Python code by processing ASTs. Its inclusion in the CI/CD pipeline is controlled by modifying the `SECURITY_SCANNERS` list in a shell script. ```Shell Script Add/remove the `bandit` entry to/from the `SECURITY_SCANNERS` list in `scripts/check-code-scan-security.sh`. ``` -------------------------------- ### Disable pip-audit for Python Dependencies Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/SECURITY.md pip-audit is a tool for scanning Python environments for packages with known vulnerabilities, using the Python Packaging Advisory Database. It can be disabled by removing a specific script from the `package.json` file. ```JSON Remove the `audit:deps:python` script from the `package.json` file. ``` -------------------------------- ### Disable Better NPM Audit for Node.js Projects Source: https://github.com/aws-samples/aws-cdk-cicd-boot-sample/blob/main/SECURITY.md Better NPM Audit provides additional features on top of existing npm audit options for security audits in Node.js projects. It can be disabled by removing a specific script from the `package.json` file. ```JSON Remove the `audit:deps:nodejs` script from the `package.json` file. ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.