aws-actions / codeguru-reviewer Goto Github PK

License: Apache License 2.0

codeguru-reviewer's Introduction

Amazon CodeGuru Reviewer for GitHub Actions

Amazon CodeGuru Reviewer finds issues in your Java and Python code and provides recommendations on how to remediate them. CodeGuru Reviewer identifies

Code quality issues, such as deviation from best practices with AWS APIs and SDKs, concurrency issues, resource leaks, and incorrect input validation
Security vulnerabilities, such as risks from the top 10 OWASP categories.

Amazon CodeGuru Reviewer action can be triggered by a pull request, push, or scheduled run of your CI/CD pipeline.

Pull requests - Code quality & security recommendations for your changed lines of code are shown in the pull request.
Push - Code quality and security recommendations are shown in the security tab
Manual / Scheduled runs - Code quality and security recommendations are shown in the security tab

For more information about setup, see Create code reviews with GitHub Actions in the Amazon CodeGuru Reviewer User Guide.

To add CodeGuru Reviewer to your CI/CD pipeline, follow the steps under the Usage section.

Usage

Step 1: Set up Your workflow.yml File

Add checkout to your workflow:

For CodeGuru to run, check out your repository using actions/checkout@v2. You will need to set fetch-depth: 0 to fetch all history for all branches and tags. For example:

- name: Checkout repository
  uses: actions/checkout@v2
  with:
    fetch-depth: 0 # This is a required field for CodeGuru

Provide your AWS Credentials:

We recommend following the instructions and using aws-actions/configure-aws-credentials to configure your credentials for a job. The IAM user or IAM role requires AmazonCodeGuruReviewerFullAccess policy and S3 permissions (s3:PutObject, s3:ListBucket, s3:GetObject) for the "codeguru-reviewer-*" S3 bucket. The CodeGuru Reviewer action supports credentials from GitHub hosted runners and self-hosted runners.

Step 2: Add Amazon CodeGuru Reviewer Action

The source_path is assumed to be the root of the repository (e.g. ".").

Input Parameters:

s3_bucket: Required. When you run a CodeGuru scan, your code is first uploaded into an S3 bucket in your AWS account. Provide the name of the S3 bucket you are using. Its name must begin with a prefix of “codeguru-reviewer-”. If you haven’t created a bucket, you can create one using the bucket policy outlined in this CloudFormation template (JSON or YAML) or by following these instructions. Your data is always protected with CodeGuru using these data protection practices.
build_path: Optional. In order to receive security recommendations from CodeGuru, you will need to upload your code’s build artifact to the S3 bucket. Use this optional parameter to provide the build_path of the artifact. Your build files can be .jar or .class files.
kms_key_id: Optional. A customer created kms key for encrypting your code. If not provided, CodeGuru Reviewer will encrypt your code using a kms key that AWS owns and manages for you.

- name: CodeGuru Reviewer
  uses: aws-actions/[email protected]
  with:
    build_path: target # build artifact(s) directory
    s3_bucket: codeguru-reviewer-myactions-bucket # S3 Bucket with "codeguru-reviewer-*" prefix

Step 3: Upload Results to GitHub

After your job is completed, you can view your results within the AWS Console or GitHub. To view the results in GitHub, we recommend uploading the results generated in the SARIF (Static Analysis Results Interchange Format) into GitHub using the following example codeql-action. For more details, see the upload instructions in the GitHub documentation.

- name: Upload review result
  if: ${{ github.event_name != 'push' }}
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: codeguru-results.sarif.json # Your results file will be named codeguru-results.sarif.json

Example:

steps:

# Step 1: Checkout the repository and provide your AWS credentials
- name: Checkout repository
  uses: actions/checkout@v2
  with:
    fetch-depth: 0

- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-west-2  # Region to access CodeGuru 

# Step 2: Add CodeGuru Reviewer Action
- name: CodeGuru Reviewer
  uses: aws-actions/[email protected]
  with:
    build_path: target # build artifact(s) directory
    s3_bucket: codeguru-reviewer-my-bucket  # S3 Bucket with "codeguru-reviewer-*" prefix
 
# Step 3: Upload results into GitHub
- name: Upload review result
  if: ${{ github.event_name != 'push' }}
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: codeguru-results.sarif.json

Recommendations

After you run the CodeGuru Reviewer Action, security findings and code quality recommendations are posted on the Security tab in the GitHub UI and in the Code Reviews section of the CodeGuru Reviewer console.

The following is an example of CodeGuru Reviewer recommendations for a Push or Schedule event on the Security tab in the GitHub UI.

The following is an example of CodeGuru Reviewer recommendations for a Pull Request event in the Pull Request view.

Security

See CONTRIBUTING for more information.

License

This library is licensed under the Apache-2.0 License. See the LICENSE file.

codeguru-reviewer's People

Contributors

Stargazers

Watchers

codeguru-reviewer's Issues

ERROR Exception occurred while associating the repository

Receiving the following error in the workflow step for CodeGuru Reviewer:

2022-02-17 05:04:28,184 INFO No existing associations found for githubreponame, creating a new one
2022-02-17 05:07:43,485 ERROR Exception occurred while associating the repository
Traceback (most recent call last):
botocore.exceptions.WaiterError: Waiter RepositoryAssociationSucceeded failed: Max attempts exceeded. Previously accepted state: For expression "RepositoryAssociation.State" we matched expected path: "Associating"
2022-02-17 05:07:43,485 ERROR Exception occurred while executing
botocore.exceptions.WaiterError: Waiter RepositoryAssociationSucceeded failed: Max attempts exceeded. Previously accepted state: For expression "RepositoryAssociation.State" we matched expected path: "Associating"

Running aws codeguru-reviewer list-repository-associations I can see:

{
    "RepositoryAssociationSummaries": [
        {
            "AssociationArn": "arn:aws:codeguru-reviewer:ap-southeast-2:123456789012:association:abcde123-abcde123-abcde123-abcde123",
            "LastUpdatedTimeStamp": "2022-02-17T15:04:30.371000+10:00",
            "AssociationId": "abcde123-abcde123-abcde123-abcde123",
            "Name": "githubreponame",
            "Owner": "123456789012",
            "ProviderType": "S3Bucket",
            "State": "Failed"
        }
    ]
}

c362ab33f30596d08f93abc44645e78790c1171c

Originally posted by @will234 in google/leveldb#1024 (comment)

J

a5c3785ed8d6a35868bc169f07e40e889087fd2e

GitHub Action linking incorrect repository source on CodeGuru CI Workflow?

After associating a GitHub repository to CodeGuru, using aws-actions/[email protected], I can see that a new CI Workflow is created in the CodeGuru GUI.

When I look at the workflow name, the Workflow name link takes me to https://s3.console.aws.amazon.com/s3/buckets/my-org-my-repo?region=us-east-1

Is there any way to change this workflow name link from the CodeGuru GUI to direct me to the GitHub repository page, or somewhere different? That s3 bucket does not exist, and the link seems to be generated based on a combination of my-org and my-repo.

Ability to change the path of the code

It would be great if we can configure the path of the source code it's going to scan. It seems like it's a limitation per this link in the docs and when I have my code in a folder called lambdas it shows me 0 lines of code scanned.

The source_path is assumed to be the root of the repository (e.g. ".").

TMONROE81

CodeGuru Review step fails with strange error

Hi,

I have a repository containing a java backend as well as a vue.js frontend.
Initially, I'd like to get the reviews working and have configured the following:

      - name: CodeGuru Reviewer
        uses: aws-actions/[email protected]
        with:
          build_path: ${{ env.BACK_END_WORKING_DIR }}/target
          s3_bucket: codeguru-reviewer-mybucket

However, I get the following error:

2021-07-14 02:23:38,374 ERROR Exception occurred while executing
ValueError: ZIP does not support timestamps before 1980

It seems like this is coming from some of my node_modules dependencies from my frontend, however I'm not sure why it would even be trying to zip these files together considering I gave the path to my backend target which should just contain my backend java classes and jar file etc.

As a test, if I run an intermediate step to 'touch' all the files with a broken modified time, it continues but then I get this error:

2021-07-14 02:42:57,855 INFO All files zipped successfully
2021-07-14 02:42:57,855 INFO File generated at path /github/workspace/source.zip with size: 295333246 bytes
2021-07-14 02:43:08,339 INFO build_root: ./backend/target
2021-07-14 02:43:12,511 INFO All files zipped successfully
2021-07-14 02:43:12,512 INFO File generated at path /github/workspace/build.zip with size: 104034766 bytes
2021-07-14 02:43:19,071 ERROR Exception occurred while submitting the code review request
Traceback (most recent call last):
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the CreateCodeReview operation: You don't have access to GUID-HERE/source.zip or it doesn't exist.
2021-07-14 02:43:19,072 ERROR Exception occurred while executing
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the CreateCodeReview operation: You don't have access to GUID-HERE/source.zip or it doesn't exist.

My ci-cd user has the AmazonCodeGuruReviewerFullAccess policy attached and full access to the S3 bucket as well.
I have added debug on for the step/action but this is all the information I get.
I'm a little stuck here, can someone point me in the right direction?

Regards,
Terry

Broken links for bandit suggestions in codeguru results

The bandit suggestions after codeguru analysis for api usage recommendations are display with broken links.

Example:
Consider possible security implications associated with subprocess module. [https://bandit.readthedocs.io/en/latest/blacklists/blacklist\_imports.html#b404-import-subprocess](https://bandit.readthedocs.io/en/latest/blacklists/blacklist%5C_imports.html#b404-import-subprocess)

The underscores are not handled correctly during link formatting. It would be great if this could be resolved.

So basically this should be:
Broken: https://bandit.readthedocs.io/en/latest/blacklists/blacklist\_imports.html#b404-import-subprocess
Fix: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess

K

a5c3785ed8d6a35868bc169f07e40e889087fd2e

Originally posted by @will234 in #19

Very Slow Reviewer Step

Not sure why it take us so long to run the CodeGuru Reviewer step in the action. I guess it's caused by the huge source.zip file size?
We have 250+MB of the source.zip. and 90% of the size is caused by .git folder.
I'm not sure why codeguru reviewer need to use the .git folder. Can anyone explain and solve it?