Skip to content

fix(config): updated config schema to not include optional modules by default #148

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 24, 2025
Merged

fix(config): updated config schema to not include optional modules by default #148

merged 2 commits into from
May 24, 2025

Conversation

scrthq
Copy link
Contributor

@scrthq scrthq commented May 23, 2025

No description provided.

@github-actions GitHub Actions
Copy link

github-actions bot commented May 23, 2025
edited
Loading

ASH Security Scan Report

  • Report generated: 2025-05-23T23:28:23+00:00
  • Time since scan: 1 minute

Scan Metadata

  • Project: ASH
  • Scan executed: 2025-05-23T23:27:00+00:00
  • ASH version: 3.0.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

  • Severity levels: Suppressed (S), Critical (C), High (H), Medium (M), Low (L), Info (I)
  • Duration (Time): Time taken by the scanner to complete its execution
  • Actionable: Number of findings at or above the threshold severity level
  • Result:
    • PASSED = No findings at or above threshold
    • FAILED = Findings at or above threshold
    • ⚠️ MISSING = Required dependencies not available
    • ⏭️ SKIPPED = Scanner explicitly disabled
  • Threshold: The minimum severity level that will cause a scanner to fail (ALL, LOW, MEDIUM, HIGH, CRITICAL)
    • Values in parentheses indicate where the threshold is set in order of precedence:
      • env (ASH_SEVERITY_THRESHOLD environment variable)
      • config (scanner config section in the ASH_CONFIG used)
      • scanner (default configuration in the plugin, if explicitly set)
      • global (global_settings section in the ASH_CONFIG used)
  • Note: Suppressed findings are counted separately and do not contribute to actionable findings
Scanner Suppressed Critical High Medium Low Info Actionable Result Threshold
bandit 0 0 0 0 1 0 0 ✅ Passed MEDIUM (global)
cdk-nag 35 0 0 0 0 0 0 ✅ Passed MEDIUM (global)
cfn-nag 9 0 0 0 0 0 0 ✅ Passed MEDIUM (global)
checkov 21 0 5 0 0 0 5 ❌ Failed MEDIUM (global)
detect-secrets 70 0 0 0 0 0 0 ✅ Passed MEDIUM (global)
grype 0 0 3 0 0 0 3 ❌ Failed MEDIUM (global)
npm-audit 0 0 0 0 0 0 0 ✅ Passed MEDIUM (global)
opengrep 0 0 0 0 0 0 0 ✅ Passed MEDIUM (global)
semgrep 0 0 0 0 0 0 0 ✅ Passed MEDIUM (global)
syft 0 0 0 0 0 0 0 ✅ Passed MEDIUM (global)

Top 6 Hotspots

Files with the highest number of security findings:

Finding Count File Location
3 poetry.lock
1 .github/workflows/ash-repo-scan-validation.yml
1 .github/workflows/ash-repo-scan.yml
1 .github/workflows/ash-repo-unit-tests.yml
1 docs/content/tutorials/CI/GitHubActions/.github/workflows/run-ash-scan.yml
1 docs/content/tutorials/CI/AzurePipelines/azure-pipelines.yml

Detailed Findings

Show 8 actionable findings

Finding 1: CKV2_GHA_1

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV2_GHA_1
  • Location: .github/workflows/ash-repo-scan-validation.yml:1

Description:
Ensure top-level permissions are not set to write-all

Finding 2: CKV2_GHA_1

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV2_GHA_1
  • Location: .github/workflows/ash-repo-scan.yml:1-2

Description:
Ensure top-level permissions are not set to write-all

Finding 3: CKV2_GHA_1

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV2_GHA_1
  • Location: .github/workflows/ash-repo-unit-tests.yml:1-2

Description:
Ensure top-level permissions are not set to write-all

Finding 4: CKV2_GHA_1

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV2_GHA_1
  • Location: docs/content/tutorials/CI/GitHubActions/.github/workflows/run-ash-scan.yml:1

Description:
Ensure top-level permissions are not set to write-all

Finding 5: CKV_AZUREPIPELINES_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AZUREPIPELINES_2
  • Location: docs/content/tutorials/CI/AzurePipelines/azure-pipelines.yml:32-47

Description:
Ensure container job uses a version digest

Code Snippet:

- job: scanInContainerJob
    container: ${{ variables.ASH_IMAGE_REPO }}:${{ variables.ASH_IMAGE_TAG }}
    displayName: Run ASH in Container Job
    steps:
      - checkout: self
      - script: |
          ash \
            --source-dir "$(pwd)" \
            --output-dir "${{ variables.ASH_OUTPUT_PATH }}"
        name: runash
        displayName: Run ASH scan
      - publish: ${{ variables.ASH_OUTPUT_PATH }}
        artifact: ${{ variables.ASH_OUTPUT_PATH }}
        condition: succeededOrFailed()

Finding 6: GHSA-7cx3-6m66-7c5m-tornado

Description:
A high vulnerability in python package: tornado, version 6.4.2 was found at: /poetry.lock

Finding 7: GHSA-3wwr-3g9f-9gc7-asteval

Description:
A high vulnerability in python package: asteval, version 1.0.5 was found at: /poetry.lock

Finding 8: GHSA-vp47-9734-prjw-asteval

Description:
A high vulnerability in python package: asteval, version 1.0.5 was found at: /poetry.lock

Report generated by Automated Security Helper (ASH) at 2025-05-23T23:28:23+00:00

@scrthq scrthq merged commit 00545dd into beta May 24, 2025
37 of 38 checks passed
@scrthq scrthq deleted the feat/v3/cleanup-workflow branch May 24, 2025 19:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@scrthq