diff --git a/.github/workflows/aws-ci.yml b/.github/workflows/aws-ci.yml
index b960c3fa2..4c2eace7b 100644
--- a/.github/workflows/aws-ci.yml
+++ b/.github/workflows/aws-ci.yml
@@ -16,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Configure Load Balancer Credentials
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4
+ uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4
 with:
 role-to-assume: ${{ secrets.CI_MAIN_TESTING_ACCOUNT_ROLE_ARN }}
 role-duration-seconds: 7200
@@ -29,7 +29,7 @@ jobs:
 $roleArn=$(cat ./response.json)
 "roleArn=$($roleArn -replace '"', '')" >> $env:GITHUB_OUTPUT
 - name: Configure Test Runner Credentials
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4
+ uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4
 with:
 role-to-assume: ${{ steps.lambda.outputs.roleArn }}
 role-duration-seconds: 7200
@@ -41,7 +41,7 @@ jobs:
 project-name: ${{ secrets.CI_TESTING_CODE_BUILD_PROJECT_NAME }}
 - name: Configure Test Sweeper Lambda Credentials
 if: always()
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4
+ uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4
 with:
 role-to-assume: ${{ steps.lambda.outputs.roleArn }}
 role-duration-seconds: 7200
diff --git a/.github/workflows/change-file-in-pr.yml b/.github/workflows/change-file-in-pr.yml
index 7204e3101..7a1b4d90d 100644
--- a/.github/workflows/change-file-in-pr.yml
+++ b/.github/workflows/change-file-in-pr.yml
@@ -12,11 +12,11 @@ jobs:
 steps:
 - name: Checkout PR code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Get List of Changed Files
 id: changed-files
- uses: tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf #v45
+ uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c #v45
 - name: Check for Change File(s) in .autover/changes/
 run: |
diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
index 3691dead6..bceb11297 100644
--- a/.github/workflows/closed-issue-message.yml
+++ b/.github/workflows/closed-issue-message.yml
@@ -6,7 +6,7 @@ jobs:
 auto_comment:
 runs-on: ubuntu-latest
 steps:
- - uses: aws-actions/closed-issue-message@v1
+ - uses: aws-actions/closed-issue-message@v2
 with:
 # These inputs are both required
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml
index 2f70cbf28..d78c0b4bc 100644
--- a/.github/workflows/create-release-pr.yml
+++ b/.github/workflows/create-release-pr.yml
@@ -31,14 +31,14 @@ jobs:
 aws-region: us-west-2
 # Retrieve the Access Token from Secrets Manager
 - name: Retrieve secret from AWS Secrets Manager
- uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8
+ uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 #v2.0.9
 with:
 secret-ids: |
 AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}
 parse-json-secrets: true
 # Checkout a full clone of the repo
 - name: Checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 #v4.2.2
 with:
 fetch-depth: '0'
 token: ${{ env.AWS_SECRET_TOKEN }}
diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
index 1ae557e76..4d785c99d 100644
--- a/.github/workflows/semgrep-analysis.yml
+++ b/.github/workflows/semgrep-analysis.yml
@@ -5,7 +5,7 @@ on:
 pull_request:
 push:
- branches: ["dev", "main"]
+ branches: ["dev", "master"]
 schedule:
 - cron: '23 20 * * 1'
@@ -35,7 +35,7 @@ jobs:
 p/owasp-top-ten
 - name: Upload SARIF file for GitHub Advanced Security Dashboard
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 #v3.28.16
 with:
 sarif_file: semgrep.sarif
- if: always()
\ No newline at end of file
+ if: always()
diff --git a/.github/workflows/sync-master-dev.yml b/.github/workflows/sync-master-dev.yml
index eb0a3ae65..c50e20a05 100644
--- a/.github/workflows/sync-master-dev.yml
+++ b/.github/workflows/sync-master-dev.yml
@@ -32,14 +32,14 @@ jobs:
 aws-region: us-west-2
 # Retrieve the Access Token from Secrets Manager
 - name: Retrieve secret from AWS Secrets Manager
- uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8
+ uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 #v2.0.9
 with:
 secret-ids: |
 AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}
 parse-json-secrets: true
 # Checkout a full clone of the repo
 - name: Checkout code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 #v4.2.2
 with:
 ref: dev
 fetch-depth: 0
@@ -111,7 +111,7 @@ jobs:
 steps:
 # Checkout a full clone of the repo
 - name: Checkout code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 #v4.2.2
 with:
 ref: releases/next-release
 fetch-depth: 0
diff --git a/.github/workflows/update-Dockerfiles.yml b/.github/workflows/update-Dockerfiles.yml
index 03846fb0d..18141b8a2 100644
--- a/.github/workflows/update-Dockerfiles.yml
+++ b/.github/workflows/update-Dockerfiles.yml
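Review bot: The `upload-sarif` step pinned in the second hunk requires the `security-events: write` permission, and the `on:` block in the first hunk keeps an unfiltered `pull_request` trigger, under which runs for PRs from forks get a read-only `GITHUB_TOKEN` and the upload fails even though `if: always()` forces the step to run. The job's `permissions:` block is outside this hunk, so please confirm it grants `security-events: write` and consider gating the step for forks, e.g. `if: always() && github.event.pull_request.head.repo.fork == false`. The `"main"` → `"master"` change in the first hunk looks consistent with the sibling `sync-master-dev.yml` workflow, but it is worth double-checking the repository's actual default branch, since a wrong filter silently disables the scheduled-plus-push coverage on the branch that matters.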
@@ -45,7 +45,7 @@ jobs:
 # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
 # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 #v4.2.2
 with:
 ref: 'dev'
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 000000000..5a02b9ea5
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1,15 @@
+# Ignore test and example files containing dummy credentials
+**/test/**/*.json
+**/tests/**/*.json
+**/SampleRequests/**/*.json
+**/*.example.*
+**/*.test.*
+**/*.min.js
+**/env.configs.yml
+
+# Ignore third-party libraries
+**/node_modules/**
+**/vendor/**
+**/dist/**
+**/build/**
+**/bootstrap/**/*.js
diff --git a/LambdaRuntimeDockerfiles/sample/Sample/Dockerfile b/LambdaRuntimeDockerfiles/sample/Sample/Dockerfile
index 755f2f08e..653983f67 100644
--- a/LambdaRuntimeDockerfiles/sample/Sample/Dockerfile
+++ b/LambdaRuntimeDockerfiles/sample/Sample/Dockerfile
@@ -17,4 +17,7 @@ RUN dotnet publish "Sample.csproj" -c Release -o /app/publish
 FROM base AS final
 COPY --from=publish /app/publish ${LAMBDA_TASK_ROOT}
 # ref. https://docs.aws.amazon.com/lambda/latest/dg/csharp-handler.html#csharp-handler-signatures
+# Create a non-root user and switch to it
+RUN adduser --disabled-password --gecos "" appuser
+USER appuser
 CMD [ "Sample::Sample.Function::FunctionHandler" ]
diff --git a/Libraries/src/Amazon.Lambda.Annotations/LambdaStartupAttribute.cs b/Libraries/src/Amazon.Lambda.Annotations/LambdaStartupAttribute.cs
index c426f48eb..f46a17800 100644
--- a/Libraries/src/Amazon.Lambda.Annotations/LambdaStartupAttribute.cs
+++ b/Libraries/src/Amazon.Lambda.Annotations/LambdaStartupAttribute.cs
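Review bot: The patterns `**/*.example.*`, `**/env.configs.yml`, `**/dist/**` and `**/build/**` in the new `.semgrepignore` exclude those paths from every Semgrep rule, not only from the secret-detection rules the header comment says are noisy on dummy credentials, so a real key that lands in an example or env config file, or a vulnerable pattern in built JavaScript, is no longer scanned at all — and those are precisely the files where credentials tend to leak. Consider keeping the `test`/`tests`/`SampleRequests` JSON globs and the third-party directories but dropping the config-file globs, and silencing the remaining dummy-credential hits per rule (a `paths: exclude:` entry on the offending rule in the rules config) rather than per file. It is also worth confirming against the Semgrep docs whether a repo-level `.semgrepignore` replaces the built-in default list; if it does, entries such as `.git/` and `:include .gitignore` that were previously applied implicitly need to be added here explicitly.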
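Review bot: `RUN adduser --disabled-password --gecos "" appuser` uses options specific to Debian's `adduser`; the `base` stage is defined outside this hunk, and if it is the Amazon Linux-based Lambda .NET image its `adduser` is the shadow-utils variant, which rejects `--disabled-password` and `--gecos` and would fail the build. A form that works on both families is `RUN useradd --system --no-create-home --shell /usr/sbin/nologin appuser`. Also confirm that `${LAMBDA_TASK_ROOT}` populated by the preceding `COPY` is readable by `appuser` (the copy runs as root with default modes), and since whether the Lambda service honors the image's `USER` at invocation time is not visible here, a one-line comment stating what this buys at runtime versus in local `docker run` would help the next reader.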
@@ -7,7 +7,7 @@ namespace Amazon.Lambda.Annotations
 /// can be injected into Lambda functions.
 ///
 ///
- /// The class should implement a ConfigureServices method that
+ /// The class should implement a ConfigureHostBuilder method (recommended) or ConfigureServices (legacy) that
 /// adds one or more services to an IServiceCollection.
 ///
 [AttributeUsage(AttributeTargets.Class)]
diff --git a/Libraries/test/TestServerlessApp/serverless.template b/Libraries/test/TestServerlessApp/serverless.template
index 06d788b8f..fc39db53e 100644
--- a/Libraries/test/TestServerlessApp/serverless.template
+++ b/Libraries/test/TestServerlessApp/serverless.template
@@ -18,7 +18,11 @@
 {
 "Ref": "ArchitectureTypeParameter"
 }
- ]
+ ],
+ "Tags": {
+ "aws-tests": "TestServerlessApp",
+ "aws-repo": "aws-lambda-dotnet"
+ }
 }
 },
 "Resources": {