feat(docs, aws reporters): Lots of doc updates, also added BedrockSum…

[scrthq]

…maryReporter and S3Reporter bases (mostly working, some small changes needed still)

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[github-actions]

ASH Security Scan Report

• Report generated: 2025-06-11T02:22:16+00:00
• Time since scan: 1 minute

Scan Metadata

• Project: ASH
• Scan executed: 2025-06-11T02:20:25+00:00
• ASH version: 3.0.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

• Severity levels: Suppressed (S), Critical (C), High (H), Medium (M), Low (L), Info (I)
• Duration (Time): Time taken by the scanner to complete its execution
• Actionable: Number of findings at or above the threshold severity level
• Result:
  • ✅ PASSED = No findings at or above threshold
  • ❌ FAILED = Findings at or above threshold
  • ⚠️ MISSING = Required dependencies not available
  • ⏭️ SKIPPED = Scanner explicitly disabled
• Threshold: The minimum severity level that will cause a scanner to fail (ALL, LOW, MEDIUM, HIGH, CRITICAL)
  • Values in parentheses indicate where the threshold is set in order of precedence:
    • env (ASH_SEVERITY_THRESHOLD environment variable)
    • config (scanner config section in the ASH_CONFIG used)
    • scanner (default configuration in the plugin, if explicitly set)
    • global (global_settings section in the ASH_CONFIG used)
• Note: Suppressed findings are counted separately and do not contribute to actionable findings

Scanner	Suppressed	Critical	High	Medium	Low	Info	Actionable	Result	Threshold
bandit	0	0	5	0	58	0	5	❌ Failed	MEDIUM (global)
cdk-nag	0	0	30	0	0	5	30	❌ Failed	MEDIUM (global)
cfn-nag	0	0	0	9	0	0	9	❌ Failed	MEDIUM (global)
checkov	1	0	25	0	0	0	25	❌ Failed	MEDIUM (global)
detect-secrets	0	0	72	0	0	0	72	❌ Failed	MEDIUM (global)
grype	0	0	2	1	0	0	3	❌ Failed	MEDIUM (global)
npm-audit	0	0	0	0	0	0	0	✅ Passed	MEDIUM (global)
opengrep	9	0	21	0	0	0	21	❌ Failed	MEDIUM (global)
semgrep	0	0	10	0	0	0	10	❌ Failed	MEDIUM (global)
syft	0	0	0	0	0	0	0	✅ Passed	MEDIUM (global)

Top 10 Hotspots

Files with the highest number of security findings:

Finding Count	File Location
40	tests/test_data/scanners/syft/syft.src.json
39	tests/test_data/scanners/cdk/insecure-s3-template.yaml
24	/out/converted/jupyter/tests__test_data__finding_samples__ipynb__ipynb.py
12	tests/test_data/scanners/grype/grype.src.json
10	tests/test_data/scanners/cdk/test.yaml_cdk_nag_results/cfn-and-python-test-yaml.template.json
10	tests/test_data/scanners/cdk/test.yaml_cdk_nag_results/test-yaml.template.json
10	tests/test_data/scanners/grype/grype.src.ash_output.work.json
10	.ash/ash_output/converted/jupyter/tests__test_data__finding_samples__ipynb__ipynb.py
4	tests/test_data/scanners/checkov/src.js.docker.Dockerfile.json
3	poetry.lock

Detailed Findings

Show 20 of 175 actionable findings

Finding 1: B108

• Severity: HIGH
• Scanner: bandit
• Rule ID: B108
• Location: tests/unit/utils/test_sarif_utils_extended.py:136-138

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

sarif = create_test_sarif()
    invocation = {"command_line": "scanner --scan file.py", "working_directory": "/tmp"}

---

Finding 2: B301

• Severity: HIGH
• Scanner: bandit
• Rule ID: B301
• Location: /out/converted/jupyter/tests__test_data__finding_samples__ipynb__ipynb.py:202-204

Description:
Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.

Code Snippet:

pick = dill.dumps({"a": "b", "c": "d"})
print(dill.loads(pick))

---

Finding 3: B301

• Severity: HIGH
• Scanner: bandit
• Rule ID: B301
• Location: /out/converted/jupyter/tests__test_data__finding_samples__ipynb__ipynb.py:207-209

Description:
Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.

Code Snippet:

file_obj.seek(0)
print(dill.load(file_obj))

---

Finding 4: B301

• Severity: HIGH
• Scanner: bandit
• Rule ID: B301
• Location: /out/converted/jupyter/tests__test_data__finding_samples__ipynb__ipynb.py:226-228

Description:
Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.

Code Snippet:

pick = dill.dumps({"a": "b", "c": "d"})
print(dill.loads(pick))

---

Finding 5: B301

• Severity: HIGH
• Scanner: bandit
• Rule ID: B301
• Location: /out/converted/jupyter/tests__test_data__finding_samples__ipynb__ipynb.py:231-233

Description:
Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.

Code Snippet:

file_obj.seek(0)
print(dill.load(file_obj))

---

Finding 6: SECRET-SECRET-KEYWORD

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-SECRET-KEYWORD
• Location: docs/content/docs/plugins/aws/index.md:143

Description:
Secret of type 'Secret Keyword' detected in file 'docs/content/docs/plugins/aws/index.md' at line 143

Code Snippet:

Secret of type Secret Keyword detected

---

Finding 7: SECRET-SECRET-KEYWORD

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-SECRET-KEYWORD
• Location: docs/content/docs/plugins/development-guide.md:439

Description:
Secret of type 'Secret Keyword' detected in file 'docs/content/docs/plugins/development-guide.md' at line 439

Code Snippet:

Secret of type Secret Keyword detected

---

Finding 8: SECRET-BASE64-HIGH-ENTROPY-STRING

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-BASE64-HIGH-ENTROPY-STRING
• Location: tests/test_data/scanners/cdk/test.yaml_cdk_nag_results/cfn-and-python-test-yaml.template.json:283

Description:
Secret of type 'Base64 High Entropy String' detected in file 'tests/test_data/scanners/cdk/test.yaml_cdk_nag_results/cfn-and-python-test-yaml.template.json' at line 283

Code Snippet:

Secret of type Base64 High Entropy String detected

---

Finding 9: SECRET-BASE64-HIGH-ENTROPY-STRING

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-BASE64-HIGH-ENTROPY-STRING
• Location: tests/test_data/scanners/cdk/test.yaml_cdk_nag_results/test-yaml.template.json:283

Description:
Secret of type 'Base64 High Entropy String' detected in file 'tests/test_data/scanners/cdk/test.yaml_cdk_nag_results/test-yaml.template.json' at line 283

Code Snippet:

Secret of type Base64 High Entropy String detected

---

Finding 10: SECRET-HEX-HIGH-ENTROPY-STRING

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
• Location: tests/test_data/scanners/grype/grype.src.ash_output.work.json:188

Description:
Secret of type 'Hex High Entropy String' detected in file 'tests/test_data/scanners/grype/grype.src.ash_output.work.json' at line 188

Code Snippet:

Secret of type Hex High Entropy String detected

---

Finding 11: SECRET-HEX-HIGH-ENTROPY-STRING

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
• Location: tests/test_data/scanners/grype/grype.src.ash_output.work.json:208

Description:
Secret of type 'Hex High Entropy String' detected in file 'tests/test_data/scanners/grype/grype.src.ash_output.work.json' at line 208

Code Snippet:

Secret of type Hex High Entropy String detected

---

Finding 12: SECRET-HEX-HIGH-ENTROPY-STRING

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
• Location: tests/test_data/scanners/grype/grype.src.ash_output.work.json:176

Description:
Secret of type 'Hex High Entropy String' detected in file 'tests/test_data/scanners/grype/grype.src.ash_output.work.json' at line 176

Code Snippet:

Secret of type Hex High Entropy String detected

---

Finding 13: SECRET-HEX-HIGH-ENTROPY-STRING

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
• Location: tests/test_data/scanners/grype/grype.src.ash_output.work.json:180

Description:
Secret of type 'Hex High Entropy String' detected in file 'tests/test_data/scanners/grype/grype.src.ash_output.work.json' at line 180

Code Snippet:

Secret of type Hex High Entropy String detected

---

Finding 14: SECRET-HEX-HIGH-ENTROPY-STRING

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
• Location: tests/test_data/scanners/grype/grype.src.ash_output.work.json:156

Description:
Secret of type 'Hex High Entropy String' detected in file 'tests/test_data/scanners/grype/grype.src.ash_output.work.json' at line 156

Code Snippet:

Secret of type Hex High Entropy String detected

---

Finding 15: SECRET-HEX-HIGH-ENTROPY-STRING

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
• Location: tests/test_data/scanners/grype/grype.src.ash_output.work.json:164

Description:
Secret of type 'Hex High Entropy String' detected in file 'tests/test_data/scanners/grype/grype.src.ash_output.work.json' at line 164

Code Snippet:

Secret of type Hex High Entropy String detected

---

Finding 16: SECRET-HEX-HIGH-ENTROPY-STRING

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
• Location: tests/test_data/scanners/grype/grype.src.ash_output.work.json:200

Description:
Secret of type 'Hex High Entropy String' detected in file 'tests/test_data/scanners/grype/grype.src.ash_output.work.json' at line 200

Code Snippet:

Secret of type Hex High Entropy String detected

---

Finding 17: SECRET-HEX-HIGH-ENTROPY-STRING

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
• Location: tests/test_data/scanners/grype/grype.src.ash_output.work.json:172

Description:
Secret of type 'Hex High Entropy String' detected in file 'tests/test_data/scanners/grype/grype.src.ash_output.work.json' at line 172

Code Snippet:

Secret of type Hex High Entropy String detected

---

Finding 18: SECRET-HEX-HIGH-ENTROPY-STRING

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
• Location: tests/test_data/scanners/grype/grype.src.ash_output.work.json:160

Description:
Secret of type 'Hex High Entropy String' detected in file 'tests/test_data/scanners/grype/grype.src.ash_output.work.json' at line 160

Code Snippet:

Secret of type Hex High Entropy String detected

---

Finding 19: SECRET-HEX-HIGH-ENTROPY-STRING

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
• Location: tests/test_data/scanners/grype/grype.src.ash_output.work.json:184

Description:
Secret of type 'Hex High Entropy String' detected in file 'tests/test_data/scanners/grype/grype.src.ash_output.work.json' at line 184

Code Snippet:

Secret of type Hex High Entropy String detected

---

Finding 20: SECRET-HEX-HIGH-ENTROPY-STRING

• Severity: HIGH
• Scanner: detect-secrets
• Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
• Location: tests/test_data/scanners/grype/grype.src.json:164

Description:
Secret of type 'Hex High Entropy String' detected in file 'tests/test_data/scanners/grype/grype.src.json' at line 164

Code Snippet:

Secret of type Hex High Entropy String detected

Note: Showing 20 of 175 total actionable findings. Configure max_detailed_findings to adjust this limit.

---

Report generated by Automated Security Helper (ASH) at 2025-06-11T02:22:16+00:00

[github-advanced-security]

AWS Labs - Automated Security Helper found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.