awslabs · scrthq · Jun 11, 2025 · Jun 6, 2025 · Jun 6, 2025 · Jun 7, 2025
@@ -1,16 +1,19 @@
 # yaml-language-server: $schema=../automated_security_helper/schemas/AshConfig.json
 project_name: automated-security-helper
 fail_on_findings: true
-# ash_plugin_modules:
-#   - automated_security_helper.plugin_modules.ash_aws_plugins
+ash_plugin_modules:
+  - automated_security_helper.plugin_modules.ash_aws_plugins
 external_reports_to_include: []
 global_settings:
   severity_threshold: MEDIUM
+  suppressions:
+    - path: docs/content/docs/testing/examples/*
+      reason: Documentation with test code examples focused on brevity.
+    - path: 'tests/test_data'
+      reason: This is test data that is used during unit testing only and is not part of the core application.
   ignore_paths:
     - path: 'automated_security_helper/assets/ASH_COMMIT*'
       reason: This file is generated by the build process and does not contain any secrets or sensitive information.
-    - path: 'tests/test_data'
-      reason: This is test data that is used during unit testing only and is not part of the core application.
     - path: 'tests/pytest-temp'
       reason: This is temporary data that is generated during unit testing only and is not part of the core application.
     - path: '.venv'
@@ -21,8 +24,6 @@ global_settings:
       reason: This file is generated by a corresponding Pydantic model and does not contain any secrets or sensitive information. Findings on this file are false positives and should be addressed on the related Pydantic models, not on this JSON file.
     - path: '**/automated_security_helper/schemas/AshConfig.json'
       reason: This file is generated by a corresponding Pydantic model and does not contain any secrets or sensitive information. Findings on this file are false positives and should be addressed on the related Pydantic models, not on this JSON file.
-    - path: '.ash/ash_output*/scanners'
-      reason: These are ash_output directories used for scans and are not committed to the repository or included in the package.
 reporters:
   asff:
     enabled: false

@@ -14,3 +14,5 @@ assert_used:
   skips:
     - "*/test_*.py"
     - "**/test_*.py"
+    - "*/utils/*.py"
+    - "**/utils/*.py"
@@ -0,0 +1,22 @@
+[run]
+source = automated_security_helper
+
+[report]
+# Show missing lines in reports
+show_missing = True
+# Fail if total coverage is below 64%
+fail_under = 64
+
+[html]
+directory = test-results/coverage_html
+title = ASH Coverage Report
+
+[xml]
+output = test-results/pytest.coverage.xml
+
+[json]
+output = test-results/pytest.coverage.json
+pretty_print = True
+
+[paths]
+source = automated_security_helper/**/*.py
@@ -74,9 +74,9 @@ jobs:
           #   method: python-container
           #   platform: windows/amd64
           ### Temp disabled to not impact others as this currently hangs
-          # - os: windows-latest
-          #   method: python-local
-          #   platform: windows/amd64
+          - os: windows-latest
+            method: python-local
+            platform: windows/amd64
 
     runs-on: ${{ matrix.os }}
     timeout-minutes: 15
@@ -136,23 +136,30 @@ jobs:
         # It should fail if there are findings in the scan, but that's a valid test for us still.
         shell: bash
         continue-on-error: true
+        timeout-minutes: 10
         run: |
           echo "Testing ASH using Python (Container) on ${{ matrix.os }} (${{ matrix.platform }})"
+          echo "ASH Version:"
           ash --version
+          echo "ASH Help:"
           ash --help
-          ash scan --mode=container --build-target ci --source-dir "$(pwd)" --output-dir "$(pwd)/.ash/ash_output" --verbose --no-progress  --config ./.ash/.ash_no_ignore.yaml
+          echo "ASH Scan Output:"
+          ash scan --mode container --build-target ci --verbose --no-progress  --config ./.ash/.ash_no_ignore.yaml
 
       - name: Validate ASH using Python Local
         if: matrix.method == 'python-local'
         # We're not worried if the scan failed, we are validating that it produces the outputs expected.
         # It should fail if there are findings in the scan, but that's a valid test for us still.
-        shell: bash
         continue-on-error: true
+        timeout-minutes: 4
         run: |
           echo "Testing ASH using Python (Local) on ${{ matrix.os }} (${{ matrix.platform }})"
+          echo "ASH Version:"
           ash --version
+          echo "ASH Help:"
           ash --help
-          ash scan --mode=local --source-dir "$(pwd)" --output-dir "$(pwd)/.ash/ash_output" --verbose --no-progress --config ./.ash/.ash_no_ignore.yaml
+          echo "ASH Scan Output:"
+          ash scan --mode local --build-target ci --verbose --no-progress --config ./.ash/.ash_no_ignore.yaml
 
       ############ PowerShell #########
 
@@ -162,6 +169,7 @@ jobs:
         # We're not worried if the scan failed, we are validating that it produces the outputs expected.
         # It should fail if there are findings in the scan, but that's a valid test for us still.
         continue-on-error: true
+        timeout-minutes: 10
         run: |
           Write-Host "Testing ASH using PowerShell on ${{ matrix.os }} (${{ matrix.platform }})"
           . ./utils/ash_helpers.ps1
@@ -174,14 +182,18 @@ jobs:
         # We're not worried if the scan failed, we are validating that it produces the outputs expected.
         # It should fail if there are findings in the scan, but that's a valid test for us still.
         continue-on-error: true
+        timeout-minutes: 10
         if: matrix.method == 'bash'
         shell: bash
         run: |
           echo "Testing ASH using Bash on ${{ matrix.os }} (${{ matrix.platform }})"
           chmod +x ./ash
+          echo "ASH Version:"
           ./ash --version
+          echo "ASH Help:"
           ./ash --help
-          ./ash --build-target ci --source-dir "$(pwd)" --output-dir "$(pwd)/.ash/ash_output" --verbose --debug --config ./.ash/.ash_no_ignore.yaml
+          echo "ASH Scan Output:"
+          ./ash --build-target ci --verbose --config ./.ash/.ash_no_ignore.yaml
 
 
       - name: Verify scan completed

@@ -98,7 +98,7 @@ jobs:
         shell: bash
         run: |-
           uvx --from $ASH_UVX_SOURCE ash \
-            --source-dir . --output-dir ${{ inputs.output-dir }} ${{ inputs.ash-args }} --build-target ci ${{ inputs.fail-on-findings == 'true' && '--fail-on-findings' || '--no-fail-on-findings'}} --mode ${{ inputs.ash-mode }} ${{ inputs.verbose && '--verbose' }}
+            --source-dir . --output-dir ${{ inputs.output-dir }} ${{ inputs.ash-args }} --no-progress --build-target ci ${{ inputs.fail-on-findings == 'true' && '--fail-on-findings' || '--no-fail-on-findings'}} --mode ${{ inputs.ash-mode }} ${{ inputs.verbose && '--verbose' }}
 
       - name: Show ASH Summary Report
         if: success() || failure()

@@ -1,3 +1,8 @@
+# TEMP
+/automated_security_helper/identifiers/
+/fix_*.py
+
+# ASH Ignores
 utils/cfn-to-cdk/cfn_to_cdk/
 utils/cfn-to-cdk/cdk.out/
 /**/aggregated_results.txt
@@ -14,6 +19,7 @@ test_output.json
 tests/pytest-temp/
 output/
 .*q/
+.kir*/
 /Amazon*.md
 .envrc
 utils/try*.sh

@@ -50,7 +50,7 @@ repos:
           ## REQUIRED ARGS
           # N/A - ASH pre-commit hooks include `--mode=precommit` by default.
           # The only ARGS needed are custom args past what is available by default.
-
+          #
           ## EXTRA ARGS (these are specific to this repo's usage of the hook and are not required)
           # Default behavior is to fail if any actionable findings are found.
           # We are working through resolution right now while still needing

@@ -9,9 +9,11 @@
     },
     {
       "args": [
-        "--verbose"
+        "--verbose",
+        "--scanners",
+        "detect-secrets"
       ],
-      "console": "integratedTerminal",
+      "console": "internalConsole",
       "env": {
         "PATH": "${workspaceFolder}/.venv/bin:/opt/homebrew/bin:~/.local/share/mise/installs/node/20.19.0/bin:${env.PATH}"
       },
@@ -28,7 +30,7 @@
         "--config",
         "${workspaceFolder}/.ash/.ash.yaml"
       ],
-      "console": "integratedTerminal",
+      "console": "internalConsole",
       "env": {
         "PATH": "${workspaceFolder}/.venv/bin:/opt/homebrew/bin:~/.local/share/mise/installs/node/20.19.0/bin:${env.PATH}"
       },
@@ -39,14 +41,14 @@
     },
     {
       "args": [],
-      "console": "integratedTerminal",
+      "console": "internalConsole",
       "name": "ASH: Test CDK Nag Headless Wrapper",
       "program": "./automated_security_helper/utils/cdk_nag_wrapper.py",
       "request": "launch",
       "type": "debugpy"
     },
     {
-      "console": "integratedTerminal",
+      "console": "internalConsole",
       "env": {
         "_PYTEST_RAISE": "1"
       },

@@ -1,5 +1,5 @@
 #checkov:skip=CKV_DOCKER_7:Base image is using a non-latest version tag by default, Checkov is unable to parse due to the use of ARG
-ARG BASE_IMAGE=public.ecr.aws/docker/library/python:3.10-bullseye
+ARG BASE_IMAGE=public.ecr.aws/docker/library/python:3.12-bullseye
 
 # First stage: Build poetry requirements
 FROM ${BASE_IMAGE} AS poetry-reqs
@@ -193,12 +193,6 @@ ENV _ASH_EXEC_MODE="local"
 RUN ash dependencies install --bin-path "${ASH_BIN_PATH}"
 ENV PATH="${ASH_BIN_PATH}:$PATH"
 
-#
-# Explicit Semgrep install to resolve underlying dependency
-# resolution issues when running inside the container
-#
-RUN python3 -m pip install semgrep --force
-
 #
 # Flag ASH as running in container to prevent ProgressBar panel from showing (causes output blocking)
 #