Documented the justification for the CodeQL alert

sdangol · sdangol · commit 927e00aedcef · 2025-08-22T09:28:16.000+01:00
diff --git a/.github/workflows/layers_partition_verify.yml b/.github/workflows/layers_partition_verify.yml
@@ -1,6 +1,14 @@
 # Partition Layer Verification
 # ---
 # This workflow queries the Partition layer info in production only
+#
+# CodeQL Security Note:
+# This workflow uses dynamic secret access via secrets[format(...)] which triggers
+# an "Excessive Secrets Exposure" alert. However, this is safe because:
+# - Secrets are scoped per environment (China/GovCloud Gamma/Prod)
+# - Each job only accesses secrets for its specific partition and region
+# - No global secrets array containing mixed credentials (API keys, PEM files, etc.)
+# - The secrets object is already minimally scoped to the environment being used
 
 on:
   workflow_dispatch:
@@ -102,7 +110,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    # Environment should interperlate as "GovCloud Prod" or "China Beta"
+    # Environment should interpolate as "GovCloud Prod" or "China Beta"
     environment: ${{ inputs.partition }} ${{ inputs.environment }}
     strategy:
       matrix:
@@ -118,6 +126,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
         with:
+          # Dynamic secret access is safe here - secrets are scoped per environment
           role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}
           aws-region: ${{ matrix.region}}
           mask-aws-account-id: true
@@ -129,6 +138,7 @@ jobs:
       - name: Verify Layer
         run: |
           export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+          # Dynamic secret access is safe here - secrets are scoped per environment
           aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > $layer_output
           REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
           LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
diff --git a/.github/workflows/layers_partitions.yml b/.github/workflows/layers_partitions.yml
@@ -15,6 +15,14 @@
 # 1. After the `make-release` workflow finishes and the PR for the documentation update gets created, trigger this workflow manually via `workflow_dispatch` with environment, version, and partition inputs for each Gamma and Prod environment in the China and GovCloud partitions
 # 2. Monitor deployment progress and verify successful layer publication across all target regions
 # 3. Once this workflow is completed, the PR for the documentation update can me merged
+#
+# CodeQL Security Note:
+# This workflow uses dynamic secret access via secrets[format(...)] which triggers
+# an "Excessive Secrets Exposure" alert. However, this is safe because:
+# - Secrets are scoped per environment (China/GovCloud Gamma/Prod)
+# - Each job only accesses secrets for its specific partition and region
+# - No global secrets array containing mixed credentials (API keys, PEM files, etc.)
+# - The secrets object is already minimally scoped to the environment being used
 
 on:
   workflow_dispatch:
@@ -142,6 +150,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
         with:
+          # Dynamic secret access is safe here - secrets are scoped per environment
           role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}
           aws-region: ${{ matrix.region}}
           mask-aws-account-id: true
@@ -175,6 +184,7 @@ jobs:
           LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
         run: |
           export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+          # Dynamic secret access is safe here - secrets are scoped per environment
           aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output
           REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
           LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
diff --git a/.github/workflows/update_ssm.yml b/.github/workflows/update_ssm.yml
@@ -11,6 +11,14 @@
 #   /aws/service/powertools/python/arm64/python3.8/3.1.0
 # And will have a value of:
 #   arn:aws:lambda:eu-west-1:094274105915:layer:AWSLambdaPowertoolsPythonV3-python38-arm64:4
+#
+# CodeQL Security Note:
+# This workflow uses dynamic secret access via secrets[format(...)] which triggers
+# an "Excessive Secrets Exposure" alert. However, this is safe because:
+# - Secrets are scoped per environment (SSM)
+# - Each job only accesses secrets for SSM
+# - No global secrets array containing mixed credentials (API keys, PEM files, etc.)
+# - The secrets object is already minimally scoped to the environment being used
 
 on:
   workflow_dispatch:
@@ -96,6 +104,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a
         with:
           aws-region: ${{ matrix.region }}
+          # Dynamic secret access is safe here - secrets are scoped per environment
           role-to-assume: ${{ secrets[format('{0}', steps.transform.outputs.CONVERTED_REGION)] }}
           mask-aws-account-id: true
       - id: write-version
