feat(ci): added resusable "Run ASH Scan" workflow

[scrthq]

Usage:

name: Run ASH
on:
  push:
    branches:
      - "*"
    tags:
      - "*"
  pull_request:
    branches:
      - "*"
  workflow_dispatch: {}
env:
  PYTHON_VERSION: "3.12"
jobs:
  ash:
    permissions:
      contents: read
      checks: write
      security-events: write
      pull-requests: write
      statuses: write
    uses: awslabs/automated-security-helper/.github/workflows/run-ash-security-scan.yml@beta
    with:
      fail-on-findings: true
      post-pr-comment: true

[github-actions]

ASH Security Scan Report

• Report generated: 2025-05-21T23:21:18+00:00
• Time since scan: 1 minute

Scan Metadata

• Project: ASH
• Scan executed: 2025-05-21T23:19:53+00:00
• ASH version: 3.0.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

• Severity levels: Suppressed (S), Critical (C), High (H), Medium (M), Low (L), Info (I)
• Duration (Time): Time taken by the scanner to complete its execution
• Actionable: Number of findings at or above the threshold severity level
• Result:
  • ✅ PASSED = No findings at or above threshold
  • ❌ FAILED = Findings at or above threshold
  • ⚠️ MISSING = Required dependencies not available
  • ⏭️ SKIPPED = Scanner explicitly disabled
• Threshold: The minimum severity level that will cause a scanner to fail (ALL, LOW, MEDIUM, HIGH, CRITICAL)
  • Values in parentheses indicate where the threshold is set in order of precedence:
    • env (ASH_SEVERITY_THRESHOLD environment variable)
    • config (scanner config section in the ASH_CONFIG used)
    • scanner (default configuration in the plugin, if explicitly set)
    • global (global_settings section in the ASH_CONFIG used)
• Note: Suppressed findings are counted separately and do not contribute to actionable findings

Scanner	Suppressed	Critical	High	Medium	Low	Info	Actionable	Result	Threshold
bandit	0	0	0	0	1	0	0	✅ Passed	MEDIUM (global)
cdk-nag	35	0	0	0	0	0	0	✅ Passed	MEDIUM (global)
cfn-nag	9	0	0	0	0	0	0	✅ Passed	MEDIUM (global)
checkov	21	0	5	0	0	0	5	❌ Failed	MEDIUM (global)
detect-secrets	70	0	0	0	0	0	0	✅ Passed	MEDIUM (global)
grype	0	0	3	0	0	0	3	❌ Failed	MEDIUM (global)
npm-audit	0	0	0	0	0	0	0	✅ Passed	MEDIUM (global)
opengrep	0	0	0	0	0	0	0	✅ Passed	MEDIUM (global)
semgrep	0	0	0	0	0	0	0	✅ Passed	MEDIUM (global)
syft	0	0	0	0	0	0	0	✅ Passed	MEDIUM (global)

Top 6 Hotspots

Files with the highest number of security findings:

Finding Count	File Location
3	poetry.lock
1	.github/workflows/ash-repo-scan-validation.yml
1	.github/workflows/ash-repo-scan.yml
1	.github/workflows/ash-repo-unit-tests.yml
1	docs/content/tutorials/CI/GitHubActions/.github/workflows/run-ash-scan.yml
1	docs/content/tutorials/CI/AzurePipelines/azure-pipelines.yml

Detailed Findings

Show 8 actionable findings

Finding 1: CKV2_GHA_1

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV2_GHA_1
• Location: .github/workflows/ash-repo-scan-validation.yml:1-2

Description:
Ensure top-level permissions are not set to write-all

---

Finding 2: CKV2_GHA_1

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV2_GHA_1
• Location: .github/workflows/ash-repo-scan.yml:1-2

Description:
Ensure top-level permissions are not set to write-all

---

Finding 3: CKV2_GHA_1

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV2_GHA_1
• Location: .github/workflows/ash-repo-unit-tests.yml:1-2

Description:
Ensure top-level permissions are not set to write-all

---

Finding 4: CKV2_GHA_1

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV2_GHA_1
• Location: docs/content/tutorials/CI/GitHubActions/.github/workflows/run-ash-scan.yml:1

Description:
Ensure top-level permissions are not set to write-all

---

Finding 5: CKV_AZUREPIPELINES_2

• Severity: HIGH
• Scanner: checkov
• Rule ID: CKV_AZUREPIPELINES_2
• Location: docs/content/tutorials/CI/AzurePipelines/azure-pipelines.yml:32-47

Description:
Ensure container job uses a version digest

Code Snippet:

- job: scanInContainerJob
    container: ${{ variables.ASH_IMAGE_REPO }}:${{ variables.ASH_IMAGE_TAG }}
    displayName: Run ASH in Container Job
    steps:
      - checkout: self
      - script: |
          ash \
            --source-dir "$(pwd)" \
            --output-dir "${{ variables.ASH_OUTPUT_PATH }}"
        name: runash
        displayName: Run ASH scan
      - publish: ${{ variables.ASH_OUTPUT_PATH }}
        artifact: ${{ variables.ASH_OUTPUT_PATH }}
        condition: succeededOrFailed()

---

Finding 6: GHSA-7cx3-6m66-7c5m-tornado

• Severity: HIGH
• Scanner: grype
• Rule ID: GHSA-7cx3-6m66-7c5m-tornado
• Location: poetry.lock:1

Description:
A high vulnerability in python package: tornado, version 6.4.2 was found at: /poetry.lock

---

Finding 7: GHSA-3wwr-3g9f-9gc7-asteval

• Severity: HIGH
• Scanner: grype
• Rule ID: GHSA-3wwr-3g9f-9gc7-asteval
• Location: poetry.lock:1

Description:
A high vulnerability in python package: asteval, version 1.0.5 was found at: /poetry.lock

---

Finding 8: GHSA-vp47-9734-prjw-asteval

• Severity: HIGH
• Scanner: grype
• Rule ID: GHSA-vp47-9734-prjw-asteval
• Location: poetry.lock:1

Description:
A high vulnerability in python package: asteval, version 1.0.5 was found at: /poetry.lock

---

Report generated by Automated Security Helper (ASH) at 2025-05-21T23:21:18+00:00