- v2.0.1
- v2.0.0
- v1.5.1
- v1.5.0
- v1.4.1
- v1.4.0
- v1.3.3
- v1.3.2
- 1.3.0 - 2024-04-17
- 1.2.0-e-06Mar2024
- 1.1.0-e-01Dec2023
- 1.0.9-e-16May2023
- 1.0.8-e-03May2023
- 1.0.5-e-06Mar2023
- 1.0.1-e-10Jan2023
- Fix handling of Bandit config files in util script
- Building ASH images for use in CI platforms (or other orchestration platforms that may require elevated access within the container) now requires targeting the `ci` stage of the `Dockerfile`:
  - via the `ash` CLI: `ash --no-run --build-target ci`
  - via `docker` or another OCI CLI: `docker build --tag automated-security-helper:ci --target ci .`
- Run ASH as non-root user to align with security best practices.
- Create a CI version of the Dockerfile that still runs as root to comply with the different requirements of build platforms where UID/GID cannot be modified and where additional agents installed at runtime require elevated privileges.
- Offline mode now skips NPM/PNPM/Yarn Audit checks (requires connection to registry to pull package information)
- NPM install during image build now restricts available memory to prevent segmentation fault
Full Changelog: https://github.com/awslabs/automated-security-helper/compare/v1.5.1...v2.0.0
- Fix SHELL directive in Dockerfile
- Fix small items in Mkdocs config
Full Changelog: https://github.com/awslabs/automated-security-helper/compare/v1.5.0...v1.5.1
- Introduced support for offline execution via `--offline`
- @awsmadi made their first contribution in #104
Full Changelog: https://github.com/awslabs/automated-security-helper/compare/v1.4.1...v1.5.0
- Fixed line endings on relevant files from CRLF to LF to resolve Windows build issues
- Adds `--format` parameter to the `ash`/`ash-multi` scripts to enable additional output integrations, beginning with ASHARP (Automated Security Helper Aggregated Report Parser) as the intermediary data model to enable subsequent conversion from there.
- Adds `automated_security_helper` Python code as a module of the same name from within the new `src` directory, including poetry.lock and pyproject.toml files to support it. This module includes the `asharp` script (CLI tool) that enables programmatic parsing of the aggregated_results content in conjunction with the JSON output changes.
- Adds pre-stage build of the `automated_security_helper` module to the Dockerfile
- Adds support to handle when `--format` is a value other than the current default of `text`, so scanners switch output to programmatically parseable output formats and `asharp` is called to parse the `aggregated_results.txt` file into `aggregated_results.txt.json`.
- Moved the source of version string truth into `pyproject.toml` for all projects and removed the `__version__` file to coincide with this.
Full Changelog: https://github.com/awslabs/automated-security-helper/compare/v1.3.3...v1.4.0
- fix(ash): adjust where/when output-dir is created, if necessary by @climbertjh2 in #74
- fix(ash): set execute permission on ash script in the container by @climbertjh2 in #81
- fix: update version file to match release tag format in github.com by @climbertjh2 in #84
Full Changelog: https://github.com/awslabs/automated-security-helper/compare/v1.3.2...v1.3.3
- added get-scan-set.py to utils scripts to return a list of non-ignored files for processing by @scrthq in #47
- fix/codebuild shared bindmount issue by @scrthq in #49
- fix error in reflecting return code in ash script by @climbertjh2 in #51
- Issue 58: missing double quotes by @awsntheule in #64
- fixed cdk nag scanner, added unique stack names based on input filenames. corrected guards on git clone calls within the scanner scripts to ensure those happen in the container image by @scrthq in #54
- Add support for pnpm audit by @awsntheule in #66
- fix(cdk-nag-scan): copy output files to separate folders by @climbertjh2 in #69
- fix(ash): use /tmp rather than tmpfs for scratch area by @climbertjh2 in #73
- Fix CTRL-C cancelling by @awsntheule in #71
- @awsntheule made their first contribution in #64
Full Changelog: https://github.com/awslabs/automated-security-helper/compare/1.2.0-e-06Mar2024...v1.3.2
- New version scheme introduced, moving ASH to SemVer alignment for versioning releases
- Moved version number to standalone `__version__` file for easier version maintainability
- Added ripgrep to replace `grep` on the `cdk-docker-execute.sh` script for speed as well as to respect `.gitignore`/`.ignore` file specifications automatically. Implemented `ripgrep` for the intended purposes.
- Updated `cdk-docker-execute.sh` script to create a unique internal stack name per imported-and-scanned CloudFormation template.
- Removed extraneous `git clone` calls into the temporary `${_ASH_RUN_DIR}` now that single container is the primary use case, to prevent collisions and spending time on repeat tasks during scans.
- Added better support for debug logging via `--debug` flag.
- Added new `debug_show_tree` function to `utils/common.sh` for easy debugging insertion of a tree call at any point in the scan to see repository contents
- Improved functionality of `utils/get-scan-set.py` script to generate the ignore spec and initial scan set to file in the output directory
- Changes default base image in the root Dockerfile from `public.ecr.aws/bitnami/python:3.10` to `public.ecr.aws/docker/library/python:3.10-bullseye` to allow builds for linux/arm64 platforms to work
- `ash` script has been renamed to `ash-multi` if multi-container architecture is needed from local. When running in the single-container, this is copied in as `ash` itself and becomes the entrypoint of the in-container run to prevent API changes for CI invocations.
- New `ash` script for local invocation entrypoint is now defaulting to building the single-container image and running the scan within as normal
- Printed output path of the `aggregated_results.txt` now shows the correct, local output path when using the single container instead of `/out/aggregated_results.txt`
- Updated GitHub Actions workflow for the repo to invoke ASH using the `ash` script as well to validate the entire experience end-to-end
- Deprecated `--finch|-f` option with warning indicating to use `--oci-runner finch|-o finch` if needing to use Finch explicitly
- Introduced single-container architecture via single Dockerfile in the repo root
- Updated `utils/*.sh` and `ash` shell scripts to support running within a single container
- Added new `ash_helpers.{sh,ps1}` scripts to support building and running the new container image
- Updated
- Changed CDK Nag scanning to use TypeScript instead of Python in order to reduce the number of dependencies
- Changed identification of files to scan from `find` to `git ls-files` for Git repositories in order to reduce the number of files scanned and to avoid scanning files that are not tracked by Git
- Updated the multi-container Dockerfiles to be compatible with the script updates and retain backwards compatibility
- Updated ASH documentation and README content to reflect the changes and improve the user experience
- Added simple image build workflow configured as a required status check for PRs
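A constructed Python model of the `find` versus `git ls-files` selection change described above, added here as an example; it is not ASH's own code, and the file tree, tracked set and ignore patterns are made up for illustration:

```python
"""Replay the two file-selection strategies over an in-memory tree.

Constructed example (not ASH's code): shows which files the old disk walk
(`find`) would scan versus the new index-based walk (`git ls-files`).
"""
import fnmatch
from typing import Iterable, List, Set

# Constructed sample tree: every path a `find` over the repo root would see.
ALL_FILES = [
    "app/main.py",
    "app/.env.local",               # untracked local secrets file
    "scratch/debug_dump.json",      # untracked, and not in any ignore file
    "node_modules/lodash/index.js",
    "template.yaml",
    "cdk.out/Stack.template.json",
    "build/report.txt",             # tracked, but matched by the ignore spec
    "Dockerfile",
]

# Constructed: paths `git ls-files` would report (present in the Git index).
TRACKED = {"app/main.py", "template.yaml", "Dockerfile", "build/report.txt"}

# Constructed .gitignore / .ignore lines (ripgrep honours both files).
IGNORE_PATTERNS = ["node_modules/", "cdk.out/", "*.local", "build/"]


def is_ignored(path: str, patterns: Iterable[str]) -> bool:
    """Minimal gitignore-style match: 'dir/' prefixes and fnmatch globs."""
    name = path.rsplit("/", 1)[-1]
    for pat in patterns:
        if pat.endswith("/"):
            if f"/{pat}" in f"/{path}":       # directory anywhere in the path
                return True
        elif fnmatch.fnmatch(name, pat) or fnmatch.fnmatch(path, pat):
            return True
    return False


def scan_set_find(files: List[str], patterns: Iterable[str]) -> List[str]:
    """Old behaviour: walk the disk, drop only what the ignore spec matches."""
    return sorted(f for f in files if not is_ignored(f, patterns))


def scan_set_git(files: List[str], tracked: Set[str], patterns: Iterable[str]) -> List[str]:
    """New behaviour: start from tracked files, then apply the ignore spec."""
    return sorted(f for f in files if f in tracked and not is_ignored(f, patterns))


def untracked_skipped(files: List[str], tracked: Set[str], patterns: Iterable[str]) -> List[str]:
    """Files the new strategy leaves out solely because they are untracked."""
    return sorted(set(scan_set_find(files, patterns)) - set(scan_set_git(files, tracked, patterns)))
```

The practical consequence is that an untracked file in the working tree (a local secrets file, a scratch dump) falls outside the scan set under the new strategy, so anything that must be checked has to be tracked or scanned separately.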
- Changed YAML scanning (presumed CloudFormation templates) to look for CloudFormation template files explicitly, excluding some well-known folders
- Added additional files that checkov knows how to scan to the list of CloudFormation templates (Dockerfiles, .gitlab-ci.yml)
- Re-factored CDK scanning in several ways:
  - Moved Python package install to the Dockerfile (container image build) so it's done once
  - Removed code that doesn't do anything
  - Added diagnostic information to the report regarding the CDK version, Node version, and NPM packages installed.
- Fixed Semgrep exit code
- Cloud9 Quickstart
- Remove cdk virtual env
- README reformat
- Pre-commit hook guidance
- Fix Grype error code
- Minor bug fixes
- hardcoded Checkov config
- Fix return code for the different Docker containers
- Fix image for ARM based machines
- Added Finch support
ASH version 1.0.1-e-10Jan2023 is out!
- Speed - running time is shorter by 40-50%
- Frameworks support - we support Bash, Java, Go and C# code
- New tool - ASH is running Semgrep for supported frameworks
- Force scans for specific frameworks - You can use the `--ext` flag to enforce a scan for a specific framework. For example: `ash --source-dir . --ext py` (Python)
- Versioning - use `ash --version` to check your current version
- Bug fixes and improvements