
chore(upstream): pull latest changes from upstream awslabs/aidlc-workflows#1

Closed
scoropeza wants to merge 139 commits into main from bgagent/c05b131789f7/pull-latest-changes-from-upstream


@scoropeza
Owner

Summary

Changes pulled from upstream

Key additions include:

  • New GitHub workflows: CI, CodeBuild, security scanners, release, tag-on-merge, pull-request-lint
  • Security tooling: .bandit, .checkov.yaml, .gitleaks.toml, .grype.yaml, .semgrepignore
  • Markdownlint configuration and infrastructure
  • Issue templates and PR template
  • CHANGELOG.md and cliff.toml for automated changelog generation
  • Expanded README.md and CONTRIBUTING.md
  • New docs/ and scripts/ directories (aidlc-evaluator)
  • aidlc-rules/VERSION and additional rule files

Build and test results

This repository has no mise tasks configured (mise run build and mise run lint fail with "no tasks defined"), which matches the pre-agent baseline failures noted in the task setup. The upstream changes do not introduce a build system — the project is primarily documentation and GitHub workflow files. No compilation or test runner is applicable.

  • mise run build: FAILED (no tasks defined — same as baseline before agent changes)
  • mise run lint: FAILED (no tasks defined — same as baseline before agent changes)

Decisions made

  • Used git merge upstream/main --no-edit which applied as a clean fast-forward with no conflicts
  • No code changes were needed — this is a pure upstream sync

Agent notes

What went well: The merge was a clean fast-forward with zero conflicts, so no manual resolution was needed.

What was difficult: Nothing — straightforward sync task.

Patterns discovered:

  • The fork (scoropeza/aidlc-workflows) diverged from awslabs/aidlc-workflows by adding Kiro CLI multi-platform support (commits fbc7f7c and 31c6f81), but those commits also exist in the upstream history, so the merge was trivially fast-forward.
  • The upstream repo has a rich CI/CD pipeline using CodeBuild + GitHub Actions.
  • No mise tasks are defined; build/lint tasks in the task setup were expected to fail.

Suggestions for future tasks:

  • Consider opening a PR from this branch into origin/main to update the fork's default branch.
  • The fork's custom Kiro CLI changes may need to be rebased or forward-ported if upstream diverges further.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

raj-jain-aws and others added 30 commits November 22, 2025 06:56
context window size optimization by moving welcome message out of cor…
Changed Mermaid diagram colors for better contrast/readability
…indows-compatibility

Updated setup instructions for Windows compatibility
…support

Added support for multiple languages. Fix for issue awslabs#27.
Issue awslabs#30. Added code placement rules for greenfield/brownfield for monolith/microservice architectures
Fix for ASCII art diagrams line alignment issues
…aced in a new folder location to support wider variety of AI IDEs and plugins. Created initial alternate support model for Cline VS Code plugin
feat: addin
raj-jain-aws and others added 24 commits March 27, 2026 20:50
…nd report pipeline (awslabs#147)

* fix: refactor CodeBuild evaluation and trend report pipeline

- Add pull_request trigger so every PR runs evaluation + trend reports
- Fix EVALUATOR_DIR to point to scripts/aidlc-evaluator
- Fix docker sandbox build path (docker/sandbox/build.sh)
- Fix run entry points to use run.py dispatcher (run.py test, run.py full)
- Fix trend report module name (trend_reports, not trend_report)
- Fix mkdir syntax error (trailing ". -> evaluation")
- Direct trend report output via --output-dir to artifact directory
- Add trend-reports unit tests to CI pipeline
- Add retention-days: 1 to trend.zip upload for consistency
- Remove stale TODO comments from inline buildspec

* fix: resolve branch detection in CodeBuild and add act support

* fix: remove unused Bedrock smoke-test invocation from buildspec

* fix: fixing docker path

* fix: removing discard path for secondary artifacts

* fix: changing the discard path back to no

---------

Co-authored-by: Jeff Harman <109810187+harmjeff@users.noreply.github.com>
Bumps [requests](https://github.com/psf/requests) from 2.32.5 to 2.33.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.5 to 46.0.6.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.5...46.0.6)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pygments](https://github.com/pygments/pygments) from 2.19.2 to 2.20.0.
- [Release notes](https://github.com/pygments/pygments/releases)
- [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES)
- [Commits](pygments/pygments@2.19.2...2.20.0)

---
updated-dependencies:
- dependency-name: pygments
  dependency-version: 2.20.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* docs: comprehensive documentation review and remediation

Addresses ~33 issues identified across the repository documentation,
organized into 7 work streams covering correctness, consistency,
completeness, and style.

- Fix duplicate Step 1 heading in reverse-engineering.md; renumber
  Steps 1-13 sequentially
- Fix incorrect loop-back reference in user-stories.md Step 18:
  "return to Step 14" -> "return to Step 15" (Load Story Generation Plan)
- Fix broken cross-reference in process-overview.md: core-workflow.md
  (does not exist in rule-details/) -> welcome-message.md
- Add .env to .gitignore to prevent accidental secret commit

- Replace deprecated stage names across 6 files:
  "Context Assessment" -> "Workspace Detection",
  "Requirements Assessment" -> "Requirements Analysis",
  "Story Development" -> "User Stories",
  "Requirements Elaboration" -> "Requirements Analysis"
- Fix systematic "phase" vs "stage" confusion in error-handling.md,
  workflow-changes.md, terminology.md, and units-generation.md
  (phase = INCEPTION/CONSTRUCTION/OPERATIONS; stage = individual
  workflow activities within a phase)
- Resolve "Code Planning" ambiguity in terminology.md and
  workflow-planning.md: clarify Code Planning is Part 1 of the
  Code Generation stage, not a separate stage

- Remove stale "Skip entire categories if not applicable" directives
  from application-design.md, infrastructure-design.md, nfr-design.md,
  and units-generation.md
- Replace with proactive evaluation pattern modeled after
  requirements-analysis.md Step 5: evaluate ALL categories, determine
  applicability based on evidence, default to asking when in doubt

- Add missing Windows PowerShell setup instructions for Kiro and
  Amazon Q sections (macOS/Linux and Windows CMD already existed)
- Fix spelling: "Applicabality" -> "Applicability"
- Remove trailing space from "Verify in Kiro IDE" heading
- Add missing ToC entries: Version Control Recommendations, Security,
  License, Other Agents
- Add extensions/ subdirectory to all 4 platform directory structure
  diagrams (Cursor, Cline, Claude Code, GitHub Copilot)
- Fix Extension Directory Structure tree connector (└── -> ├── for
  baseline/ which has siblings)
- Add .kiro/ and .amazonq/ rule-details paths to Version Control
  Recommendations
- Separate Kiro and Amazon Q troubleshooting into distinct sections
  (/context show is Kiro-only)
- Add ?raw=true to kiro-sdd-nudge.png image tag for consistency
- Add TODO comments for Amplify URL replacement with stable URL
- Add LICENSE hyperlink for consistency with CONTRIBUTING.md links

- Replace Unicode box-drawing characters in welcome-message.md
  diagram with ASCII equivalents per ascii-diagram-standards.md
- Standardize build-and-test.md completion message to use the
  REVIEW REQUIRED / WHAT'S NEXT template matching all other stages;
  also fixes extra double-quote on completion line
- Fix incomplete sentence fragment in core-workflow.md line 475:
  rewrite as complete prohibition statement

- Fix typos in codebuild.yml and buildspec.yml:
  "Kisk" -> "Disk", "Hardward" -> "Hardware"
- Add buildspec.yml (CodeBuild build specification)

- Add TODO near OWASP Top 10 (2025) mapping table in
  security-baseline.md to verify year against latest edition
- Add TODO HTML comments near Amplify URLs in README.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address code review findings from documentation remediation

Fixes 5 issues identified during code review of the docs commit:

1. terminology.md: Update stale "Code Planning stage" references
   - Line 13: "Code Planning stage" -> "Code Generation stage" in examples
   - Line 18: "7 stages" -> "6 stages" (after merging Code Planning
     into Code Generation)
   - Line 19: "Code Planning stage" -> "Code Generation stage" in
     usage example

2. README.md: Move TODO HTML comment above the markdown table to
   prevent breaking GitHub-Flavored Markdown table rendering (comment
   between header separator and first data row terminates the table)

3. core-workflow.md: Fix canonical stage name "NFR Requirements
   Analysis" -> "NFR Requirements" to match usage elsewhere in the
   same file (line 349: "NFR Requirements was executed")

4. Align dash style in overconfidence directives: change "--" to "-"
   in application-design.md, units-generation.md, infrastructure-
   design.md, nfr-design.md to match the canonical style in
   overconfidence-prevention.md and 3 other files

5. Align contraction in overconfidence directives: change "It is
   better" to "It's better" in the same 4 files to match the
   canonical wording in overconfidence-prevention.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address PR review findings from code-reviewer and comment-analyzer

Fixes 7 issues identified during the pr-review-toolkit comprehensive
review of the documentation remediation branch.

1. workflow-changes.md:88 - Remove stale "Code Planning" from the
   user warning message template. The restart impact warning now
   lists "Code Generation" as a single stage instead of the previous
   "Code Planning, Code Generation" pair.

2. error-handling.md:133,145 - Consolidate "Code Planning Errors"
   and "Code Generation Errors" section headings into
   "Code Generation Errors (Part 1: Code Planning)" and
   "Code Generation Errors (Part 2: Code Generation)" to align
   with the Code Planning/Code Generation stage merger applied
   everywhere else.

3. error-handling.md:48 - Fix "Cannot determine required phases"
   to "required stages". This appears in the Workspace Detection
   Errors section and refers to individual workflow stages, not
   the three lifecycle phases (INCEPTION/CONSTRUCTION/OPERATIONS).

4. build-and-test.md:345 - Fix "Log the phase completion" to
   "Log the stage completion". Build and Test is a stage within
   the CONSTRUCTION phase. This was newly added text in the
   previous commit.

5. build-and-test.md:326 - Add trailing two-space markdown line
   break to the REVIEW REQUIRED blockquote line, matching the
   pattern used in all other stage completion message templates
   (functional-design.md, nfr-design.md, infrastructure-design.md,
   code-generation.md, etc.).

6. security-baseline.md:312 - Strengthen the OWASP TODO comment
   from a simple "verify the year" note to a CRITICAL flag that
   the entire mapping table (category IDs, numbering, and names)
   needs verification against the actual published OWASP Top 10
   standard (currently 2021 edition). The "2025" edition
   referenced in the table may not exist.

7. .gitignore - Add trailing newline for POSIX compliance. The
   file previously lacked a final newline, which can cause issues
   with some tools that expect POSIX text files.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* revert: remove buildspec.yml and codebuild.yml changes from docs PR

Revert CI/CD file changes that are out of scope for this
documentation remediation PR:

- Remove buildspec.yml (new file — should be tracked separately)
- Revert codebuild.yml spelling fixes and sts identity command
  (infrastructure changes, not documentation)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…s#150)

* chore: add .worktrees to .gitignore

* feat: gate CodeBuild workflow on 'codebuild' label and aidlc-rules paths

PR builds now require the 'codebuild' label and changes under
aidlc-rules/ to trigger. Push to main, tags, and workflow_dispatch
remain unconditional.

* chore: add project-level attribution setting for PR contributor statement

Uses the `attribution.pr` setting so Claude Code automatically appends
the required contributor statement to all PR descriptions. Adds a
gitignore negation for .claude/settings.json so shared project settings
are committed while other .claude/ files remain ignored.

* docs: update administrative guide for CodeBuild label gate

- Add .claude/settings.json to repo tree diagram
- Update Pipeline 2 mermaid diagram with PR label-gate flow
- Update CodeBuild workflow triggers table and add label gate detail
- Add label-gated CI row to Security Posture table

* style: alphabetize pull_request activity types in codebuild workflow

* feat: add label-reminder and label-cleanup jobs to codebuild workflow

Add two lightweight jobs for PRs that change aidlc-rules/:
- label-reminder: emits a warning annotation and posts a one-time PR
  comment when the codebuild label is missing
- label-cleanup: removes the reminder comment when the label is applied,
  running immediately without waiting for the codebuild environment gate

* refactor: harden label-reminder comment handling

- Extract marker string into workflow-level LABEL_REMINDER_MARKER env
- Filter cleanup to only delete comments authored by github-actions[bot]
- Gracefully warn instead of failing if comment deletion fails

* security: eliminate expression interpolation from all run: blocks

Move github.repository, github.ref_name, and env.CODEBUILD_PROJECT_NAME
references in run: blocks to step-level env: variables or direct shell
env references. Workflow-level env: vars are auto-exported to shells, so
$CODEBUILD_PROJECT_NAME replaces ${{ env.CODEBUILD_PROJECT_NAME }}.

This prevents potential shell injection if any value were to contain
metacharacters, following GitHub's recommended security pattern.

* docs: update admin guide for new jobs and injection hardening

Add label-reminder and label-cleanup to the job-level permissions table.
Update the injection-safe inputs security posture row to reflect that
all run: blocks are now free of expression interpolation.

* docs: add label-cleanup step to CI pipeline mermaid diagram

---------

Co-authored-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
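
The invariant stated in the "security: eliminate expression interpolation from all run: blocks" commit above can be checked mechanically. The following is an added example, not code from this repository or from upstream: a line-based scanner (no YAML library, so it assumes conventionally indented workflow files) that reports every `${{ }}` expression inside a `run:` body. `SAMPLE_WORKFLOW` is constructed for the example and shows the before and after shapes side by side.

```python
import re

# Any GitHub Actions expression, e.g. ${{ github.ref_name }}
EXPRESSION = re.compile(r"\$\{\{.*?\}\}")
# A `run:` key, optionally the first key of a list item ("- run: ...").
# Group 1 is everything before the key, so its length is the key's column.
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def find_run_interpolations(workflow_text):
    """Return [(line_no, expression), ...] for each ${{ }} inside a run: body."""
    lines = workflow_text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        match = RUN_KEY.match(lines[i])
        if not match:
            i += 1
            continue
        key_column = len(match.group(1))
        rest = match.group(2)
        body = []  # (line_no, text) pairs that make up the script
        if rest and rest[0] not in "|>":
            body.append((i + 1, rest))  # single-line script on the key's line
        i += 1
        # A block scalar's content is indented deeper than its key; blank
        # lines belong to the script as well.
        while i < len(lines):
            text = lines[i]
            indent = len(text) - len(text.lstrip(" "))
            if text.strip() and indent <= key_column:
                break
            body.append((i + 1, text))
            i += 1
        for line_no, text in body:
            for expr in EXPRESSION.findall(text):
                findings.append((line_no, expr))
    return findings


# Constructed sample: the first step expands expressions into the script text,
# the second passes the same values to the shell as environment variables.
SAMPLE_WORKFLOW = """\
name: sample
on: pull_request
env:
  CODEBUILD_PROJECT_NAME: example-project
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: before
        run: |
          echo "Building ${{ github.ref_name }}"
          echo "Project ${{ env.CODEBUILD_PROJECT_NAME }}"
      - name: after
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          echo "Building $REF_NAME"
          echo "Project $CODEBUILD_PROJECT_NAME"
"""

if __name__ == "__main__":
    for line_no, expr in find_run_interpolations(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {expr} is expanded before the shell parses the script")
```

Expressions under `env:` are not reported, because there the value reaches the shell as data rather than as script text.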
…wslabs#154)

* fix: skip PR comment steps for fork PRs with read-only GITHUB_TOKEN

Fork PRs receive a read-only GITHUB_TOKEN regardless of workflow
permission declarations, causing the addComment GraphQL call to fail.

- Gate the Comment on PR step on same-repo check
- Skip label-cleanup entirely for fork PRs (no comment to remove)
- Add a notice annotation explaining the skip for fork PRs
- Warning annotation still works for all PRs (read-only is sufficient)

* fix: add unlabeled trigger so label-reminder re-posts when codebuild label is removed

Without the unlabeled activity type, removing the codebuild label from a
PR did not re-trigger the workflow, so the reminder comment was never
re-posted.

* fix: add issues:write permission for label-cleanup comment deletion

The REST DELETE /repos/{owner}/{repo}/issues/comments/{id} endpoint
requires issues:write scope. The job previously only had
pull-requests:write, which covers gh pr comment (GraphQL addComment)
but not the REST Issues API delete. This caused a silent 404 when
attempting to remove the label-reminder comment.

Also removes 2>/dev/null from the gh api DELETE call so API errors
are visible in job logs instead of silently suppressed.

---------

Co-authored-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
…labs#157)

The DELETE endpoint for issue comments does not include the issue number
in the path (`/repos/{owner}/{repo}/issues/comments/{comment_id}`), unlike
the LIST endpoint which does. The extra `$PR_NUMBER` segment produced a
404, leaving stale reminder comments on PRs after the codebuild label was
added.

Co-authored-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
…abs#158)

* feat: auto-label PRs using actions/labeler

Adds an auto-label job to the Pull Request Validation workflow using
actions/labeler v6.0.1. Labels are applied based on changed file paths
and removed when those files are no longer changed (sync-labels: true).

Works for fork PRs via pull_request_target — no checkout of fork code,
the action only reads file paths from the API.

Initial label rules:
- codebuild: aidlc-rules/**
- documentation: **/*.md, docs/**
- workflows: .github/**

* refactor: rename label to 'rules', refine labeler config

- Rename 'codebuild' label to 'rules' in codebuild.yml (conditions,
  reminder text, and marker)
- Rename 'workflows' label to 'github' matching .github/**
- Scope 'documentation' label to *.md files NOT under aidlc-rules/
  using all-globs-to-any-file with negation

* fix: add issues:write permission for auto-label job

Allows actions/labeler to create labels that don't yet exist in the
repository, preventing failures on first use of a new label rule.

* docs: update administrative guide for auto-labeling and rules label

- Rename all 'codebuild' label references to 'rules' (preserving
  CodeBuild service/environment references)
- Add auto-label job to Pipeline 3 diagram and workflow reference
- Document label rules table (rules, documentation, github)
- Add actions/labeler to external actions table
- Add auto-label job to permissions table
- Add labeler.yml to repository tree diagram

---------

Co-authored-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
…l-run-dir support (awslabs#162)

* fix: remove report-bundle CodeBuild secondary artifact and add --local-run-dir support

* fix: address PR review feedback for codebuild workflow

- Replace report artifact fallback name with static 'report-head' to
  avoid invalid characters from branch names
- Narrow evaluation secondary artifact from '**/*' to specific YAML
  metric and report files only
- Bump upload-artifact from v6 to v7
- Add archive: false to all upload-artifact steps to prevent double-zip
For pull_request events, CodeBuild runs in detached HEAD so
git symbolic-ref fails. The fallback was GH_REF_NAME which
resolves to '155/merge' — a virtual GitHub ref that cannot
be cloned as a branch. Pass github.head_ref into the buildspec
as GH_HEAD_REF and prefer it in the fallback chain so the
evaluator clones the actual PR source branch.
---
updated-dependencies:
- dependency-name: aiohttp
  dependency-version: 3.13.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…slabs#169)

Release PRs only changed CHANGELOG.md, which didn't match the
codebuild.yml paths filter (aidlc-rules/**) and so never triggered
the CodeBuild workflow. Writing the release version to
aidlc-rules/VERSION ensures the PR touches aidlc-rules/, naturally
satisfying both the path filter and the rules auto-label.

Also adds the 'rules' label explicitly to release PRs alongside
'release' for belt-and-suspenders coverage.

Co-authored-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Add a step that extracts the executive summary from the trend report
and posts it as a comment on the PR. Uses a marker comment to update
the same comment on subsequent pushes. The step uses continue-on-error
so a failure to comment does not block the pipeline.
…abs#173)

Re-apply the GH_HEAD_REF fix from awslabs#168 which was overwritten when
awslabs#172 was merged. Without this, PR-triggered CodeBuild runs fail
because CURRENT_BRANCH resolves to '155/merge' instead of the
actual PR source branch.
* fix: Modify tag creation process in tag-on-merge workflow

Updated the GitHub Actions workflow to create a tag upon merging a pull request into a release branch, replacing the previous API call with git commands.

* fix: Update checklist for pull request review process
* fix: Update CodeBuild action version and add trigger

* fix: Correct commit hash
* docs: add clarifying comments for env.ACT usage in codebuild workflow

The env.ACT variable is set by the 'act' CLI tool during local testing
and is not defined on GitHub-hosted runners, which can trigger linter
warnings about invalid context access. Added inline comments to explain
its purpose at each usage site.

* fix: skip CodeBuild build job for fork PRs

Fork PRs cannot access repository secrets or OIDC credentials needed
for AWS CodeBuild, causing the configure-aws-credentials step to fail.
Skip the build job entirely for forks to avoid a confusing red X.

---------

Co-authored-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
* feat: auto-label PRs using actions/labeler

Adds an auto-label job to the Pull Request Validation workflow using
actions/labeler v6.0.1. Labels are applied based on changed file paths
and removed when those files are no longer changed (sync-labels: true).

Works for fork PRs via pull_request_target — no checkout of fork code,
the action only reads file paths from the API.

Initial label rules:
- codebuild: aidlc-rules/**
- documentation: **/*.md, docs/**
- workflows: .github/**

* refactor: rename label to 'rules', refine labeler config

- Rename 'codebuild' label to 'rules' in codebuild.yml (conditions,
  reminder text, and marker)
- Rename 'workflows' label to 'github' matching .github/**
- Scope 'documentation' label to *.md files NOT under aidlc-rules/
  using all-globs-to-any-file with negation

* fix: add issues:write permission for auto-label job

Allows actions/labeler to create labels that don't yet exist in the
repository, preventing failures on first use of a new label rule.

* docs: update administrative guide for auto-labeling and rules label

- Rename all 'codebuild' label references to 'rules' (preserving
  CodeBuild service/environment references)
- Add auto-label job to Pipeline 3 diagram and workflow reference
- Document label rules table (rules, documentation, github)
- Add actions/labeler to external actions table
- Add auto-label job to permissions table
- Add labeler.yml to repository tree diagram

* feat: add security scanners workflow

Adds five security scanning jobs as a new workflow:
- gitleaks: secret detection across full git history
- semgrep: SAST with SARIF output and GitHub compatibility fixes
- grype: dependency vulnerability scanning
- checkov: IaC scanning (GitHub Actions workflows, configs)
- clamav: malware scanning via service container

All jobs run on push to main, PRs to main, daily schedule, and
manual dispatch. SARIF results are uploaded as artifacts and to
GitHub Code Scanning (when available). Follows the deny-all
permissions pattern with per-job grants.

* feat: add bandit job for Python SAST scanning

Scans Python code under scripts/aidlc-evaluator/ for security issues.
Uses bandit v1.9.3 with SARIF output, matching the pattern from
awslabs/agent-plugins.

* feat: add security scanner configuration and baseline files

- .gitleaks.toml: extends default rules, allowlists lock files
- .gitleaks-baseline.json: baselines 12 known findings (all fake
  credentials in test_credential_scrubber.py test fixtures)
- .semgrepignore: skips lock files, test fixtures, build artifacts
- .checkov.yaml: scopes to github_actions + dockerfile frameworks,
  skips CKV_GHA_7 (conflicts with inline buildspec pattern)
- .bandit: targets scripts/aidlc-evaluator, excludes tests,
  medium+ confidence only
- .grype.yaml: fail-on-severity high, with placeholder ignore list

* chore: add gitleaks baseline to semgrepignore and expand comments

Add .gitleaks-baseline.json to .semgrepignore and expand all ignore
comments with specific reasoning for why each entry is excluded from
Semgrep scanning.

* fix: raise bandit confidence to high, add suppression docs, fix clamav deferred failure

- Raise bandit confidence-level from medium to high to reduce noise
- Add inline suppression documentation to .grype.yaml and .checkov.yaml
- Fix clamav job to use deferred-failure pattern (always upload artifact
  before failing) consistent with all other scanner jobs

* docs: add security scanner remediation guide to DEVELOPERS_GUIDE

Document each scanner's failure thresholds, how to review findings,
and how to remediate or suppress them (inline comments, config-level
ignores, baselines). Includes summary tables for quick reference.

* docs: add security scanners to ADMINISTRATIVE_GUIDE

Add security-scanners.yml workflow reference, Pipeline 3 architecture
diagram, updated permissions model and security posture tables, and
Security Finding Requirements section requiring all HIGH and CRITICAL
findings to be remediated or have documented risk acceptance.

* fix: apply deny-all permissions to release workflows

Move release.yml, release-pr.yml, and tag-on-merge.yml to the same
deny-all-then-grant pattern used by all other workflows. All 16
permission scopes are now set to none at the workflow level with only
the required scopes granted at the job level.

* chore: update security scanner tools and actions to latest versions

Scanner tools:
- Gitleaks 8.30.0 → 8.30.1
- Semgrep 1.151.0 → 1.157.0
- Grype 0.104.3 → 0.110.0
- Bandit 1.9.3 → 1.9.4
- Checkov 3.2.500 → 3.2.513
- ClamAV image digest updated to latest stable

GitHub Actions:
- github/codeql-action v4.32.2 → v4.35.1

Remove specific version numbers from ADMINISTRATIVE_GUIDE docs (they
go stale), note that versions are pinned and should be updated
periodically, and add TODO for update procedure documentation.

* fix: move exit code interpolation from run: blocks to env: variables

Replace six instances of ${{ steps.*.outputs.exit_code }} in run:
blocks with step-level env: variables, eliminating all expression
interpolation in run: blocks. This restores the "zero ${{ }}
interpolation in run: blocks" invariant documented in the Security
Posture table.

* fix: include event_name in concurrency group to protect scheduled scans

Add github.event_name to the concurrency group key so that scheduled
runs (group: ...-schedule-refs/heads/main) and push runs (group:
...-push-refs/heads/main) use separate groups. This prevents a push
to main from silently cancelling the daily scheduled scan.

* docs: merge duplicate deny-all-then-grant paragraphs in admin guide

Remove the contradictory paragraph that listed only three workflows
and merge its "strictest possible configuration" clause into the
correct paragraph that covers all six workflows.

* fix: use .bandit configuration

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix(doc): Update how bandit looks for files

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: add issues write to create labels as necessary

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: remove security event write to clamav

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: load grype configurations

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: convert .bandit config from INI to YAML format

Bandit 1.9.4 expects YAML config but .bandit used legacy INI format,
causing a parse error (exit code 2) that failed the CI job. Convert to
valid YAML and add -ll flag for high-confidence filtering.

* fix: report all bandit findings in SARIF, fail only on HIGH severity

- Remove -ll severity filter so LOW/MEDIUM/HIGH all appear in SARIF
- Check SARIF for HIGH severity (level=error) to decide pass/fail
- Move scan targets into .bandit config so new Python directories
  can be added without editing the workflow

* fix: semgrep reports all findings, fails only on ERROR severity

Match the bandit pattern: report all severity levels in SARIF for
GitHub Code Scanning visibility, but only fail the build when
ERROR-level findings exist.

* fix: checkov reports all findings, fails only on ERROR severity

Match the bandit/semgrep pattern: report all severity levels in SARIF
for GitHub Code Scanning visibility, but only fail the build when
ERROR-level findings exist.

* fix: remove duplicate semgrep step id

* fix: restore -r flag for bandit targets

The YAML config does not support a "targets" key — that was
INI-format only. Without -r on the CLI, bandit gets no scan
targets and produces an empty SARIF file.

---------

Co-authored-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Sam Castro Oropeza <samcaso@amazon.com>
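
The "report all findings in SARIF, fail only on HIGH/ERROR" pattern in the bandit, semgrep and checkov commits above comes down to a small gate over the SARIF file. The following is an added example, not the workflow's own script: it counts results by SARIF level, falling back to the rule's `defaultConfiguration.level` and then to `warning` when a result carries no level. As an assumption of this example, an empty or unparseable report (the failure mode the "restore -r flag" commit describes) returns exit code 2 instead of passing. Both sample reports are constructed.

```python
import json

LEVELS = ("error", "warning", "note", "none")


def effective_level(result, rules_by_id):
    """Level of one SARIF result: explicit level, else rule default, else warning."""
    level = result.get("level")
    if level in LEVELS:
        return level
    rule = rules_by_id.get(result.get("ruleId"), {})
    level = rule.get("defaultConfiguration", {}).get("level")
    return level if level in LEVELS else "warning"


def count_levels(sarif_text):
    """Return {'error': n, 'warning': n, ...}, or None if the report is unusable."""
    try:
        doc = json.loads(sarif_text)
    except json.JSONDecodeError:
        return None
    runs = doc.get("runs") if isinstance(doc, dict) else None
    if not runs:
        return None  # no run recorded: the scanner did not produce a report
    counts = dict.fromkeys(LEVELS, 0)
    for run in runs:
        driver = run.get("tool", {}).get("driver", {})
        rules_by_id = {rule.get("id"): rule for rule in driver.get("rules", [])}
        for result in run.get("results") or []:
            counts[effective_level(result, rules_by_id)] += 1
    return counts


def gate_exit_code(sarif_text):
    """0 = pass, 1 = error-level findings, 2 = report missing or unusable.

    The exit code values are this example's choice, not the workflow's.
    """
    counts = count_levels(sarif_text)
    if counts is None:
        return 2
    return 1 if counts["error"] else 0


# Constructed sample: rule ids, tool name and messages are placeholders.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [{"id": "RULE_A", "defaultConfiguration": {"level": "error"}}],
        }},
        "results": [
            {"ruleId": "RULE_B", "level": "error", "message": {"text": "high"}},
            {"ruleId": "RULE_C", "level": "warning", "message": {"text": "medium"}},
            {"ruleId": "RULE_D", "level": "note", "message": {"text": "low"}},
            # No explicit level: inherits "error" from RULE_A's default.
            {"ruleId": "RULE_A", "message": {"text": "inherits rule default"}},
        ],
    }],
})

# Constructed sample with findings that are reported but do not fail the gate.
CLEAN_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [{"ruleId": "RULE_C", "level": "warning",
                     "message": {"text": "medium"}}],
    }],
})

if __name__ == "__main__":
    print(count_levels(SAMPLE_SARIF), "exit", gate_exit_code(SAMPLE_SARIF))
    print(count_levels(CLEAN_SARIF), "exit", gate_exit_code(CLEAN_SARIF))
    print("empty report exit", gate_exit_code(""))
```

Running the gate in a step after the upload step keeps the deferred-failure ordering the clamav commit describes: the artifact is stored first, then the job fails.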
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.6 to 46.0.7.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.6...46.0.7)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* ci: add markdownlint infrastructure (config, CI workflow, pre-commit)

Add .markdownlint-cli2.yaml with all current violations temporarily
disabled and tiered for incremental re-enablement by prompt impact.
Add ci.yml workflow with markdownlint-cli2-action on pull_request,
push to main, and workflow_dispatch. Add .pre-commit-config.yaml for
optional local pre-commit linting.

No markdown content changes — violation fixes planned for follow-up PRs.

* ci: fix MD041 in CODE_OF_CONDUCT.md, re-enable rule

Change `## Code of Conduct` to `# Code of Conduct` (H2 → H1) to
satisfy MD041/first-line-heading. Only violation was outside
aidlc-rules/ — zero LLM prompt impact. Rule re-enabled in config.

* fix: resolve all markdownlint violations outside aidlc-rules/

Fix 585 violations across 25 non-LLM-prompt files:
- MD028: fix 4 blank lines in blockquotes (WORKING-WITH-AIDLC.md)
- MD040: add language specifiers to 84 fenced code blocks
- MD060: normalize table pipe spacing across 13 files (322 fixes)
- Auto-fix: MD009, MD012, MD022, MD029, MD031, MD032, MD047, MD049

Re-enable 3 rules now at zero violations: MD049, MD034, MD028.
Update remaining violation counts to aidlc-rules/-only totals.

No files under aidlc-rules/ were modified — zero LLM prompt impact.

* style: enforce MD060 aligned table style, fix 1645 violations

Set MD060 to "aligned" style in project config — all table columns
are now width-padded with vertically aligned pipes.

Add aidlc-rules/.markdownlint-cli2.yaml to suppress MD060 in LLM
prompt files pending separate review.

Aligned tables in 14 files outside aidlc-rules/ using automated
formatter. Zero aidlc-rules/ content files modified.

* chore: improve cliff.toml template for markdownlint compliance

Update git-cliff body template:
- Add blank line after ### group headings (MD022/MD032)
- Add postprocessor to collapse triple+ blank lines (MD012)
- Set trim = false so leading \n creates inter-body separators

Add CHANGELOG.md to markdownlint ignores since git-cliff
postprocessors run per-body and cannot control inter-body
spacing or trailing whitespace.

Regenerate CHANGELOG.md with improved template.

* refactor: move aidlc-rules/ exceptions to per-directory config

Move all temporarily disabled rules from the top-level config into
aidlc-rules/.markdownlint-cli2.yaml since violations exist only in
that directory. The top-level config now contains only permanently
disabled rules and global style settings.

* fix: align table pipes in ADMINISTRATIVE_GUIDE.md for MD060

Four tables had misaligned trailing pipes due to rows with longer
content or multi-byte characters (em dash). Padded shorter rows
so all pipes in each column align vertically.

* fix: resolve markdownlint violations in DEVELOPERS_GUIDE security scanner section

Add blank lines around fenced code blocks (MD031), align table pipes
(MD060), and remove double blank line (MD012) in the security scanner
documentation added by awslabs#161.

* fix: add event_name to concurrency group key for consistency

Aligns ci.yml concurrency group with the {workflow}-{event_name}-{ref}
pattern used across all other workflows.

* fix: add event_name to concurrency group keys for all workflows

Aligns codebuild.yml and pull-request-lint.yml concurrency groups with
the {workflow}-{event_name}-{ref} pattern for consistency and to prevent
schedule triggers from cancelling push events if added later.

* fix: replace verbose deny-all permissions with permissions: {}

Uses the documented shorthand `permissions: {}` which is functionally
equivalent and future-proof against new permission scopes. Job-level
permissions that grant specific access are preserved.

---------

Co-authored-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
Co-authored-by: Sam Castro <scoropeza@gmail.com>
@github-actions

Note: This PR changes aidlc-rules/ but the rules label has not been applied.

A maintainer must add the rules label to trigger the CodeBuild evaluation pipeline.
Once labeled, subsequent pushes will re-trigger the build automatically.


@github-advanced-security github-advanced-security AI left a comment

Bandit found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

Comment on lines +1 to +52
# Multi-language sandbox image for running AI-generated code in isolation.
#
# Includes Python 3.13 + uv, Node.js 22 + npm, and common build tools.
# Runs as a non-root user with no credentials or host tools.
#
# Security notes:
# - Base image is intentionally not pinned to a hash to receive security updates
# - HEALTHCHECK is omitted as this is an ephemeral test sandbox, not a service
# - RUN commands use pipes without pipefail, acceptable for dependency installation

# checkov:skip=CKV_DOCKER_2:HEALTHCHECK not needed for ephemeral test sandbox
# nosemgrep: dockerfile-source-not-pinned
FROM public.ecr.aws/docker/library/python:3.13-slim AS base

# Install system dependencies and Node.js 22
# nosemgrep: set-pipefail
RUN apt-get update && apt-get install -y --no-install-recommends \
curl \
gcc \
g++ \
make \
git \
ca-certificates \
gnupg \
&& mkdir -p /etc/apt/keyrings \
&& curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
| gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
&& echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main" \
> /etc/apt/sources.list.d/nodesource.list \
&& apt-get update && apt-get install -y --no-install-recommends nodejs \
&& apt-get clean && rm -rf /var/lib/apt/lists/*

# Install uv (Python package manager)
COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv

# Create non-root sandbox user (UID 1000)
RUN groupadd -g 1000 sandbox \
&& useradd -u 1000 -g 1000 -m -s /bin/bash sandbox

# Set up workspace directory
RUN mkdir /workspace && chown sandbox:sandbox /workspace

# Pre-configure uv and npm for the sandbox user
ENV UV_CACHE_DIR=/home/sandbox/.cache/uv
ENV NPM_CONFIG_CACHE=/home/sandbox/.cache/npm
RUN mkdir -p /home/sandbox/.cache/uv /home/sandbox/.cache/npm \
&& chown -R sandbox:sandbox /home/sandbox/.cache

USER sandbox
WORKDIR /workspace

CMD ["bash"]
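
Review bot: the `COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv` line pulls a mutable `latest` tag, and the header's security notes justify only the unpinned base image, not this one. Because uv is the tool that installs dependencies inside the sandbox, a change to that tag changes every later build without any diff in this file. Pin it to a specific release tag or image digest, or extend the security notes to state why it is left floating. Separately, in the Node.js `RUN` step the `curl -fsSL ... | gpg --dearmor` pipe runs without pipefail, so a failed download of the NodeSource key is reported only if `gpg` itself rejects the input. Adding `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before that step would make the build stop on the curl error and let the `nosemgrep: set-pipefail` suppression be dropped.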

@github-advanced-security github-advanced-security AI left a comment

Semgrep OSS found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@scoropeza scoropeza closed this Apr 14, 2026
@scoropeza scoropeza added the invalid This doesn't seem right label Apr 14, 2026