🔒 ASH Security Scan - Monthly Report (2026-04-01) #79

@github-actions

ASH Security Scan - Full Repository Report

Scan Date: 2026-04-01T03:10:56+00:00
Trigger: schedule
Type: Monthly scheduled scan

Scanner Results Summary

| Scanner        | S | C  | H | M | L | I | Time  | Action | Result | Thresh  |
|----------------|---|----|---|---|---|---|-------|--------|--------|---------|
| bandit         | 0 | 1  | 0 | 0 | 7 | 0 | 1.3s  | 1      | FAILED | MED (g) |
| cdk-nag        | 0 | 0  | 0 | 0 | 0 | 0 | 54.3s | 0      | PASSED | MED (g) |
| cfn-nag        | 0 | 0  | 0 | 0 | 0 | 0 | 4.4s  | 0      | PASSED | MED (g) |
| checkov        | 0 | 64 | 0 | 0 | 0 | 0 | 16.5s | 64     | FAILED | MED (g) |
| detect-secrets | 0 | 1  | 0 | 0 | 0 | 0 | 10.6s | 1      | FAILED | MED (g) |
| grype          | 0 | 4  | 0 | 2 | 0 | 0 | 51.8s | 6      | FAILED | MED (g) |
| npm-audit      | 0 | 0  | 0 | 0 | 0 | 0 | 1.5s  | 0      | PASSED | MED (g) |
| opengrep       | 12 | 14 | 0 | 0 | 0 | 0 | 37.0s | 14    | FAILED | MED (g) |
| semgrep        | 0 | 0  | 0 | 0 | 0 | 0 | 15.4s | 0      | PASSED | MED (g) |
| syft           | 0 | 0  | 0 | 0 | 0 | 0 | 4.0s  | 0      | PASSED | MED (g) |

Columns: S = Suppressed, C = Critical, H = High, M = Medium, L = Low, I = Info; Action = actionable findings at or above the threshold; Thresh = severity threshold, (g) = taken from the global configuration.

Status: ⚠️ Security findings detected

Detailed Findings

Finding 1: B602

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B602
  • Location: infra-terraform/test-scripts/test-oauth2-auth.py:88-90

Description:
subprocess call with shell=True identified, security issue.

Code Snippet:

"""Run shell command and return output."""
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.strip(), result.returncode

Finding 2: SECRET-HEX-HIGH-ENTROPY-STRING

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
  • Location: ash-output.log:1482

Description:
Secret of type 'Hex High Entropy String' detected in file 'ash-output.log' at line 1482

Code Snippet:

Secret of type Hex High Entropy String detected

Finding 3: CKV_AWS_300

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_300
  • Location: infra-terraform/modules/amplify-hosting/main.tf:42-53

Description:
Ensure S3 lifecycle configuration sets period for aborting failed uploads

Code Snippet:

resource "aws_s3_bucket_lifecycle_configuration" "access_logs" {
  bucket = aws_s3_bucket.access_logs.id

  rule {
    id     = "DeleteOldAccessLogs"
    status = "Enabled"

    expiration {
      days = var.access_logs_expiry_days
    }
  }
}

Finding 4: CKV_AWS_300

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_300
  • Location: infra-terraform/modules/amplify-hosting/main.tf:82-93

Description:
Ensure S3 lifecycle configuration sets period for aborting failed uploads

Code Snippet:

resource "aws_s3_bucket_lifecycle_configuration" "staging" {
  bucket = aws_s3_bucket.staging.id

  rule {
    id     = "DeleteOldDeployments"
    status = "Enabled"

    expiration {
      days = var.staging_bucket_expiry_days
    }
  }
}

Finding 5: CKV_AWS_119

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_119
  • Location: infra-terraform/modules/backend/feedback.tf:13-54

Description:
Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK

Code Snippet:

resource "aws_dynamodb_table" "feedback" {
  name         = "${var.stack_name_base}-feedback"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "feedbackId"

  attribute {
    name = "feedbackId"
    type = "S"
  }

  attribute {
    name = "feedbackType"
    type = "S"
  }

  attribute {
    name = "timestamp"
    type = "N"
  }

  # GSI for querying by feedbackType with timestamp sorting
  global_secondary_index {
    name            = "feedbackType-timestamp-index"
    hash_key        = "feedbackType"
    range_key       = "timestamp"
    projection_type = "ALL"
  }

  # Deletion protection disabled (allows terraform destroy)
  deletion_protection_enabled = false

  # Point-in-time recovery
  point_in_time_recovery {
    enabled = true
  }

  # Server-side encryption (AWS managed)
  server_side_encryption {
    enabled = true
  }

}

Finding 6: CKV_AWS_158

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_158
  • Location: infra-terraform/modules/backend/feedback.tf:60-64

Description:
Ensure that CloudWatch Log Group is encrypted by KMS

Code Snippet:

resource "aws_cloudwatch_log_group" "feedback_lambda" {
  name              = "/aws/lambda/${var.stack_name_base}-feedback"
  retention_in_days = local.log_retention_days

}

Finding 7: CKV_AWS_338

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_338
  • Location: infra-terraform/modules/backend/feedback.tf:60-64

Description:
Ensure CloudWatch log groups retains logs for at least 1 year

Code Snippet:

resource "aws_cloudwatch_log_group" "feedback_lambda" {
  name              = "/aws/lambda/${var.stack_name_base}-feedback"
  retention_in_days = local.log_retention_days

}

Finding 8: CKV_AWS_117

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_117
  • Location: infra-terraform/modules/backend/feedback.tf:158-182

Description:
Ensure that AWS Lambda function is configured inside a VPC

Code Snippet:

resource "aws_lambda_function" "feedback" {
  function_name = "${var.stack_name_base}-feedback"
  role          = aws_iam_role.feedback_lambda.arn
  handler       = "index.handler"
  runtime       = "python3.13"
  timeout       = 30
  memory_size   = 256

  filename         = data.archive_file.feedback_lambda.output_path
  source_code_hash = data.archive_file.feedback_lambda.output_base64sha256

  # Lambda Powertools layer
  layers = [local.powertools_layer_arn]

  # Environment variables
  environment {
    variables = {
      TABLE_NAME           = aws_dynamodb_table.feedback.name
      CORS_ALLOWED_ORIGINS = "${var.frontend_url},http://localhost:3000"
    }
  }

  depends_on = [aws_cloudwatch_log_group.feedback_lambda]

}

Finding 9: CKV_AWS_173

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_173
  • Location: infra-terraform/modules/backend/feedback.tf:158-182

Description:
Check encryption settings for Lambda environmental variable

Code Snippet:

resource "aws_lambda_function" "feedback" {
  function_name = "${var.stack_name_base}-feedback"
  role          = aws_iam_role.feedback_lambda.arn
  handler       = "index.handler"
  runtime       = "python3.13"
  timeout       = 30
  memory_size   = 256

  filename         = data.archive_file.feedback_lambda.output_path
  source_code_hash = data.archive_file.feedback_lambda.output_base64sha256

  # Lambda Powertools layer
  layers = [local.powertools_layer_arn]

  # Environment variables
  environment {
    variables = {
      TABLE_NAME           = aws_dynamodb_table.feedback.name
      CORS_ALLOWED_ORIGINS = "${var.frontend_url},http://localhost:3000"
    }
  }

  depends_on = [aws_cloudwatch_log_group.feedback_lambda]

}

Finding 10: CKV_AWS_50

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_50
  • Location: infra-terraform/modules/backend/feedback.tf:158-182

Description:
X-Ray tracing is enabled for Lambda

Code Snippet:

resource "aws_lambda_function" "feedback" {
  function_name = "${var.stack_name_base}-feedback"
  role          = aws_iam_role.feedback_lambda.arn
  handler       = "index.handler"
  runtime       = "python3.13"
  timeout       = 30
  memory_size   = 256

  filename         = data.archive_file.feedback_lambda.output_path
  source_code_hash = data.archive_file.feedback_lambda.output_base64sha256

  # Lambda Powertools layer
  layers = [local.powertools_layer_arn]

  # Environment variables
  environment {
    variables = {
      TABLE_NAME           = aws_dynamodb_table.feedback.name
      CORS_ALLOWED_ORIGINS = "${var.frontend_url},http://localhost:3000"
    }
  }

  depends_on = [aws_cloudwatch_log_group.feedback_lambda]

}

Finding 11: CKV_AWS_116

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_116
  • Location: infra-terraform/modules/backend/feedback.tf:158-182

Description:
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)

Code Snippet:

resource "aws_lambda_function" "feedback" {
  function_name = "${var.stack_name_base}-feedback"
  role          = aws_iam_role.feedback_lambda.arn
  handler       = "index.handler"
  runtime       = "python3.13"
  timeout       = 30
  memory_size   = 256

  filename         = data.archive_file.feedback_lambda.output_path
  source_code_hash = data.archive_file.feedback_lambda.output_base64sha256

  # Lambda Powertools layer
  layers = [local.powertools_layer_arn]

  # Environment variables
  environment {
    variables = {
      TABLE_NAME           = aws_dynamodb_table.feedback.name
      CORS_ALLOWED_ORIGINS = "${var.frontend_url},http://localhost:3000"
    }
  }

  depends_on = [aws_cloudwatch_log_group.feedback_lambda]

}

Finding 12: CKV_AWS_115

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_115
  • Location: infra-terraform/modules/backend/feedback.tf:158-182

Description:
Ensure that AWS Lambda function is configured for function-level concurrent execution limit

Code Snippet:

resource "aws_lambda_function" "feedback" {
  function_name = "${var.stack_name_base}-feedback"
  role          = aws_iam_role.feedback_lambda.arn
  handler       = "index.handler"
  runtime       = "python3.13"
  timeout       = 30
  memory_size   = 256

  filename         = data.archive_file.feedback_lambda.output_path
  source_code_hash = data.archive_file.feedback_lambda.output_base64sha256

  # Lambda Powertools layer
  layers = [local.powertools_layer_arn]

  # Environment variables
  environment {
    variables = {
      TABLE_NAME           = aws_dynamodb_table.feedback.name
      CORS_ALLOWED_ORIGINS = "${var.frontend_url},http://localhost:3000"
    }
  }

  depends_on = [aws_cloudwatch_log_group.feedback_lambda]

}

Finding 13: CKV_AWS_272

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_272
  • Location: infra-terraform/modules/backend/feedback.tf:158-182

Description:
Ensure AWS Lambda function is configured to validate code-signing

Code Snippet:

resource "aws_lambda_function" "feedback" {
  function_name = "${var.stack_name_base}-feedback"
  role          = aws_iam_role.feedback_lambda.arn
  handler       = "index.handler"
  runtime       = "python3.13"
  timeout       = 30
  memory_size   = 256

  filename         = data.archive_file.feedback_lambda.output_path
  source_code_hash = data.archive_file.feedback_lambda.output_base64sha256

  # Lambda Powertools layer
  layers = [local.powertools_layer_arn]

  # Environment variables
  environment {
    variables = {
      TABLE_NAME           = aws_dynamodb_table.feedback.name
      CORS_ALLOWED_ORIGINS = "${var.frontend_url},http://localhost:3000"
    }
  }

  depends_on = [aws_cloudwatch_log_group.feedback_lambda]

}

Finding 14: CKV_AWS_237

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_237
  • Location: infra-terraform/modules/backend/feedback.tf:188-196

Description:
Ensure Create before destroy for API Gateway

Code Snippet:

resource "aws_api_gateway_rest_api" "feedback" {
  name        = "${var.stack_name_base}-feedback-api"
  description = "API Gateway for feedback collection"

  endpoint_configuration {
    types = ["REGIONAL"]
  }

}

Finding 15: CKV_AWS_120

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_120
  • Location: infra-terraform/modules/backend/feedback.tf:340-365

Description:
Ensure API Gateway caching is enabled

Code Snippet:

resource "aws_api_gateway_stage" "prod" {
  stage_name    = "prod"
  rest_api_id   = aws_api_gateway_rest_api.feedback.id
  deployment_id = aws_api_gateway_deployment.feedback.id

  # Access logs
  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.api_gateway_access.arn
    format = jsonencode({
      requestId        = "$context.requestId"
      ip               = "$context.identity.sourceIp"
      caller           = "$context.identity.caller"
      user             = "$context.identity.user"
      requestTime      = "$context.requestTime"
      httpMethod       = "$context.httpMethod"
      resourcePath     = "$context.resourcePath"
      status           = "$context.status"
      protocol         = "$context.protocol"
      responseLength   = "$context.responseLength"
      integrationError = "$context.integrationErrorMessage"
    })
  }


  depends_on = [aws_cloudwatch_log_group.api_gateway_access]
}

Finding 16: CKV_AWS_73

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_73
  • Location: infra-terraform/modules/backend/feedback.tf:340-365

Description:
Ensure API Gateway has X-Ray Tracing enabled

Code Snippet:

resource "aws_api_gateway_stage" "prod" {
  stage_name    = "prod"
  rest_api_id   = aws_api_gateway_rest_api.feedback.id
  deployment_id = aws_api_gateway_deployment.feedback.id

  # Access logs
  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.api_gateway_access.arn
    format = jsonencode({
      requestId        = "$context.requestId"
      ip               = "$context.identity.sourceIp"
      caller           = "$context.identity.caller"
      user             = "$context.identity.user"
      requestTime      = "$context.requestTime"
      httpMethod       = "$context.httpMethod"
      resourcePath     = "$context.resourcePath"
      status           = "$context.status"
      protocol         = "$context.protocol"
      responseLength   = "$context.responseLength"
      integrationError = "$context.integrationErrorMessage"
    })
  }


  depends_on = [aws_cloudwatch_log_group.api_gateway_access]
}

Finding 17: CKV_AWS_158

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_158
  • Location: infra-terraform/modules/backend/feedback.tf:368-372

Description:
Ensure that CloudWatch Log Group is encrypted by KMS

Code Snippet:

resource "aws_cloudwatch_log_group" "api_gateway_access" {
  name              = "/aws/apigateway/${var.stack_name_base}-feedback-api/access-logs"
  retention_in_days = local.log_retention_days

}

Finding 18: CKV_AWS_338

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_338
  • Location: infra-terraform/modules/backend/feedback.tf:368-372

Description:
Ensure CloudWatch log groups retains logs for at least 1 year

Code Snippet:

resource "aws_cloudwatch_log_group" "api_gateway_access" {
  name              = "/aws/apigateway/${var.stack_name_base}-feedback-api/access-logs"
  retention_in_days = local.log_retention_days

}

Finding 19: CKV_AWS_158

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_158
  • Location: infra-terraform/modules/backend/gateway.tf:13-17

Description:
Ensure that CloudWatch Log Group is encrypted by KMS

Code Snippet:

resource "aws_cloudwatch_log_group" "tool_lambda" {
  name              = "/aws/lambda/${var.stack_name_base}-sample-tool"
  retention_in_days = local.log_retention_days

}

Finding 20: CKV_AWS_338

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_338
  • Location: infra-terraform/modules/backend/gateway.tf:13-17

Description:
Ensure CloudWatch log groups retains logs for at least 1 year

Code Snippet:

resource "aws_cloudwatch_log_group" "tool_lambda" {
  name              = "/aws/lambda/${var.stack_name_base}-sample-tool"
  retention_in_days = local.log_retention_days

}

Finding 21: CKV_AWS_117

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_117
  • Location: infra-terraform/modules/backend/gateway.tf:70-82

Description:
Ensure that AWS Lambda function is configured inside a VPC

Code Snippet:

resource "aws_lambda_function" "sample_tool" {
  function_name = "${var.stack_name_base}-sample-tool"
  role          = aws_iam_role.tool_lambda.arn
  handler       = "sample_tool_lambda.handler"
  runtime       = "python3.13"
  timeout       = 30

  filename         = data.archive_file.tool_lambda.output_path
  source_code_hash = data.archive_file.tool_lambda.output_base64sha256

  depends_on = [aws_cloudwatch_log_group.tool_lambda]

}

Finding 22: CKV_AWS_50

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_50
  • Location: infra-terraform/modules/backend/gateway.tf:70-82

Description:
X-Ray tracing is enabled for Lambda

Code Snippet:

resource "aws_lambda_function" "sample_tool" {
  function_name = "${var.stack_name_base}-sample-tool"
  role          = aws_iam_role.tool_lambda.arn
  handler       = "sample_tool_lambda.handler"
  runtime       = "python3.13"
  timeout       = 30

  filename         = data.archive_file.tool_lambda.output_path
  source_code_hash = data.archive_file.tool_lambda.output_base64sha256

  depends_on = [aws_cloudwatch_log_group.tool_lambda]

}

Finding 23: CKV_AWS_116

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_116
  • Location: infra-terraform/modules/backend/gateway.tf:70-82

Description:
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)

Code Snippet:

resource "aws_lambda_function" "sample_tool" {
  function_name = "${var.stack_name_base}-sample-tool"
  role          = aws_iam_role.tool_lambda.arn
  handler       = "sample_tool_lambda.handler"
  runtime       = "python3.13"
  timeout       = 30

  filename         = data.archive_file.tool_lambda.output_path
  source_code_hash = data.archive_file.tool_lambda.output_base64sha256

  depends_on = [aws_cloudwatch_log_group.tool_lambda]

}

Finding 24: CKV_AWS_115

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_115
  • Location: infra-terraform/modules/backend/gateway.tf:70-82

Description:
Ensure that AWS Lambda function is configured for function-level concurrent execution limit

Code Snippet:

resource "aws_lambda_function" "sample_tool" {
  function_name = "${var.stack_name_base}-sample-tool"
  role          = aws_iam_role.tool_lambda.arn
  handler       = "sample_tool_lambda.handler"
  runtime       = "python3.13"
  timeout       = 30

  filename         = data.archive_file.tool_lambda.output_path
  source_code_hash = data.archive_file.tool_lambda.output_base64sha256

  depends_on = [aws_cloudwatch_log_group.tool_lambda]

}

Finding 25: CKV_AWS_272

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_272
  • Location: infra-terraform/modules/backend/gateway.tf:70-82

Description:
Ensure AWS Lambda function is configured to validate code-signing

Code Snippet:

resource "aws_lambda_function" "sample_tool" {
  function_name = "${var.stack_name_base}-sample-tool"
  role          = aws_iam_role.tool_lambda.arn
  handler       = "sample_tool_lambda.handler"
  runtime       = "python3.13"
  timeout       = 30

  filename         = data.archive_file.tool_lambda.output_path
  source_code_hash = data.archive_file.tool_lambda.output_base64sha256

  depends_on = [aws_cloudwatch_log_group.tool_lambda]

}

Finding 26: CKV_AWS_158

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_158
  • Location: infra-terraform/modules/backend/oauth2_provider.tf:23-27

Description:
Ensure that CloudWatch Log Group is encrypted by KMS

Code Snippet:

resource "aws_cloudwatch_log_group" "oauth2_provider" {
  name              = "/aws/lambda/${var.stack_name_base}-oauth2-provider"
  retention_in_days = 7

}

Finding 27: CKV_AWS_338

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_338
  • Location: infra-terraform/modules/backend/oauth2_provider.tf:23-27

Description:
Ensure CloudWatch log groups retains logs for at least 1 year

Code Snippet:

resource "aws_cloudwatch_log_group" "oauth2_provider" {
  name              = "/aws/lambda/${var.stack_name_base}-oauth2-provider"
  retention_in_days = 7

}

Finding 28: CKV_AWS_117

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_117
  • Location: infra-terraform/modules/backend/oauth2_provider.tf:144-158

Description:
Ensure that AWS Lambda function is configured inside a VPC

Code Snippet:

resource "aws_lambda_function" "oauth2_provider" {
  filename         = data.archive_file.oauth2_provider.output_path
  function_name    = "${var.stack_name_base}-oauth2-provider"
  role             = aws_iam_role.oauth2_provider.arn
  handler          = "index.handler"
  source_code_hash = data.archive_file.oauth2_provider.output_base64sha256
  runtime          = "python3.13"
  timeout          = 300 # 5 minutes


  depends_on = [
    aws_cloudwatch_log_group.oauth2_provider,
    aws_iam_role_policy.oauth2_provider
  ]
}

Finding 29: CKV_AWS_50

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_50
  • Location: infra-terraform/modules/backend/oauth2_provider.tf:144-158

Description:
X-Ray tracing is enabled for Lambda

Code Snippet:

resource "aws_lambda_function" "oauth2_provider" {
  filename         = data.archive_file.oauth2_provider.output_path
  function_name    = "${var.stack_name_base}-oauth2-provider"
  role             = aws_iam_role.oauth2_provider.arn
  handler          = "index.handler"
  source_code_hash = data.archive_file.oauth2_provider.output_base64sha256
  runtime          = "python3.13"
  timeout          = 300 # 5 minutes


  depends_on = [
    aws_cloudwatch_log_group.oauth2_provider,
    aws_iam_role_policy.oauth2_provider
  ]
}

Finding 30: CKV_AWS_116

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_116
  • Location: infra-terraform/modules/backend/oauth2_provider.tf:144-158

Description:
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)

Code Snippet:

resource "aws_lambda_function" "oauth2_provider" {
  filename         = data.archive_file.oauth2_provider.output_path
  function_name    = "${var.stack_name_base}-oauth2-provider"
  role             = aws_iam_role.oauth2_provider.arn
  handler          = "index.handler"
  source_code_hash = data.archive_file.oauth2_provider.output_base64sha256
  runtime          = "python3.13"
  timeout          = 300 # 5 minutes


  depends_on = [
    aws_cloudwatch_log_group.oauth2_provider,
    aws_iam_role_policy.oauth2_provider
  ]
}

Finding 31: CKV_AWS_115

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_115
  • Location: infra-terraform/modules/backend/oauth2_provider.tf:144-158

Description:
Ensure that AWS Lambda function is configured for function-level concurrent execution limit

Code Snippet:

resource "aws_lambda_function" "oauth2_provider" {
  filename         = data.archive_file.oauth2_provider.output_path
  function_name    = "${var.stack_name_base}-oauth2-provider"
  role             = aws_iam_role.oauth2_provider.arn
  handler          = "index.handler"
  source_code_hash = data.archive_file.oauth2_provider.output_base64sha256
  runtime          = "python3.13"
  timeout          = 300 # 5 minutes


  depends_on = [
    aws_cloudwatch_log_group.oauth2_provider,
    aws_iam_role_policy.oauth2_provider
  ]
}

Finding 32: CKV_AWS_272

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_272
  • Location: infra-terraform/modules/backend/oauth2_provider.tf:144-158

Description:
Ensure AWS Lambda function is configured to validate code-signing

Code Snippet:

resource "aws_lambda_function" "oauth2_provider" {
  filename         = data.archive_file.oauth2_provider.output_path
  function_name    = "${var.stack_name_base}-oauth2-provider"
  role             = aws_iam_role.oauth2_provider.arn
  handler          = "index.handler"
  source_code_hash = data.archive_file.oauth2_provider.output_base64sha256
  runtime          = "python3.13"
  timeout          = 300 # 5 minutes


  depends_on = [
    aws_cloudwatch_log_group.oauth2_provider,
    aws_iam_role_policy.oauth2_provider
  ]
}

Finding 33: CKV_AWS_149

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_149
  • Location: infra-terraform/modules/backend/ssm.tf:86-90

Description:
Ensure that Secrets Manager secret is encrypted using KMS CMK

Code Snippet:

resource "aws_secretsmanager_secret" "machine_client_secret" {
  name        = "${local.ssm_parameter_prefix}/machine_client_secret"
  description = "Machine Client Secret for M2M authentication"

}

Finding 34: CKV_AWS_158


This issue was automatically created by the monthly security scan workflow.
