From 9b2d4e11678e5efe6f2863ac70c01c6697484411 Mon Sep 17 00:00:00 2001
From: Sujay Narsale
Date: Wed, 2 Aug 2023 00:31:52 -0700
Subject: [PATCH 1/2] Add GH Action to invoke CodeGuru Security
---
 .../workflows/analyze-codeguru-security.yml | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 .github/workflows/analyze-codeguru-security.yml
diff --git a/.github/workflows/analyze-codeguru-security.yml b/.github/workflows/analyze-codeguru-security.yml
new file mode 100644
index 0000000..0c0bb7d
--- /dev/null
+++ b/.github/workflows/analyze-codeguru-security.yml
@@ -0,0 +1,49 @@
+name: CodeGuru Security Example
+on:
+ pull_request:
+ # for all branches (no filter)
+ push:
+ branches:
+ - 'main'
+
+permissions:
+ id-token: write
+ # for writing security events.
+ security-events: write
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Respository
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: arn:aws:iam::048169001733:role/CodeGuruSecurityGitHubAccessRole
+ aws-region: us-east-1
+ role-session-name: GitHubActionScript
+
+ - name: CodeGuru Security
+ uses: aws-actions/codeguru-security@v1
+ with:
+ source_path: .
+ aws_region: us-east-1
+ fail_on_severity: Critical
+ - name: Print findings
+ run: |
+ ls -l
+ cat codeguru-security-results.sarif.json
+
+ # If you want content in security scanning, you’ll need to enable codescanning by going into github.
+ # https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository
+ - name: Upload result
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: codeguru-security-results.sarif.json
From 56ebd103bda12332eda2924e9c82514487971b1c Mon Sep 17 00:00:00 2001
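Review bot: Every third-party action in the `steps` block (`actions/checkout@v3`, `aws-actions/configure-aws-credentials@v2`, `aws-actions/codeguru-security@v1`, `github/codeql-action/upload-sarif@v2`) is pinned to a mutable major-version tag while the job holds `id-token: write` and assumes `CodeGuruSecurityGitHubAccessRole`, so a moved or compromised tag would execute with those AWS credentials. Pin each `uses:` to a full-length commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`, and let Dependabot bump the pins. The `pull_request` trigger presumably intends to cover fork PRs as well, but to my knowledge a fork-originated run is not granted the OIDC token the configure-aws-credentials step needs, so those runs will fail at that step rather than scan; a comment on the `on:` block stating the intended scope would help. The `Print findings` step `cat`s the complete SARIF into the job log, which on a public repository exposes every finding to anyone before triage, so consider dropping that line and relying on the Security tab upload below it. Minor: `Checkout Respository` is misspelled.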
From: =?UTF-8?q?Sujay=20Narsale=20=F0=9F=92=BB?=
Date: Wed, 2 Aug 2023 13:12:48 -0700
Subject: [PATCH 2/2] Remove condition to fail on critical findings
To match the reviewer check, removing the fail on critical findings condition so that the findings are uploaded to the Security tab. Will add a summary to the PR in a separate change.
---
 .github/workflows/analyze-codeguru-security.yml | 3 +--
 .gitignore | 1 +
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/analyze-codeguru-security.yml b/.github/workflows/analyze-codeguru-security.yml
index 0c0bb7d..47bc77f 100644
--- a/.github/workflows/analyze-codeguru-security.yml
+++ b/.github/workflows/analyze-codeguru-security.yml
@@ -1,4 +1,4 @@
-name: CodeGuru Security Example
+name: CodeGuru Security Check
 on:
 pull_request:
 # for all branches (no filter)
@@ -35,7 +35,6 @@ jobs:
 with:
 source_path: .
 aws_region: us-east-1
- fail_on_severity: Critical
 - name: Print findings
 run: |
 ls -l
diff --git a/.gitignore b/.gitignore
index 943b1f5..4017507 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ build/
 lib/
 .DS_Store
+.vscode/
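Review bot: With `fail_on_severity: Critical` gone from the `CodeGuru Security` step in the second hunk, nothing in the file records that findings are deliberately non-blocking, and the next reader will likely wonder whether the gate was dropped by accident; a comment above that step would settle it, e.g. `# Findings intentionally do not fail the job; they are surfaced in the Security tab by the upload-sarif step below.` The step now also runs with whatever default the action applies for that input, which I cannot confirm from here, so naming the intended behaviour in the comment protects against a future default change. Stylistically, the removal leaves `- name: Print findings` directly after `aws_region: us-east-1` with no blank line, unlike the other steps in this file. The enclosing `jobs:`/`steps:` block starts outside the hunk.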