updating

Author: damienjburks

terraform/pipelines/buildspecs/awsome-fastapi/build.yml

@@ -46,7 +46,7 @@ phases:
               - name: $IMAGE_REPO_NAME
                 image: $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME:latest
                 ports:
-                - containerPort: 8080
+                - containerPort: 80
                 livenessProbe:
                   httpGet:
                     path: /

terraform/pipelines/modules/codepipeline/buildspecs/ossdepscan.yml

@@ -5,28 +5,24 @@ phases:
     runtime-versions:
       python: 3.9
     commands:
-      - echo "Installing dependency scanning tools..."
+      - echo "Installing container scanning tools..."
       - pip install --upgrade pip
       - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
   pre_build:
     commands:
-      - echo "Running pre-scan checks..."
-      - pip install -r requirements.txt
+      - echo "Building Docker Container"
+      - docker build -t $IMAGE_REPO_NAME:latest .
   build:
     commands:
-      - echo "Scanning dependencies for vulnerabilities with Trivy..."
-      - trivy fs --scanners vuln --severity HIGH,CRITICAL .
+      - echo "Scanning container for vulnerabilities with Trivy..."
+      # Fail the build on HIGH and CRITICAL vulnerabilities
+      - ./bin/trivy image --severity HIGH,CRITICAL --exit-code 1 $IMAGE_REPO_NAME:latest
   post_build:
     commands:
-      - echo "Dependency scanning completed."
+      - echo "Container Scanning completed."
 
 artifacts:
   files:
     - "**/*"
   discard-paths: yes
-
-reports:
-  trivy_vulnerabilities:
-    files:
-      - "trivy-results.json"
-    file-format: JSON
+  

terraform/pipelines/modules/codepipeline/buildspecs/sastscanning.yml

@@ -3,35 +3,25 @@ version: 0.2
 phases:
   install:
     runtime-versions:
-      nodejs: 16
+      nodejs: 20
+      python: 3.12
     commands:
       - echo "Installing Snyk CLI..."
       - npm install -g snyk
       - snyk auth ${SNYK_TOKEN}  # Authenticate using the Snyk token
   pre_build:
     commands:
-      - echo "Preparing for Snyk scanning..."
-      - snyk test --json > snyk_test_results.json || true  # Run dependency scanning
+      - echo "Preparing for Snyk dependency scanning..."
+      # Fail the build if high or critical vulnerabilities are found
+      - snyk test --file=prerequirements.txt --severity-threshold=high
   build:
     commands:
-      - echo "Running Snyk security checks..."
-      - snyk code --json > snyk_code_results.json || true  # Run code scanning
+      - echo "Running Snyk code security checks..."
+      # Fail the build if high or critical code vulnerabilities are found
+      - snyk code test --severity-threshold=high
   post_build:
     commands:
       - echo "Snyk scanning completed."
-      - echo "Uploading reports..."
+
 artifacts:
-  files:
-    - snyk_test_results.json
-    - snyk_code_results.json
   discard-paths: no
-
-reports:
-  snyk_vulnerabilities:
-    files:
-      - snyk_test_results.json
-    file-format: JSON
-  snyk_code_issues:
-    files:
-      - snyk_code_results.json
-    file-format: JSON

terraform/pipelines/modules/codepipeline/main.tf

@@ -148,6 +148,15 @@ resource "aws_iam_policy" "codebuild_policy" {
           "${var.s3_bucket_arn}/*"
         ]
       },
+      {
+        Effect = "Allow"
+        Action = [
+          "codebuild:CreateReportGroup",
+          "codebuild:CreateReport",
+          "codebuild:UpdateReport"
+        ]
+        Resource = "*"
+      },
       {
         Effect = "Allow"
         Action = [
@@ -377,6 +386,11 @@ resource "aws_codebuild_project" "oss_scanning_project" {
     image           = var.build_image
     type            = var.environment_type
     privileged_mode = var.privileged_mode
+
+    environment_variable {
+      name  = "IMAGE_REPO_NAME"
+      value = aws_ecr_repository.this.name
+    }
   }
 
   source {