feat: using Amazon CodeGuru Security in place of Amazon CodeGuru Reviewer

Author: reste85

.codecatalyst/workflows/build.yaml

@@ -41,50 +41,35 @@ Actions:
       # Required - Steps are sequential instructions that run shell commands
       Steps:
         - Run: ./mvnw -ntp clean
-  CodeGuruReview:
+  Code_Security_Review:
     DependsOn:
       - Mvn_Clean
-    Identifier: aws/build@v1.0.0
+    # Identifies the action. Do not modify this value.
+    Identifier: codecatalyst-labs/scan-with-codeguru-security@v1.0.0
+
+    # Specifies the source and/or artifacts to pass to the action as input.
     Inputs:
       # Optional
       Sources:
         - WorkflowSource # This specifies that the action requires this Workflow as a source
     Outputs:
       Reports:
-        MySAReport:
+        CodeguruSecuritySAST:
           Format: SARIFSA
           IncludePaths:
-            - output/recommendations.sarif.json
-    #          SuccessCriteria:
-    #            StaticAnalysisBug:
-    #              Number: 25
-    #              Severity: HIGH
-    #            StaticAnalysisSecurity:
-    #              Number: 5
-    #              Severity: CRITICAL
-    #            StaticAnalysisQuality:
-    #              Number: 10
-    #              Severity: INFORMATIONAL
+            - codegurusecurity.sarif
     Configuration:
-      # Required - Steps are sequential instructions that run shell commands
-      Steps:
-        # use run-tests $FRAMEWORK to enable advanced testing features such as test case retries
-        # see info link in shell commands section for more details
-        - Run: curl -OL https://github.com/aws/aws-codeguru-cli/releases/download/0.1.0/aws-codeguru-cli.zip
-        - Run: unzip aws-codeguru-cli.zip
-        - Run: export PATH=$PATH:./aws-codeguru-cli/bin
-        - Run: ./mvnw -ntp verify
-        - Run: aws-codeguru-cli --root-dir ./ --build target/classes --src src --output ./output --no-prompt
-    Compute:
-      Type: EC2
+      GenerateReport: true
+      Path: src
+    # Required; You can use an environment, AWS account connection, and role to access AWS resources.
     Environment:
       Connections:
         - Role: CodeCatalystTestEnvironmentRole
           Name: "123456789012"
       Name: TestEnvironment
   Mvn_Build_And_Deploy:
     DependsOn:
-      - CodeGuruReview
+      - Code_Security_Review
     # Identifies the action. Do not modify this value.
     Identifier: aws/build@v1.0.0
     # Specifies the source and/or artifacts to pass to the action as input.

CodeCatalystRolePolicyExample.json

@@ -13,31 +13,13 @@
     },
     {
       "Action": [
-        "codeguru-reviewer:ListRepositoryAssociations",
-        "codeguru-reviewer:AssociateRepository",
-        "codeguru-reviewer:DescribeRepositoryAssociation",
-        "codeguru-reviewer:CreateCodeReview",
-        "codeguru-reviewer:DescribeCodeReview",
-        "codeguru-reviewer:ListRecommendations",
-        "iam:CreateServiceLinkedRole"
+        "codeguru-security:CreateUploadUrl",
+        "codeguru-security:CreateScan",
+        "codeguru-security:GetScan",
+        "codeguru-security:GetFindings"
       ],
       "Resource": "*",
       "Effect": "Allow"
-    },
-    {
-      "Action": [
-        "s3:CreateBucket",
-        "s3:GetBucket*",
-        "s3:List*",
-        "s3:GetObject",
-        "s3:PutObject",
-        "s3:DeleteObject"
-      ],
-      "Resource": [
-        "arn:aws:s3:::codeguru-reviewer-cli-*",
-        "arn:aws:s3:::codeguru-reviewer-cli-*/*"
-      ],
-      "Effect": "Allow"
     }
   ]
 }

README.md

@@ -1,7 +1,7 @@
 # CodeCatalyst CI Workflows for Java-SpringBoot Application
 * This is a simple example of two Continuous Integration workflows created in CodeCatalyst for a Java & Spring-Boot based backend application. The application exposes one API to perform a sum between integers Calculation
 * The repository includes, inside the `.codecatalyst/workloads` folder, the definition of two CodeCatalyst workflows:
-  * `build.yaml`: the workflow builds the jar, performs a CodeGuru Reviewer full-repository scan, uploads it to CodeArtifact, builds the Docker images, uploads it to ECR
+  * `build.yaml`: the workflow builds the jar, performs a CodeGuru Security review, uploads it to CodeArtifact, builds the Docker images, uploads it to ECR
   * `test.yaml`: the workflow perform unit and coverage tests on code
 
 
@@ -55,16 +55,15 @@ For unit testing we leverage JUnit 5, and for coverage test we leverage Jacoco C
 This workflow performs several steps, more specifically:
 * Listing files
 * Maven Cleaning
-* Performs a CodeGuru Reviewer full-repository scan (the report that will be produced will be available for each run)
+* Performs a Code Security Review (the report that will be produced will be available for each run)
 * Building the jar & uploading it to CodeArtifact repository 
 * Building the Docker image and uploading it to ECR 
 
 ![](images/build_workflow.png?raw=true)
 
 ## Resources
 * [Setting up CodeCatalyst](https://docs.aws.amazon.com/codecatalyst/latest/userguide/setting-up-topnode.html)  
-* [Getting Started with CodeGuru Reviewer](https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/getting-started-with-guru.html)  
-* [CodeGuru Reviewer Wrapper CLI](https://github.com/aws/aws-codeguru-cli)
+* [Getting Started with CodeGuru Security](https://docs.aws.amazon.com/codeguru/latest/security-api/Welcome.html)
 * [Getting started with CodeArtifact](https://docs.aws.amazon.com/codeartifact/latest/ug/getting-started.html) 
 * [Amazon ECR User Guide](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html)