Loading...
Loading...
Run a fast AWS Security Agent diff scan on only the changed code since a git ref. Use when the user asks to scan changes, run a diff scan, check what changed for security issues, scan before committing, scan before PR, or any pre-commit/pre-push security check.
npx skill4agent add aws/agent-toolkit-for-aws diff-scanning-with-aws-security-agent.security-agent/config.jsonagent_space_idregionsetup-security-agent.security-agent/scans.json| Placeholder | How to resolve |
|---|---|
| |
| |
| |
| |
| |
| |
BASE_REF=HEADBASE_REF=maincd <absolute-workspace-path>
if [ "$BASE_REF" = "HEAD" ]; then
git diff HEAD > /tmp/diff.patch
else
git diff "$BASE_REF..HEAD" > /tmp/diff.patch
fi
[ -s /tmp/diff.patch ] || { echo "No changes vs $BASE_REF"; exit 1; }cd <absolute-workspace-path>
zip -r /tmp/source.zip . \
-x ".git/*" -x ".security-agent/*" -x "node_modules/*" \
-x "__pycache__/*" -x ".venv/*" -x "venv/*" \
-x "dist/*" -x "build/*" -x "target/*" \
-x ".mypy_cache/*" -x ".pytest_cache/*" -x ".tox/*" \
-x ".next/*" -x "cdk.out/*" -x ".DS_Store" -x "*.pyc"SCAN_ID="diff-$(date +%s)-$(openssl rand -hex 3)"
aws s3 cp /tmp/source.zip s3://<bucket>/security-scans/source/<WORKSPACE_ID>/source.zip
aws s3 cp /tmp/diff.patch s3://<bucket>/security-scans/diffs/${SCAN_ID}/diff.patchconfig.json → code_reviews[<abs_path>]aws securityagent create-code-review --agent-space-id <id> --title <title> \
--service-role <role-arn> \
--assets sourceCode=[{s3Location=s3://<bucket>/security-scans/source/<WORKSPACE_ID>/source.zip}]aws securityagent start-code-review-job --agent-space-id <id> --code-review-id <cr-id> \
--diff-source s3Uri=s3://<bucket>/security-scans/diffs/${SCAN_ID}/diff.patchResourceNotFoundExceptioncodeReviewJobIdscans.jsonscan_type: "DIFF"base_refaws securityagent batch-get-code-review-jobs --agent-space-id <id> --code-review-job-ids <job_id>.security-agent/findings-{scan_id}.mdBASE_REF=HEADdiff-<git-branch>-<timestamp>