feat(codepipeline-actions): support InspectorEcrImageScanAction and InspectorSourceCodeScanAction actions

[go-to-k]

Issue # (if applicable)

Closes #33377.

Reason for this change

AWS CodePipeline introduces new build action: InspectorScan action.

• What's new: https://aws.amazon.com/jp/about-aws/whats-new/2024/11/aws-codepipeline-publishing-ecr-image-aws-inspectorscan-actions/
• Ref: https://docs.aws.amazon.com/codepipeline/latest/userguide/action-reference-InspectorScan.html
• IAM management: https://docs.aws.amazon.com/codepipeline/latest/userguide/security-iam.html#how-to-custom-role

Description of changes

Add InspectorEcrImageScanAction and InspectorSourceCodeScanAction classes that extends BaseInspectorScan class.

The BaseInspectorScan class that extends Action class to aws-codepipeline-actions module.

Describe any new or updated permissions being added

Description of how you validated changes

Both unit and integ tests

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.98%. Comparing base (3154d01) to head (231c074).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33378   +/-   ##
=======================================
  Coverage   83.98%   83.98%           
=======================================
  Files         120      120           
  Lines        6976     6976           
  Branches     1178     1178           
=======================================
  Hits         5859     5859           
  Misses       1005     1005           
  Partials      112      112           

Flag	Coverage Δ
suite.unit	83.98% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	83.98% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[go-to-k]

This and other common code are about the common behavior of the base class.

But as users are not aware of the base class because they call the subclasses directly, and in case there are any changes by contributors, it is also confirmation for regressions in the subclasses. Therefore, the tests in inspector-ecr-image-scan-action.test.ts and inspector-source-code-scan-action.test.ts are partially identical.
This also makes the test useful even if the base class is deleted and each class is implemented independently in the future.

[5d]

LGTM

[5d]

Great work! 👍 Thanks

[go-to-k]

@Mergifyio update

[mergify]

update

❌ Mergify doesn't have permission to update

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/README.md without workflows permission

[go-to-k]

@5d
Thanks for your approval!

But the merge process doesn't seem to be running. Could you please address this?

[shikha372]

@Mergifyio update

[mergify]

update

❌ Mergify doesn't have permission to update

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/README.md without workflows permission

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

Pull request has been modified.

[go-to-k]

@5d @shikha372

I updated the branch locally to address the mergify error.

In addition, the following changes were made:

• The link on the cp-action's reference page seems to have changed in the last few days, so I changed that as well.
  • commit: 6cfd08c
• The already existing method for ecr:GetAuthorizationToken is now used.
  • commit: 81c8c5c
• A vulnerability was found in the Dockerfile for the integ test and the scan failed, so the threshold in the test was changed to avoid the error.
  • commit: b6edaf8
• Since the feature flag (@aws-cdk/pipelines:reduceStageRoleTrustScope) was introduced in this PR, changes to the snapshot occur unless specified in the integ tests. So specified the flag in the integ tests.
  • commit: bdb589d

Could you please check it again and merge it if you are okay?

[5d]

LGTM

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 231c074
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.