AWS CodePipeline Generator
Create secure AWS CodePipeline configurations with integrated security scanning and best practices.
What is AWS CodePipeline?
AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of your release process every time there is a code change, based on the release model you define.
Security Features
AWS CodeBuild Integration
Use AWS CodeBuild to run security scanning tools like SonarQube, OWASP Dependency Check, and more as part of your build process.
Amazon Inspector
Integrate Amazon Inspector to automatically assess applications for vulnerabilities or deviations from best practices.
AWS Security Hub
Connect your pipeline to AWS Security Hub to aggregate, organize, and prioritize security findings from multiple AWS services.
AWS Lambda for Custom Scanning
Use AWS Lambda functions to run custom security checks and validations as part of your pipeline.
Sample Pipeline
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Secure AWS CodePipeline with integrated security scanning",
"Resources": {
"ArtifactBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"VersioningConfiguration": {
"Status": "Enabled"
}
}
},
"CodeBuildServiceRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
"arn:aws:iam::aws:policy/AmazonECR-FullAccess"
]
}
},
"CodePipelineServiceRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codepipeline.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess",
"arn:aws:iam::aws:policy/AmazonS3FullAccess"
]
}
},
"BuildProject": {
"Type": "AWS::CodeBuild::Project",
"Properties": {
"Artifacts": {
"Type": "CODEPIPELINE"
},
"Environment": {
"Type": "LINUX_CONTAINER",
"ComputeType": "BUILD_GENERAL1_SMALL",
"Image": "aws/codebuild/amazonlinux2-x86_64-standard:3.0",
"PrivilegedMode": true
},
"ServiceRole": {
"Fn::GetAtt": [
"CodeBuildServiceRole",
"Arn"
]
},
"Source": {
"Type": "CODEPIPELINE",
"BuildSpec": "buildspec.yml"
}
}
},
"SecurityScanProject": {
"Type": "AWS::CodeBuild::Project",
"Properties": {
"Artifacts": {
"Type": "CODEPIPELINE"
},
"Environment": {
"Type": "LINUX_CONTAINER",
"ComputeType": "BUILD_GENERAL1_SMALL",
"Image": "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
},
"ServiceRole": {
"Fn::GetAtt": [
"CodeBuildServiceRole",
"Arn"
]
},
"Source": {
"Type": "CODEPIPELINE",
"BuildSpec": "securityscan.yml"
}
}
},
"Pipeline": {
"Type": "AWS::CodePipeline::Pipeline",
"Properties": {
"RoleArn": {
"Fn::GetAtt": [
"CodePipelineServiceRole",
"Arn"
]
},
"ArtifactStore": {
"Type": "S3",
"Location": {
"Ref": "ArtifactBucket"
}
},
"Stages": [
{
"Name": "Source",
"Actions": [
{
"Name": "Source",
"ActionTypeId": {
"Category": "Source",
"Owner": "AWS",
"Provider": "CodeStarSourceConnection",
"Version": "1"
},
"Configuration": {
"ConnectionArn": "arn:aws:codestar-connections:region:account-id:connection/connection-id",
"FullRepositoryId": "owner/repo",
"BranchName": "main"
},
"OutputArtifacts": [
{
"Name": "SourceCode"
}
]
}
]
},
{
"Name": "SecurityScan",
"Actions": [
{
"Name": "StaticAnalysis",
"ActionTypeId": {
"Category": "Build",
"Owner": "AWS",
"Provider": "CodeBuild",
"Version": "1"
},
"Configuration": {
"ProjectName": {
"Ref": "SecurityScanProject"
}
},
"InputArtifacts": [
{
"Name": "SourceCode"
}
],
"OutputArtifacts": [
{
"Name": "SecurityScanOutput"
}
]
}
]
},
{
"Name": "Build",
"Actions": [
{
"Name": "BuildAndTest",
"ActionTypeId": {
"Category": "Build",
"Owner": "AWS",
"Provider": "CodeBuild",
"Version": "1"
},
"Configuration": {
"ProjectName": {
"Ref": "BuildProject"
}
},
"InputArtifacts": [
{
"Name": "SourceCode"
}
],
"OutputArtifacts": [
{
"Name": "BuildOutput"
}
]
}
]
},
{
"Name": "Deploy",
"Actions": [
{
"Name": "DeployToStaging",
"ActionTypeId": {
"Category": "Deploy",
"Owner": "AWS",
"Provider": "CloudFormation",
"Version": "1"
},
"Configuration": {
"ActionMode": "CREATE_UPDATE",
"StackName": "StagingStack",
"TemplatePath": "BuildOutput::template.yaml",
"Capabilities": "CAPABILITY_IAM",
"RoleArn": "arn:aws:iam::account-id:role/CloudFormationRole"
},
"InputArtifacts": [
{
"Name": "BuildOutput"
}
]
}
]
}
]
}
}
}
}Security Scan BuildSpec Example
version: 0.2
phases:
install:
runtime-versions:
java: corretto11
commands:
# Install security scanning tools
- pip install safety
- wget -O /tmp/sonar-scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip
- unzip /tmp/sonar-scanner.zip -d /opt
- export PATH=$PATH:/opt/sonar-scanner-4.6.2.2472-linux/bin
pre_build:
commands:
# Prepare for security scanning
- echo "Preparing for security scanning"
- export SONAR_SCANNER_OPTS="-Dsonar.projectKey=my-project -Dsonar.sources=. -Dsonar.host.url=https://sonarqube.example.com -Dsonar.login=$SONAR_TOKEN"
build:
commands:
# Run security scans
- echo "Running security scans"
- sonar-scanner
- safety check -r requirements.txt --json > safety-report.json
- |
if [ -f package.json ]; then
npm audit --json > npm-audit.json
fi
- |
if [ -f pom.xml ]; then
mvn org.owasp:dependency-check-maven:check
fi
post_build:
commands:
# Check scan results and fail if necessary
- echo "Checking scan results"
- |
if grep -q "high" safety-report.json; then
echo "High severity vulnerabilities found in Python dependencies"
exit 1
fi
- |
if [ -f npm-audit.json ] && grep -q "high|critical" npm-audit.json; then
echo "High or critical severity vulnerabilities found in npm dependencies"
exit 1
fi
artifacts:
files:
- safety-report.json
- npm-audit.json
- target/dependency-check-report.xml
discard-paths: noGetting Started
- Set up AWS CodePipeline in your AWS account
- Create a CloudFormation template for your pipeline configuration
- Configure security scanning in your buildspec files
- Set up appropriate IAM roles for your pipeline and build projects
- Deploy your pipeline using CloudFormation or the AWS Console
Advertisement