Conversation
…Azure/AWS) Surface AWS/GCP/Azure cloud-posture services as integration-platform integrations whose checks satisfy evidence tasks — a separate feature from Cloud Tests, which is left untouched.
- 24 code-based manifest checks (GCP 5, Azure 11, AWS 8), each mapped to an evidence task; AWS checks assume the cross-account IAM role (STS) and use the AWS SDK, with the security logic in pure, unit-tested evaluators
- per-service mappedTasks added to both provider API projections (buildServiceTaskMappings) + IntegrationProviderResponse.services type
- per-service detail page: Cloud Tests scan toggle on top, "evidence provided" map linking to the tasks each service satisfies; cloud detail-page service rows navigate to it (status + task count, no inline toggle)
Cloud Tests (apps/api/src/cloud-security + cloud-tests UI) is unchanged.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… bugs Independently verified all 37 cubic-dev-ai findings (30 real, 7 false positives) and fixed the 30 real ones. Highlights:
- False pass / missed exposure: Azure SQL minimalTlsVersion 'None'; GCP firewall evaluating only the first TCP tuple; IPv6 (::/0) missed by AWS EC2 + GCP VPC + Azure NSG; Azure NSG port-range parsing; Azure SQL firewall-read errors no longer coerced to a clean pass; Azure storage/key-vault honor publicNetworkAccess=Disabled; AWS S3 unions account-level Block Public Access; AWS KMS only evaluates rotation-eligible (symmetric/AWS_KMS) keys; Azure Entra detects dataActions wildcards + permission-based privileged roles; Azure monitor requires enabled log categories and fails on unreadable alerts.
- Robustness: pagination for GCP storage/vpc/cloud-sql lists; GCP IAM pass scoped to direct project bindings; GCP Cloud SQL replicas skipped; discovery errors surfaced via ctx.warn; AWS S3 followRegionRedirects; root-key wording; per-service toggle gated on manageable services; task-fetch error state; a shared task-template helper (dedup).
Adds @aws-sdk/client-s3-control. +7 regression tests (146 package tests pass).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ings' into worktree-cloud-posture-task-mappings
Verified all 10 follow-up findings and fixed them:
- AWS CloudTrail: require GetTrailStatus.IsLogging (a multi-region+validated trail can be stopped → was a false pass)
- AWS S3 encryption: distinguish "no encryption configured" from read errors; indeterminate buckets are excluded instead of failed
- Azure ARM pagination: validate nextLink stays on the ARM host before following (don't send the bearer token to an unexpected host)
- GCP IAM: evaluate inherited folder/org bindings (ancestry walk); only emit a pass when the full hierarchy was readable and clean
- GCP Cloud SQL SSL: sslMode takes precedence over legacy requireSsl
- Azure NSG: only flag SSH/RDP/DB on TCP/any-protocol rules
- AWS region parsing rejects blank strings; IAM no-policy detection broadened
- ServiceCard shows "Always scanned" (not "Scanning off") for baseline services
- ServiceDetailView validates the URL connectionId against the provider's connections before using it
+ regression tests. 149 package tests pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…IPv6 wording
- AWS KMS: wrap DescribeKey in try/catch so one unreadable key is skipped instead of aborting the entire rotation scan
- AWS RDS: skip Aurora instances in the backups check — Aurora backups are cluster-level and the instance BackupRetentionPeriod is unreliable, so coercing it to 0 was a false "backups disabled" finding
- GCP VPC: failure description + remediation now reference the actual open public range(s) (0.0.0.0/0 and/or ::/0) instead of hardcoded IPv4
+ regression tests (Aurora skip). 149 package tests pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Backend checks — apply cross-cutting correctness patterns uniformly:
- error-reads-never-silent-pass: Azure monitor/sql now FAIL (not silently
pass) when diagnostic-settings, SQL auditing, or firewall reads error;
s3 BPA read errors mark public-access indeterminate instead of "missing";
entra-id emits "could not verify" when role definitions can't be resolved.
- per-project resilience (GCP): cloud-sql-backups/ssl, storage, vpc, iam
wrap each project in try/catch so one project's API error no longer aborts
the whole check; project-scoped resourceIds (`${projectId}/${name}`) so
same-named resources across projects don't collide.
- AWS Aurora evaluated at CLUSTER level (DescribeDBClusters) for encryption
and backups; Aurora instances excluded from instance-level checks (no more
false failures).
- protocol gating: EC2/Azure-NSG only flag SSH/RDP/DB on TCP/any-protocol;
all-ports detection now matches explicit full ranges (0-65535), not just '*'.
- CloudTrail scans all selected regions (dedupe by ARN) and treats an
unreadable GetTrailStatus as unknown, not a false "not logging" failure.
- GCP storage: drop the publicAccessPrevention='inherited' false-positive
(org policy may enforce it); keep uniform-bucket-level-access signal.
- VPC firewall check honestly scopes itself to VPC rules (records
firewallPoliciesEvaluated:false) rather than over-claiming.
- input hygiene: trim Azure subscription_id; sanitize GCP project_ids with
fallback to discovery; warn on pagination page-cap truncation.
- entra-id: permission-based privileged-role classification (role-name set is
fallback only); broader wildcard-action detection; resolve cross-scope role
definitions so privileged principals aren't undercounted.
Frontend:
- scan-status no longer shows "Always scanned" before live data loads or on
fetch error — shows Checking…/Status unavailable; baseline (non-manageable)
services never render as "scanning off".
- surface connection-fetch errors instead of swallowing them as an empty list.
- shared EvidenceTaskRow + loadIntegrationPageData remove the duplicated row
markup and data-loading between the provider and per-service pages.
Tests: +6 regressions (RDS cluster evaluators, NSG all-ports range, UDP not
flagged as SSH, CloudTrail unknown-status, GCP PAP-inherited). 156 pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
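The protocol-gated "open to the internet" evaluation described in the commit above (SSH/RDP/DB flagged only on TCP or any-protocol rules, an explicit 0-65535 range treated like '*', and ::/0 counted as public alongside 0.0.0.0/0), written here as an added example; it is not code from the repository, and the normalized rule shape, the sensitive-port table and the severity are assumptions.

```typescript
// Added example (not the project's code). Pure evaluator in the style the
// commits describe: no I/O, so it can be unit-tested with constructed rules.
export type Protocol = 'tcp' | 'udp' | 'any';

export interface IngressRule {
  name: string;
  protocol: Protocol;   // assumption: AWS '-1' and Azure '*' are normalized to 'any' upstream
  ports: string[];      // '22', '1000-2000', '0-65535' or '*'
  sources: string[];    // CIDRs (IPv4 or IPv6) or Azure source tags
}

export interface Finding {
  rule: string;
  severity: 'high';
  title: string;
  // Evidence carries the value that drove the verdict, not just the resource id.
  evidence: { protocol: Protocol; sources: string[]; ports: string[] };
}

// Both the IPv4 and the IPv6 "anywhere" prefixes are public; '*' and 'Internet'
// are Azure's spellings of the same thing.
const PUBLIC_SOURCES = ['0.0.0.0/0', '::/0', '*', 'Internet'];

// Assumed port table for the SSH/RDP/DB classes mentioned in the commit.
const SENSITIVE_PORTS: Array<[number, string]> = [
  [22, 'SSH'], [1433, 'MSSQL'], [3306, 'MySQL'], [3389, 'RDP'], [5432, 'PostgreSQL'],
];

// Parse one port spec into an inclusive [lo, hi] range; null when malformed,
// so a garbled spec is skipped rather than misread as a narrow range.
export function parsePortRange(spec: string): [number, number] | null {
  const s = spec.trim();
  if (s === '*') return [0, 65535];
  const m = /^(\d{1,5})(?:-(\d{1,5}))?$/.exec(s);
  if (!m) return null;
  const lo = Number(m[1]);
  const hi = m[2] === undefined ? lo : Number(m[2]);
  if (lo > hi || hi > 65535) return null;
  return [lo, hi];
}

export function evaluateIngress(rules: IngressRule[]): Finding[] {
  const findings: Finding[] = [];
  for (const rule of rules) {
    const publicSources = rule.sources.filter((s) => PUBLIC_SOURCES.indexOf(s) !== -1);
    if (publicSources.length === 0) continue;
    const ranges = rule.ports
      .map(parsePortRange)
      .filter((r): r is [number, number] => r !== null);
    const evidence = { protocol: rule.protocol, sources: publicSources, ports: rule.ports };

    // An explicit full range is "all ports" just like '*'.
    if (ranges.some(([lo, hi]) => lo === 0 && hi === 65535)) {
      findings.push({ rule: rule.name, severity: 'high', title: 'All ports open to the internet', evidence });
      continue;
    }
    // Management/DB ports only matter on TCP: a UDP-only rule on 22 is not SSH.
    if (rule.protocol === 'udp') continue;
    for (const [port, service] of SENSITIVE_PORTS) {
      if (ranges.some(([lo, hi]) => lo <= port && port <= hi)) {
        findings.push({ rule: rule.name, severity: 'high', title: `${service} (${port}) open to the internet`, evidence });
      }
    }
  }
  return findings;
}
```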
…iles
Proactive hardening from an adversarial audit of every cloud check file —
applies the same patterns cubic established (per-item resilience, fail-closed
on unverified reads, scoped resourceIds, no silent truncation) to the files it
hadn't deep-reviewed, so they don't surface as the next review round:
- AWS EC2 + RDS: wrap each region in try/catch so one opted-out / restricted /
throttled region no longer aborts the whole scan (matches the GCP per-project
fix). RDS instance/cluster resourceIds are now region-scoped
(`${region}/${id}`) — RDS identifiers are user-chosen and only unique per
region, so same-named DBs across regions previously collided.
- AWS CloudTrail: an otherwise-compliant trail whose GetTrailStatus can't be
read now emits a "could not verify" failure instead of nothing — consistent
with the error-reads-never-silent-pass rule applied to Azure monitor/sql/
entra-id; an unverified control must not be recorded as satisfied.
- GCP project auto-discovery: paginate via nextPageToken (bounded, warns at the
cap) instead of evaluating only the first 50 projects and silently dropping
the rest, which would yield false "all clean" evidence for unscanned projects.
Audit confirmed the remaining candidates were already handled (gcpListItems
paginates + warns; Azure SSE is always-on; diagnosticSettings don't paginate;
NSG loop has no per-item I/O). Tests: +1 discovery-pagination regression, +1
cloudtrail unverified-status regression updated. 157 pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…mits
- GCP Cloud Storage public-access: uniform bucket-level access alone does NOT prevent public access — a bucket is public if its IAM policy grants allUsers/allAuthenticatedUsers. Now reads each bucket's IAM policy: publicAccessPrevention 'enforced' passes definitively (no IAM read); a public IAM member fails (high); an unreadable policy fails "could not verify" (never a silent pass); UBLA-disabled remains a medium finding (object ACLs can't be verified from the bucket policy). Keeps the round-4 fix of not failing on publicAccessPrevention 'inherited' alone.
- AWS EC2 + RDS: a per-region read failure was logged but swallowed, so a total (or partial) read failure could end with no findings — a silent clean run. Now each failed region is surfaced as a medium "could not verify" failure (EC2 inline; RDS via failUnverifiedRegions over both instance and cluster scans), consistent with the error-reads-never-silent-pass rule. session.regions is the customer-configured region set, so this only fires on genuine failures.
Tests: +3 storage regressions (allUsers→fail high, PAP-enforced→pass without IAM read, IAM-read-error→could-not-verify); discovery test updated for per-bucket resourceId. 160 pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ings' into worktree-cloud-posture-task-mappings
… of 5) Reviewed the 5 findings from cubic's review of the merge commit; fixed the 4 genuine ones (the 5th is a deliberate design choice, see below):
- GCP project auto-discovery (P1): dropped the org/parent filter. A `parent.id` filter without `parent.type` is ambiguous AND silently excludes folder-nested projects — both drop projects that should be scanned. Now lists every active accessible project (lifecycleState:ACTIVE), paginated; users scope via project_ids. Removes the org-search round-trip entirely.
- AWS S3 (P2): indeterminate buckets (encryption / Block-Public-Access read failed) were filtered out, so an all-unreadable account passed with no findings. Both evaluators now emit a medium "could not verify" per indeterminate bucket instead of dropping it — consistent with the error-reads-never-silent-pass rule used for EC2/RDS/CloudTrail.
- Azure subscription auto-detect (P2): no longer falls back to the first subscription regardless of state (could be Disabled/PastDue → failing calls); selects an Enabled subscription or returns null so the check no-ops cleanly.
- ServiceCard (P2): URL-encode the dynamic path/query segments of the service detail link.
Deferred (P3): the AWS STS assume-role "duplication" — the cited helper (aws/helpers/aws-client.ts) is pre-existing, used by no check, and returns pre-built service clients with a legacy access-key branch; the per-region checks intentionally use their own raw-credential helper. Coupling them would be worse, and independent copies are the agreed design.
Tests: +1 S3 all-indeterminate regression; encryption test updated. 161 pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-error states)
- ServiceDetailView (P2, security): the Cloud Tests scanning toggle had no RBAC
gate, so a view-only user could flip a setting the API restricts to
integration:update. Now gated with usePermissions().hasPermission('integration',
'update') — users without it see a read-only "Scanning on/off" status; the
toggle handler also early-returns without the permission.
- ServiceDetailView (P2, UX): status showed "Checking…" forever when the
provider has no active connection (null connectionId was treated as loading).
Added an explicit "Not connected" state and split loading/error/baseline.
- AWS KMS (P1): the rotation check returned with no findings when rotation
status was unreadable for all eligible keys — masking a permission gap as a
clean run. Now each eligible key emits an outcome; unreadable status →
medium "could not verify". Only no-ops when there are no eligible keys.
- AWS CloudTrail (P1): a failed DescribeTrails in every region produced an
empty trail list, which evaluated to a false high "No CloudTrail configured".
Now tracks failed regions and, when no trails were found AND a region failed,
reports a medium "could not verify" instead of a fabricated finding.
Tests: KMS test updated + all-unreadable regression; +1 KMS regression. 162 pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ings' into worktree-cloud-posture-task-mappings
…alse verdict Adversarial sweep of every check run()/helper against the verified engine contract (an uncaught throw → status 'error' → task 'failed' [visible]; a run that emits NO outcomes → task status UNCHANGED [silent/stale]). Fixes the real silent-pass paths and converts read-error aborts into explicit "could not verify" findings so a permission/transient failure can never read as compliant:
GCP (the genuine silent passes — per-project catch emitted ctx.warn + skipped, so an all-projects-failed run left the task stale):
- vpc-open-firewalls, storage-public-access, cloud-sql-backups, cloud-sql-ssl, iam-primitive-roles: per-project catch now emits a project-scoped "could not verify" ctx.fail instead of warn-and-continue.
AWS:
- New resolveAwsSessionOrFail() wraps STS AssumeRole: an assume-role failure now emits "could not assume AWS role" (could-not-verify) instead of aborting; wired into all 6 AWS checks.
- Top-level list reads that previously threw uncaught now surface could-not-verify: iam GetAccountSummary, kms ListKeys (per region), s3 ListBuckets (both checks). kms DescribeKey failures already tracked as unreadable.
Azure:
- New armListAllOrFail() emits "could not verify <resource>" (and returns null) when the primary ARM list throws; wired into storage (×3), sql (×3), key-vault, network, and entra-id (role assignments + definitions). Each caller now guards on null and stops rather than aborting the check.
Tests: +2 GCP regressions (storage/vpc project-read failure → could not verify, not a silent pass). 164 pass. Build clean.
Pre-existing (NOT changed here — flagged separately, out of this PR's scope): GcpProjectPicker RBAC gate, ActivitySection/provider.id URL encoding — they live in pre-existing cloud-tests components this PR does not modify.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- IAM: split evaluateIamAccount into evaluatePasswordPolicy + evaluateAccountSummary. run() now emits the password-policy findings BEFORE the account-summary read, so a GetAccountSummary failure surfaces "could not verify" without discarding the already-obtained password-policy findings (independent evaluations).
- KMS: the "Could not verify KMS keys" finding now reports ListKeys (region) and DescribeKey (key) failures distinctly, and the remediation includes kms:ListKeys. Previously all entries were attributed to "DescribeKey failed".
Tests: +1 IAM regression (password-policy evaluation stands alone). 165 pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…il region, tag per-service checks Addresses the cubic review of 63dab6d (and the prior d59e4c7 review).
- gcp/iam-primitive-roles: a project whose own getIamPolicy read failed was silently skipped (getBindings swallows the throw → null → `continue` with no outcome), leaving the RBAC task stale-passing. Now fails closed with a "could not verify" finding via a shared helper (reused by the outer per-project catch). Real P1 (identified by cubic).
- aws/cloudtrail: query GetTrailStatus against the trail's home region instead of the scan-region client. Hardening — the ARN-based read works cross-region per AWS shadow-trail docs (and Prowler), and a failure was already caught as a safe "could not verify"; home-region removes the ambiguity. (cubic finding; the stated false-failure does not occur, but home-region is unambiguously correct.)
- connections per-service task counts: buildServiceTaskMappings groups checks by `service` === serviceId, but Vercel/Aikido/Google-Workspace checks were untagged, so their service cards showed 0 evidence tasks. Tag those 7 checks with their service id (every other multi-service provider already tags its checks). Real P2 (identified by cubic).
- Add a manifest-integrity test: every check in a service-defining manifest must be tagged with a real service id (prevents this regression recurring), plus a GCP regression test for the project-policy read failure.
cubic's page.tsx connectionId finding is a false positive — ServiceDetailView already validates the URL id against the provider's connections and falls back to the active connection.
203 package tests pass; tsc build clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ac wildcard scan Addresses the cubic review of cdde662.
- azure/entra-id (rbacLeastPrivilegeCheck): the wildcard custom-role scan only iterated the subscription-scope `definitions` list, so a wildcard CustomRole defined at a management-group/resource-group scope and assigned into the subscription was missed — the privileged-assignment path already resolves those out-of-scope defs (resolvedDefs) but the wildcard path ignored them. Worst case: a role whose wildcard is a mid-path/dataActions-only action (not high-privilege) is missed by BOTH paths. Now scans the union of `definitions` + `resolvedDefs` (deduped by id). Real P2 (identified by cubic).
- Add regression tests: MG-scoped wildcard role flagged; SQL firewall read failure fails closed with a medium "Could not read SQL firewall rules" (guards the earlier false-pass finding); off-host nextLink is not followed (guards the earlier bearer-token-exposure finding).
Verified NOT bugs / dismissed (with evidence):
- gcp/shared.ts empty project_ids: cubic applied the cloud-security convention ([]=scan nothing) to integration-platform, where the convention is the opposite ("leave empty = check all"); honoring [] here would create the exact silent stale-pass the engine contract forbids. Left as-is.
- aws/shared.ts STS "duplication" (P3): the existing createAWSClients helper is dead code (no callers), architecturally unfit for reuse, and reusing it would regress the engine-contract-compliant error handling. Left as-is.
- page.tsx connectionId, azure sql firewall->[], azure nextLink token exposure, ipv6 ::/0 across gcp/aws/azure, azure monitor partial-eval: all already fixed in current code (re-verified).
206 package tests pass; tsc build clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…appings feat(integrations): cloud services (AWS/GCP/Azure) as evidence integrations
3 issues found across 51 files
Confidence score: 2/5
- There is a high-confidence security concern in packages/integration-platform/src/manifests/azure/checks/shared.ts: armListAll validates nextLink but not the initial url, which can weaken SSRF/token-leakage protections on the first fetch. packages/integration-platform/src/manifests/aws/checks/s3.ts has concrete user-impact risk: account-level S3 BPA read failures may be reported as high-severity bucket failures instead of an unverified state, which can mislead operators. apps/app/src/app/(app)/[orgId]/integrations/[slug]/page.tsx drops tasksErrored, so task-load errors can appear as “Not added,” reducing UI accuracy during failures.
- Pay close attention to packages/integration-platform/src/manifests/azure/checks/shared.ts, packages/integration-platform/src/manifests/aws/checks/s3.ts, apps/app/src/app/(app)/[orgId]/integrations/[slug]/page.tsx - security validation parity, failure-state classification, and error-state rendering need verification before merge.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="apps/app/src/app/(app)/[orgId]/integrations/[slug]/page.tsx">
<violation number="1" location="apps/app/src/app/(app)/[orgId]/integrations/[slug]/page.tsx:18">
P2: Provider detail page drops `tasksErrored`, causing task-load failures to be misreported as “Not added.”</violation>
</file>
<file name="packages/integration-platform/src/manifests/azure/checks/shared.ts">
<violation number="1" location="packages/integration-platform/src/manifests/azure/checks/shared.ts:46">
P1: Initial `url` in `armListAll` is not validated as an ARM URL before the first fetch, while `nextLink` is. The same SSRF/token-leakage protection should apply to the initial request.</violation>
</file>
P1: Initial url in armListAll is not validated as an ARM URL before the first fetch, while nextLink is. The same SSRF/token-leakage protection should apply to the initial request.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/azure/checks/shared.ts, line 46:
<comment>Initial `url` in `armListAll` is not validated as an ARM URL before the first fetch, while `nextLink` is. The same SSRF/token-leakage protection should apply to the initial request.</comment>
<file context>
@@ -0,0 +1,96 @@
+ let nextUrl: string | undefined = url;
+ let pages = 0;
+ while (nextUrl && pages < 50) {
+ const data: { value?: T[]; nextLink?: string } = await ctx.fetch(nextUrl);
+ if (Array.isArray(data.value)) out.push(...data.value);
+ nextUrl = data.nextLink;
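Review bot: `url` reaches `ctx.fetch(nextUrl)` on the first iteration without the ARM-host check that `nextLink` gets later, so the guard against sending the bearer token off-host only covers pages two onward. Move the host validation to the top of the `while` body so it runs on `nextUrl` before every `ctx.fetch(nextUrl)`, including the first; and when the `pages < 50` cap ends the loop with `nextUrl` still set, emit a warning so the truncation is not silent.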
</file context>
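A fail-closed version of the pager under discussion, written here as an added example rather than taken from the repository: the initial URL and every nextLink go through the same host check before any fetch, a thrown read becomes a "could not verify" outcome instead of an abort, and hitting the page cap is warned about. The `Ctx` shape, the ARM host constant, the outcome shape and the page cap are assumptions.

```typescript
// Added example (not the project's code): an ARM list pager that never
// fetches off-host and never ends a failed read with no outcome.
export interface Outcome {
  status: 'fail';
  severity: 'medium';
  title: string;
  evidence: Record<string, unknown>;
}

// Assumed check context: fetch attaches the bearer token, fail records an outcome.
export interface Ctx {
  fetch: (url: string) => Promise<unknown>;
  warn: (message: string) => void;
  fail: (outcome: Outcome) => void;
}

export interface ArmPage<T> { value?: T[]; nextLink?: string }

const ARM_HOST = 'management.azure.com';   // assumption: single allowed host
const MAX_PAGES = 50;                       // assumption: same cap as the hunk

// Pure guard applied to the initial URL and to every nextLink alike. An exact
// hostname comparison (not a prefix or substring test) rejects both
// "https://management.azure.com@evil.example/…" (userinfo trick) and
// "https://management.azure.com.evil.example/…" (subdomain trick).
export function isArmUrl(raw: string): boolean {
  let u: URL;
  try {
    u = new URL(raw);
  } catch {
    return false;
  }
  return u.protocol === 'https:' && u.hostname === ARM_HOST && u.username === '' && u.password === '';
}

export function couldNotVerify(resource: string, reason: string, url: string): Outcome {
  return { status: 'fail', severity: 'medium', title: `Could not verify ${resource}`, evidence: { reason, url } };
}

// Returns every item, or null after emitting a "could not verify" outcome so the
// caller stops. An off-host link, a thrown read and a page-cap truncation each
// leave a visible trace; nothing is silently dropped.
export async function armListAllOrFail<T>(ctx: Ctx, url: string, resource: string): Promise<T[] | null> {
  const out: T[] = [];
  let nextUrl: string | undefined = url;
  let pages = 0;
  while (nextUrl && pages < MAX_PAGES) {
    if (!isArmUrl(nextUrl)) {
      ctx.fail(couldNotVerify(resource, 'list URL is not on the ARM host', nextUrl));
      return null;
    }
    let data: ArmPage<T>;
    try {
      data = (await ctx.fetch(nextUrl)) as ArmPage<T>;
    } catch (err) {
      const reason = err instanceof Error ? err.message : String(err);
      ctx.fail(couldNotVerify(resource, `read failed: ${reason}`, nextUrl));
      return null;
    }
    if (Array.isArray(data.value)) out.push(...data.value);
    nextUrl = data.nextLink;
    pages += 1;
  }
  if (nextUrl) ctx.warn(`${resource}: stopped after ${MAX_PAGES} pages; remaining results were not evaluated`);
  return out;
}
```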
P2: Provider detail page drops tasksErrored, causing task-load failures to be misreported as “Not added.”
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/app/src/app/(app)/[orgId]/integrations/[slug]/page.tsx, line 18:
<comment>Provider detail page drops `tasksErrored`, causing task-load failures to be misreported as “Not added.”</comment>
<file context>
@@ -28,28 +15,13 @@ export default async function ProviderDetailPage({ params, searchParams }: PageP
- serverApi.get<ConnectionListItemResponse[]>('/v1/integrations/connections'),
- serverApi.get<TaskApiResponse>('/v1/tasks'),
- ]);
+ const { provider, providerErrored, connections, taskTemplates } =
+ await loadIntegrationPageData(slug, { sortTasks: true });
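Review bot: the destructuring `const { provider, providerErrored, connections, taskTemplates } = await loadIntegrationPageData(slug, { sortTasks: true });` keeps the provider error flag but drops the task-load one, so a failed task read (previously its own `serverApi.get<TaskApiResponse>('/v1/tasks')` call) can only show up as an empty template list, which the page renders as "Not added". Destructure `tasksErrored` as well and render an explicit error state when it is set, matching how `providerErrored` is handled.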
</file context>
… not portal={false}
portal={false} fixed the insta-close but mis-positioned the popup to the
bottom-right corner: rendering inline put its `position: fixed` inside the Radix
DialogContent, which is centered with a CSS transform — and a transformed
ancestor becomes the containing block for fixed descendants.
Root mechanism: Radix's dismissable-layer sets `body { pointer-events: none }`
for modal dialogs. The DS Select popup portals to body, inherits none, so its
mouseup passes through and base-ui cancels the open ("insta-closes").
Keep the popup portaled (so it stays anchored to the trigger) and set
`style={{ pointerEvents: 'auto' }}` on it so it's clickable despite the body
lock. Harmless in the DS Sheet consumer (AccountSettingsSheet), which doesn't
lock body pointer-events. Updates the regression test accordingly.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…n-position fix(integrations): anchor config dropdown to its field (follow-up to #3005)
…k outcomes
The AWS IAM check showed pass/fail rows with no "View Evidence" expander because
several outcomes attached no evidence. The frontend (TaskIntegrationChecks)
already renders "View Evidence" for any outcome with a non-empty evidence
object, so the gap was purely in the checks.
Audited evidence coverage across all checks: GCP, Azure, and AWS s3/ec2/rds/kms
already attach evidence to every outcome. Only iam.ts (5 of 8 outcomes) and one
cloudtrail.ts outcome were missing it.
Attach meaningful evidence:
- iam: "No IAM password policy" -> { passwordPolicyConfigured: false }; root MFA
enabled/disabled -> { accountMFAEnabled }; root access keys present/absent ->
{ accountAccessKeysPresent }. (Weak/strong password policy already included the
policy object.)
- cloudtrail: "No CloudTrail configured" -> { trailsFound: 0 }.
Add tests asserting every IAM password-policy and root-summary outcome, plus the
"No CloudTrail configured" outcome, carry non-empty evidence so the UI shows
"View Evidence". 214 package tests pass; build clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…down fix(app): keep integration check dropdowns open
… on every check outcome
Comprehensive evidence-quality pass across all providers. Previously many
outcomes attached only a resource id (e.g. KMS { keyId, region }, Azure passes
with just an account/vault name) — present but THIN: an auditor couldn't see the
value that drove the pass/fail. One Azure monitor fail had empty evidence {}.
Audited every outcome in every check against: evidence must show (1) the
resource/scope AND (2) the value that determined the verdict. Enriched the thin
ones (proof for passes, the offending value for fails):
- AWS: s3 (encrypted, BPA flags), ec2 (offending protocol/cidrs/ports), rds
(encrypted, backupRetentionDays), kms (rotationEnabled), cloudtrail
(multiRegion/logging/logValidation per trail).
- GCP: cloud-sql (backupsEnabled, sslMode/requireSsl), storage (publicMembers,
uniformBucketLevelAccess), iam-primitive-roles (scopesEvaluated, count).
- Azure: entra-id (threshold, principal ids/types, wildcard actions), storage
(https/tls/public/encryption flags), sql (publicNetworkAccess, reason,
firewallRuleCount, auditing state), key-vault (softDelete/purge/rbac flags),
network (exposure/sources/ports/protocol, rules evaluated), monitor
(configured vs recommended ops, export destinations, settings count).
GCP/Azure/AWS s3/ec2/rds/kms were already 100% present; this makes the CONTENT
meaningful. Build clean; 215 package tests pass (added determining-value
assertions for S3 encryption + KMS rotation; the IAM/CloudTrail evidence
regression tests remain).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ofik/aws-check-evidence
…h enabled logs Addresses the cubic review of #3011. The "Diagnostic log export configured" evidence flagged exportsToLogAnalytics/Storage/EventHub on destination presence across all settings, but the pass verdict (hasExport) requires a destination AND an enabled log category. So a setting with a destination but disabled logs could make the evidence claim that destination exports when it doesn't — a misleading pass rationale. Gate each destination flag on the same enabled-logs condition via a shared hasEnabledLogs helper (also used by hasExport) so the evidence reflects what actually exports. Build clean; 215 tests pass. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ofik/aws-check-evidence
fix(integration-platform): meaningful "View Evidence" on every check outcome (all providers)
fix(integrations): refresh oauth tokens during checks
🎉 This PR is included in version 3.68.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Expose AWS, GCP, and Azure services as evidence integrations mapped to tasks, add a per‑service page linking checks to the tasks they satisfy, hide tasks not added to the org, align service‑card evidence counts with org tasks, refresh OAuth tokens during checks, and enrich evidence details across all outcomes.
New Features
- `mappedTasks` on `IntegrationProviderResponse.services`.
- `EvidenceTaskRow`, `loadIntegrationPageData`, and task-template mapping with clear loading/error states.
Bug Fixes
- … regions); controllers pass decrypted credentials unchanged; runtime types accept `string | string[]` (removed the flattener).
- `SECURITY_HUB_ROLE_ASSUMER_ARN`.
- `pointerEvents: 'auto'`.
- `scope` and provider `tokenParams` to refresh/get-token; guard reserved refresh params; new `ensure-valid-credentials` trigger with a 30-second timeout to avoid hanging calls.
Written for commit a080ec8. Summary will update on new commits.
regions); controllers pass decrypted credentials unchanged; runtime types acceptstring | string[](removed the flattener).SECURITY_HUB_ROLE_ASSUMER_ARN.pointerEvents: 'auto'.scopeand providertokenParamsto refresh/get‑token; guard reserved refresh params; newensure‑valid‑credentialstrigger with a 30‑second timeout to avoid hanging calls.Written for commit a080ec8. Summary will update on new commits.