… + auto-remediation
Customer-reported: AWS auto-remediation for "AWS Config recorder not fully
active" generated empty configs, the Retry button did nothing, and applying a
generated fix failed and fell back to dated manual steps. Root cause: the
entire Config check + auto-fix assumed the legacy `recordingGroup.allSupported`
model, but the customer's recorder uses AWS's current model ("Record all
resource types with customizable overrides" = recordingStrategy /
exclusionByResourceTypes).
- config.adapter: the recorder check now treats
recordingStrategy.useOnly === 'ALL_SUPPORTED_RESOURCE_TYPES' (and legacy
allSupported) as "records all", eliminating false positives on the new
model. Genuine EXCLUSION/INCLUSION recorders stay flagged.
- config.adapter: remediation guidance now produces an AWS-valid call —
read the existing recorder, then PutConfigurationRecorder with a clean
recordingGroup { allSupported: true, includeGlobalResourceTypes: true } and
NO recordingStrategy/exclusionByResourceTypes/resourceTypes (those are
mutually exclusive with allSupported and trigger a ValidationException). This
also records the global IAM resource types the customer was missing.
- aws-command-executor: deterministic guardrail (normalizeConfigRecordingGroup)
collapses any all-supported-intent PutConfigurationRecorder to the single
valid shape right before the SDK call, regardless of what the AI emits.
- remediation.service: never cache an empty / non-auto-fixable plan and drop
the stale entry on execute — this is what made "Retry" a guaranteed no-op
(it reloaded the same dead plan). Retry now regenerates.
- ai-remediation.service: generateFixPlan retries once at a higher temperature
when the first pass yields zero fix steps (temp 0 would reproduce it).
- prompts: discourage S3 ACL steps (cause of empty plans), reinforce the valid
Config recorder call, and base manual steps on the current AWS Console.
- RemediationDialog: disable "Apply Fix" on an empty plan and explain why.
Tests: new config.adapter.spec, recordingGroup-normalizer and retry-on-empty
cases; full cloud-security jest suite green (288 passing).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
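The recorder check and the `normalizeConfigRecordingGroup` guardrail the commit above describes, written here as an added example (not the project's own code). The `RecordingGroup` type is hand-written to mirror the AWS Config API fields named in the commit; the real `@aws-sdk/client-config-service` types are not imported.

```typescript
// Added example: a "records all" check that accepts both the legacy
// allSupported flag and the current recordingStrategy model, and a
// normalizer that collapses any all-supported intent into the single
// recordingGroup shape PutConfigurationRecorder accepts.

interface RecordingGroup {
  allSupported?: boolean;
  includeGlobalResourceTypes?: boolean;
  resourceTypes?: string[];
  exclusionByResourceTypes?: { resourceTypes?: string[] };
  recordingStrategy?: { useOnly?: string };
}

// Adapter-side check. A recorder on the current model reports its intent via
// recordingStrategy.useOnly; a legacy recorder via allSupported. Only
// ALL_SUPPORTED_RESOURCE_TYPES (or legacy allSupported: true) counts as
// "records all"; EXCLUSION_BY_RESOURCE_TYPES / INCLUSION_BY_RESOURCE_TYPES
// recorders remain findings.
export function recordsAllResourceTypes(group: RecordingGroup | undefined): boolean {
  if (!group) return false;
  const strategy = group.recordingStrategy?.useOnly;
  if (strategy !== undefined) return strategy === 'ALL_SUPPORTED_RESOURCE_TYPES';
  return group.allSupported === true;
}

// Executor-side guardrail, applied right before the SDK call. allSupported is
// mutually exclusive with recordingStrategy, exclusionByResourceTypes and
// resourceTypes (AWS returns a ValidationException if they are combined), so
// an all-supported intent is rewritten to exactly the valid shape, including
// the global IAM resource types. Explicit INCLUSION/EXCLUSION recorders are
// passed through untouched because they are not an all-supported intent.
export function normalizeConfigRecordingGroup(group: RecordingGroup): RecordingGroup {
  if (!recordsAllResourceTypes(group)) return group;
  return { allSupported: true, includeGlobalResourceTypes: true };
}
```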
The Retry-no-op and empty-plan bugs fixed for AWS also existed in the separate GCP and Azure remediation paths (own services + own planCache + own generators). Bring them to parity.
GCP (gcp-remediation.service.ts):
- isUsablePlan guard: never cache an empty / non-auto-fixable plan; on execute, only reuse a fresh AND usable cached plan and drop the stale entry otherwise (was the Retry no-op — execute reloaded the same dead plan).
Azure (azure-remediation.service.ts):
- Same isUsablePlan cache guard on preview + execute.
- Delete the cached plan in the execute catch block so Retry regenerates.
- If the refined plan flips canAutoFix to false, return guided steps instead of a misleading auto-fix preview.
GCP + Azure generators (ai-remediation.service.ts):
- generateGcpFixPlan / generateAzureFixPlan now retry once at a higher temperature when the first pass yields zero fix steps (temp 0 reproduces it).
Tests: GCP/Azure empty-plan retry cases added; full cloud-security jest suite green (292 passing). Typecheck clean for all changed files.
Note (flagged, NOT changed here — separate scope / higher risk):
- GCP/Azure scanners swallow per-adapter/per-scope errors (return [] on failure), so a real API/permission failure can look like "0 findings".
- GCP Cloud SQL databaseFlags is a REPLACE op with no guard that all existing flags are preserved; disabling public IP has no private-IP precondition check.
These are real but need their own design + tests before touching.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…y + retry selection
- ai-remediation.prompt.ts: use bare AWS SDK command names (with the service named separately) in the new S3 + Config guidance, matching the OUTPUT RULES schema — the prior "s3:PutPublicAccessBlockCommand" / "config-service:..." shorthand could nudge the model to emit a service-prefixed (invalid) command value. Add the missing "Command" suffix to GetBucketPolicy. Remove PutBucketAcl from the "permissions you need" chain so it no longer contradicts the new "never use ACLs" rule.
- ai-remediation.service.ts: the empty-plan retry now prefers a retry that is usable OR correctly canAutoFix=false (routes to guided steps) instead of discarding it and returning the original empty canAutoFix=true plan. Applied to AWS, GCP, and Azure generators.
- Test: retry prefers a non-auto-fixable result.
cloud-security jest suite green (293 passing); changed files typecheck clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ediation-fix fix(cloud-security): AWS Config new recording model + GCP/Azure remediation robustness
🎉 This PR is included in version 3.70.4 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Fixes empty auto-remediation plans and no-op Retries across AWS, GCP, and Azure, and adds support for AWS Config’s newer recording model to prevent false positives and failed fixes. Improves plan generation, caching, and UI so users get valid plans or guided steps and can successfully retry.
- recordingStrategy.useOnly === 'ALL_SUPPORTED_RESOURCE_TYPES' as “records all”; keep EXCLUSION/INCLUSION recorders flagged.
- Remediation guidance and executor normalize PutConfigurationRecorder to { allSupported: true, includeGlobalResourceTypes: true } without conflicting fields.
- canAutoFix=true but zero fix steps; prefer a non-auto-fixable retry to route to guided steps.
Written for commit 512d819. Summary will update on new commits.