US51939: Added malware scan workflow #67
Conversation
if: always() | ||
uses: aws-actions/configure-aws-credentials@v2 | ||
with: | ||
role-to-assume: arn:aws:iam::522637239241:role/s3-avscan-upload |
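Review bot: `role-to-assume` hard-codes the AWS account ID and role name into a workflow that will be published in a public repository; read the ARN from a repository secret or variable instead, e.g. `role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}`, so it is not shipped with the source. Whether or not the ARN is visible, the control that actually limits who can use the role is the trust policy's condition on the OIDC `sub` claim (this repository, this branch), so that condition should be verified as part of this review rather than relying on the ARN staying private. Separately, `if: always()` means the credential step runs even when an earlier step failed or was cancelled; if the upload is only meaningful after a completed scan, narrow it to `if: success()` or to the scan step's outcome. Since this action is the step that exchanges the OIDC token for AWS credentials, consider pinning `aws-actions/configure-aws-credentials` to a commit SHA rather than the floating `@v2` tag.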
Are these HPE AWS roles? If yes, are we fine to put them in public repos?
Yes, they are HPE's AWS roles. I asked the same question of the security guy who suggested this, but he has not replied back. So, if they come back saying we shouldn't, then we can keep them in secrets. Or what do you suggest?
These repos are open to the public and can be accessed by anyone. I do not recommend exposing any users in public repos. We are essentially exposing our AWS account ID and then the roles. @reubenur-rahman, do you have any suggestions here?
From the Security team: This should be OK because our OIDC role and policy only allow posting the results to the bucket, and even though the repo is public, a peer-reviewed pull request would still be required; being public is all the more reason to run the scan. I have approved the PR.
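The Security team's argument above rests on two properties of the role, not on the ARN being secret: the trust policy must only let this repository's reviewed branch assume it, and the permissions policy must only allow uploading results to the bucket. The script below is an added example, not code from this PR or from HPE, that checks both properties statically against an IAM trust policy and permissions policy document. All policy documents, the account ID `123456789012`, the repository `example-org/example-repo` and the bucket `example-avscan-results` are constructed placeholders for illustration.

```python
"""Static audit of an IAM role that a public GitHub Actions workflow assumes via OIDC.

Added example: checks that the role's trust policy is pinned to one repository and
branch, and that its permissions policy only allows uploading objects into the
scan-results bucket. Every policy below is a constructed placeholder, not a real one.
"""
import fnmatch
import json

OIDC = "token.actions.githubusercontent.com"  # GitHub's OIDC provider hostname


def _as_list(value):
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(trust: dict, expected_sub: str) -> list:
    """Findings on who may call sts:AssumeRoleWithWebIdentity on the role."""
    findings = []
    saw_oidc_statement = False
    for stmt in trust.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        saw_oidc_statement = True
        cond = stmt.get("Condition", {})
        # aud must be pinned, otherwise a token minted for another audience is accepted
        if cond.get("StringEquals", {}).get(f"{OIDC}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        # sub identifies repo and ref; it may appear under StringEquals or StringLike
        subs = _as_list(cond.get("StringEquals", {}).get(f"{OIDC}:sub")) + \
               _as_list(cond.get("StringLike", {}).get(f"{OIDC}:sub"))
        if not subs:
            findings.append("no sub condition: any GitHub workflow could assume the role")
        elif not any(fnmatch.fnmatchcase(expected_sub, pat) for pat in subs):
            findings.append(f"sub patterns {subs} do not cover {expected_sub}")
        else:
            for pat in subs:
                if "*" in pat:  # IAM StringLike '*' matches any run of characters
                    findings.append(
                        f"wildcard sub {pat!r}: every branch of matching repos, "
                        "not only the reviewed one, can assume the role")
    if not saw_oidc_statement:
        findings.append("no statement allows sts:AssumeRoleWithWebIdentity")
    return findings


def check_permissions_policy(policy: dict, bucket_arn: str) -> list:
    """Findings on what the role can do once assumed: only PutObject into the bucket."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource grants are broader than an allow-list")
        for action in _as_list(stmt.get("Action")):
            if action != "s3:PutObject":
                findings.append(f"action beyond result upload: {action}")
        for res in _as_list(stmt.get("Resource")):
            if not res.startswith(bucket_arn + "/"):
                findings.append(f"resource outside results bucket: {res}")
    return findings


def audit_role(trust: dict, perms: dict, expected_sub: str, bucket_arn: str) -> dict:
    """Combine both checks; empty lists mean the role is scoped as claimed."""
    return {
        "trust": check_trust_policy(trust, expected_sub),
        "permissions": check_permissions_policy(perms, bucket_arn),
    }


# Constructed sample inputs (hypothetical org, repo, account and bucket).
EXPECTED_SUB = "repo:example-org/example-repo:ref:refs/heads/main"
BUCKET_ARN = "arn:aws:s3:::example-avscan-results"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + OIDC

GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com",
                                   f"{OIDC}:sub": EXPECTED_SUB}}}]}
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": PROVIDER_ARN},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {f"{OIDC}:sub": "repo:example-org/*"}}}]}
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:PutObject",
    "Resource": BUCKET_ARN + "/scan-results/*"}]}
WEAK_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(audit_role(GOOD_TRUST, GOOD_PERMS, EXPECTED_SUB, BUCKET_ARN), indent=2))
    print(json.dumps(audit_role(WEAK_TRUST, WEAK_PERMS, EXPECTED_SUB, BUCKET_ARN), indent=2))
```

Run against a real role, the two documents come from `aws iam get-role` (the `AssumeRolePolicyDocument` field) and `aws iam get-role-policy` / `get-policy-version`; the script deliberately stays offline and takes them as parsed JSON. The wildcard check matters for the "peer-reviewed pull request" argument: a `sub` of `repo:org/repo:*` lets a workflow on any branch of the repository assume the role, so pinning to `ref:refs/heads/main` is what ties the upload to reviewed code.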