{"id":31770017,"url":"https://github.com/jfrog/xray-aws-security-hub","last_synced_at":"2026-05-17T00:07:51.255Z","repository":{"id":45071897,"uuid":"511290613","full_name":"jfrog/xray-aws-security-hub","owner":"jfrog","description":"JFrog Xray's integration brings Xray’s security and license violations intel inside AWS Security Hub.","archived":false,"fork":false,"pushed_at":"2024-09-20T19:42:52.000Z","size":763,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":8,"default_branch":"main","last_synced_at":"2024-10-30T23:12:32.795Z","etag":null,"topics":["aws","aws-sam","aws-sam-cli","aws-security-hub","javascript","jfrog","jfrog-xray","lambda-functions"],"latest_commit_sha":null,"homepage":"https://jfrog.com/help/r/jfrog-integrations-documentation/xray-integration-with-aws-security-hub","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jfrog.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-07-06T21:01:18.000Z","updated_at":"2024-09-20T18:25:33.000Z","dependencies_parsed_at":"2023-02-08T08:15:34.574Z","dependency_job_id":"153c53b0-4c8e-4044-8f7e-579e62b893fc","html_url":"https://github.com/jfrog/xray-aws-security-hub","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/jfrog/xray-aws-security-hub","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fxray-aws-security-hub","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fxray-aws-security-hub/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fxray-aws-security-hub/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fxray-aws-security-hub/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jfrog","download_url":"https://codeload.github.com/jfrog/xray-aws-security-hub/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jfrog%2Fxray-aws-security-hub/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279002512,"owners_count":26083403,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-10T02:00:06.843Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-sam","aws-sam-cli","aws-security-hub","javascript","jfrog","jfrog-xray","lambda-functions"],"created_at":"2025-10-10T02:56:21.125Z","updated_at":"2025-10-10T02:56:25.744Z","avatar_url":"https://github.com/jfrog.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Xray AWS Security Hub Integration\n\nThis project contains source code and supporting files for a serverless application that you can deploy with the SAM CLI. It includes the following files and folders.\n\n- authorizer - Code for the application's Lambda function for API Gateway authorizer.\n- eventProcessor - Code for the application's Lambda function for processing Xray webhook event.\n- issueProcessor - Code for the application's Lambda function for processing Xray webhook issues in each event.\n- transformer - Code for the application's Lambda function for transforming Xray webhook issue into ASFF finding and import them into Security Hub.\n- events - Invocation events that you can use to invoke the functions.\n- envs - Environment variable files for testing the functions.\n- template.yaml - A template that defines the application's AWS resources.\n\nThe application uses several AWS resources, including Lambda functions and an API Gateway API. These resources are defined in the `template.yaml` file in this project. You can update the template to add AWS resources through the same deployment process that updates your application code.\n\nIf you prefer to use an integrated development environment (IDE) to build and test your application, you can use the AWS Toolkit.  \nThe AWS Toolkit is an open source plug-in for popular IDEs that uses the SAM CLI to build and deploy serverless applications on AWS. The AWS Toolkit also adds a simplified step-through debugging experience for Lambda function code. See the following links to get started.\n\n* [CLion](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)\n* [GoLand](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)\n* [IntelliJ](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)\n* [WebStorm](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)\n* [Rider](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)\n* [PhpStorm](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)\n* [PyCharm](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)\n* [RubyMine](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)\n* [DataGrip](https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/welcome.html)\n* [VS Code](https://docs.aws.amazon.com/toolkit-for-vscode/latest/userguide/welcome.html)\n* [Visual Studio](https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/welcome.html)\n\n## Deploy the application\n\nThe Serverless Application Model Command Line Interface (SAM CLI) is an extension of the AWS CLI that adds functionality for building and testing Lambda applications. It uses Docker to run your functions in an Amazon Linux environment that matches Lambda. It can also emulate your application's build environment and API.\n\nTo use the SAM CLI, you need the following tools.\n\n* SAM CLI - [Install the SAM CLI](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html)\n* Node.js - [Install Node.js 16](https://nodejs.org/en/), including the NPM package management tool.\n* Docker - [Install Docker community edition](https://hub.docker.com/search/?type=edition\u0026offering=community)\n\nTo build and deploy your application for the first time, run the following in your shell:\n\n```sh\nsam build\nsam deploy --guided\n```\n\nThe first command will build the source of your application. The second command will package and deploy your application to AWS, with a series of prompts:\n\n* **Stack Name**: The name of the stack to deploy to CloudFormation. This should be unique to your account and region, and a good starting point would be something matching your project name.\n* **AWS Region**: The AWS region you want to deploy your app to.\n* **Confirm changes before deploy**: If set to yes, any change sets will be shown to you before execution for manual review. If set to no, the AWS SAM CLI will automatically deploy application changes.\n* **Allow SAM CLI IAM role creation**: Many AWS SAM templates, including this example, create AWS IAM roles required for the AWS Lambda function(s) included to access AWS services. By default, these are scoped down to minimum required permissions. To deploy an AWS CloudFormation stack which creates or modifies IAM roles, the `CAPABILITY_IAM` value for `capabilities` must be provided. If permission isn't provided through this prompt, to deploy this example you must explicitly pass `--capabilities CAPABILITY_IAM` to the `sam deploy` command.\n* **Save arguments to samconfig.toml**: If set to yes, your choices will be saved to a configuration file inside the project, so that in the future you can just re-run `sam deploy` without parameters to deploy changes to your application.\n\n**Beware** that when `DeploymentEnvironment` parameter is set to `dev`, full HTTP requests/responses data are sent to CloudWatch Logs. This include the API authorization token (if set). You can manually switch this off with API Gateway Stage's 'Log full requests/responses data' setting.\n\nYou can find your API Gateway Endpoint URL in the output values displayed after deployment.\n\n### Deploy into VPC\n\nIf the application is required to be deployed in private VPC, it should be created and managed separately. There are several ways of doing that - \nin the console, using separate CFT or adding VPC resource to the SAM template directly. Check the following examples for the reference: \n- [JFrog CFT VPC template example](https://github.com/aws-quickstart/quickstart-jfrog-artifactory/blob/main/templates/jfrog-ami-vpc.template.yaml). \n- [AWS CFT VPC examples](https://github.com/awslabs/aws-cloudformation-templates/tree/master/aws/services/VPC).\n\nWhen VPC and VPC endpoint are created, please add following configuration to `AWS::Serverless::Api` resource:\n\n```yaml\nEndpointConfiguration:\n  Type: PRIVATE\n  VPCEndpointIds:\n    - vpce-123a123a\n    - vpce-321a321a\n```\n\n[AWS documentation](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-api-endpointconfiguration.html) for endpoint configuration.\n\n### Uninstall the application with SAM CLI\n\nRun `sam delete` to delete the application. \n\n**Note:** S3 bucket and DynamoDB, created by the application, won't be deleted automatically and require to be removed manually.\n\n## Package and Publish the application\n\nCreate a new S3 bucket (`jfrog-xray-aws-security-hub`) to store the SAM build artifact:\n\n```sh\naws cloudformation create-stack --stack-name xray-aws-security-hub-bucket --template-body file://cfts/serverless-application-repository-s3.yml --region us-west-1\n```\n\nYou can use `--parameters` option to override the S3 bucket name:\n\n```sh\naws cloudformation create-stack --stack-name xray-aws-security-hub-bucket --template-body file://cfts/serverless-application-repository-s3.yml --region us-west-1 --parameters ParameterKey=S3BucketName,ParameterValue=some-other-bucket-name\n```\n\nUpdate Serverless Repository application version in `Metadata::AWS::ServerlessRepo::Application::SemanticVersion` and `Globals::Function::Environment::Variables::APP_VERSION` in `template.yaml`\n\nUse the SAM CLI to first build and package this application then [publish it to Serverless Application Repository](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-template-publishing-applications.html#serverless-sam-template-publishing-applications-prerequisites)\n\n\u003e [!IMPORTANT]\n\u003e Make sure you are using the JFrog Seller account (595206835686) credential for publishing the application.\n\n```sh\nsam build\nsam package --output-template-file packaged.yaml --s3-bucket jfrog-xray-aws-security-hub-1 --region us-west-1\nsam publish --template packaged.yaml --region us-west-1\n```\n\n## Use the SAM CLI to build and test locally\n\nBuild your application with the `sam build` command.\n\n```sh\nsam build\n```\n\nThe SAM CLI installs dependencies defined in each Lambda's `package.json`, creates a deployment package, and saves it in the `.aws-sam/build` folder.\n\nTest a single function by invoking it directly with a test event. An event is a JSON document that represents the input that the function receives from the event source. Test events are included in the `events` folder in this project.\n\nRun functions locally and invoke them with the `sam local invoke` command. e.g.\n\n```sh\nsam local invoke EventProcessorFunction --event events/eventProcessor/xray_license_issues_payload_string.json -n envs/test.json --region us-west-2\n```\n\nThe region must match the region for the SQS queue (defined in env var json file).\n\nFor security reason, only a sample env var file (`envs/sample.json`) is provided in this repo. Make your own copy from it and fill in appropriate values for your test environment.\n\nThe SAM CLI can also emulate your application's API. Use the `sam local start-api` to run the API locally on port 3000.\n\n```sh\nsam local start-api\ncurl http://localhost:3000/\n```\n\nThe SAM CLI reads the application template to determine the API's routes and the functions that they invoke. The `Events` property on each function's definition includes the route and method for each path.\n\n```yaml\nEventProcessorFunction:\n  Properties:\n    Events:\n      ProcessCallPayload:\n        Type: Api\n        Properties:\n          Path: /send\n          Method: post\n```\n\n## Fetch, tail, and filter Lambda function logs\n\nTo simplify troubleshooting, SAM CLI has a command called `sam logs`. `sam logs` lets you fetch logs generated by your deployed Lambda function from the command line. In addition to printing the logs on the terminal, this command has several nifty features to help you quickly find the bug.\n\n`NOTE`: This command works for all AWS Lambda functions; not just the ones you deploy using SAM.\n\n```sh\nsam logs -n EventProcessorFunction --stack-name xray-aws-security-hub --tail\n```\n\nYou can find more information and examples about filtering Lambda function logs in the [SAM CLI Documentation](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-logging.html).\n\n## Cleanup\n\nTo delete the sample application that you created, use the AWS CLI. Assuming you used your project name for the stack name, you can run the following:\n\n```sh\naws cloudformation delete-stack --stack-name xray-aws-security-hub\n```\n\n## Resources\n\nSee the [AWS SAM developer guide](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html) for an introduction to SAM specification, the SAM CLI, and serverless application concepts.\n\nNext, you can use AWS Serverless Application Repository to deploy ready to use Apps that go beyond hello world samples and learn how authors developed their applications: [AWS Serverless Application Repository main page](https://aws.amazon.com/serverless/serverlessrepo/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjfrog%2Fxray-aws-security-hub","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjfrog%2Fxray-aws-security-hub","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjfrog%2Fxray-aws-security-hub/lists"}