diff --git a/.github/workflows/update-rules.yaml b/.github/workflows/update-rules.yaml
index fe8817b..4cec972 100644
--- a/.github/workflows/update-rules.yaml
+++ b/.github/workflows/update-rules.yaml
@@ -60,11 +60,13 @@ jobs:
 - name: Create Pull Request
 uses: peter-evans/create-pull-request@v6
- if: ${{ steps.changed-files.outputs.any_changed == 'true' }}
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 base: main
 branch: auto-update-aws-config-rules
+ add-paths: | managed_rules_locals.tf managed_rules_variables.tf
 commit-message: Automatic updates to AWS managed Config Rules
 delete-branch: true
 title: '[Auto] Update AWS Config Rules'
diff --git a/scripts/index.py b/scripts/index.py
index dd020b1..e2e05fa 100644
--- a/scripts/index.py
+++ b/scripts/index.py
@@ -53,7 +53,7 @@
 rule = AwsConfigRule(data=rule_data)
 for control in controls:
 if rule.name == control['rule']:
- logging.info(f"Updating rule '{rule.name}' severity to Security Hub recommended level '{control['severity']}'")
+ logging.info(f"Updating {rule.name} severity -> {control['severity']}")
 rule.set_severity_level(control['severity'])
 break
 rules.append(rule)
diff --git a/scripts/lib/aws_docs_reader.py b/scripts/lib/aws_docs_reader.py
index 663ac12..a56f1fa 100644
--- a/scripts/lib/aws_docs_reader.py
+++ b/scripts/lib/aws_docs_reader.py
@@ -290,7 +290,7 @@ def parse_security_hub_docs(controls_userguide_root: str, controls_ref_page: str
 logging.info(f"Parsing ({counter}/{controls_length})")
 security_hub_control = SecurityHubControl(soup=control)
 if security_hub_control.no_rule_configured:
- logging.error(f"Control {control.string} has no AWS Config Rule configured. Skipping")
+ logging.warning(f"Control {control.string} has no AWS Config Rule configured. Skipping")
 counter += 1
 continue
 if not security_hub_control.severity or not security_hub_control.rule:
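Review bot: The step still resolves `peter-evans/create-pull-request@v6` through a mutable major tag, and with the `if:` gate removed it now runs on every invocation holding `secrets.GITHUB_TOKEN`, so a retagged or compromised v6 release would execute with write access to this repository on each run; pin it to the full commit SHA of the v6 release, `uses: peter-evans/create-pull-request@<full-commit-sha> # v6`, and bump the SHA deliberately. Dropping the `if:` is presumably harmless because the action creates no PR when `add-paths` shows no diff, but the `changed-files` step whose output this line referenced may now be dead — check whether anything else reads `steps.changed-files` and remove it if not. Limiting `add-paths` to the two `.tf` files also means any other file the generator modifies is silently left out of the PR, which is only correct if those two are its complete output. The job header and the earlier steps are outside the hunk.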
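Review bot: The rewritten `logging.info` on the `+` line still formats with an f-string, so the interpolation runs even when INFO is disabled and the values are baked into the message instead of being passed as arguments; prefer the lazy form `logging.info("Updating %s severity -> %s (Security Hub recommended level)", rule.name, control['severity'])`. The shortened wording also drops the fact that the severity comes from the Security Hub recommendation, which is the one piece of context a reader of this generator's run log needs to understand why a security rule's severity changed. Since `rule.name` and `control['severity']` appear to originate from scraped AWS documentation (the third hunk builds controls from parsed HTML), treat them as untrusted once they reach logs or generated Terraform — confirm that `set_severity_level` validates the value against the allowed set. The enclosing loop starts before the hunk.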
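Review bot: Downgrading the skip to `logging.warning` means a documentation-layout change that makes every control look like `no_rule_configured` now runs to completion with nothing generated and no error-level signal, whereas before each skip at least surfaced as an error; keep the per-control warning but count the skips and escalate at the end of `parse_security_hub_docs`, e.g. `skipped += 1` next to `counter += 1` and `if skipped == controls_length: raise RuntimeError("no Security Hub control mapped to a Config rule")` after the loop. Separately, `control.string` is `None` for a BeautifulSoup tag with more than one child, so the message can read "Control None has no …" — if `control` is a bs4 element, as `SecurityHubControl(soup=control)` suggests, `control.get_text(strip=True)` gives a usable name; confirm against the caller. The logging call should also pass `control.string` as a lazy `%s` argument rather than via an f-string. The function body continues outside the hunk.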