Merge branch 'nt/more-readonly' into nt-ac/workflow

.env

@@ -12,7 +12,7 @@ CQ_POSTGRES_DESTINATION=7.2.0
 CQ_POSTGRES_SOURCE=3.0.7
 
 # See https://hub.cloudquery.io/plugins/source/cloudquery/aws/versions
-CQ_AWS=23.6.1
+CQ_AWS=26.0.0
 
 # See https://hub.cloudquery.io/plugins/source/cloudquery/github/versions
 CQ_GITHUB=8.1.3
@@ -21,7 +21,7 @@ CQ_GITHUB=8.1.3
 CQ_FASTLY=3.0.7
 
 # See https://github.com/guardian/cq-source-galaxies
-CQ_GUARDIAN_GALAXIES=1.1.1
+CQ_GUARDIAN_GALAXIES=1.1.3
 
 # See https://hub.cloudquery.io/plugins/source/cloudquery/snyk/versions
 CQ_SNYK=5.3.0

.github/workflows/singleton.yml

@@ -32,4 +32,4 @@ jobs:
       IMAGE_NAME: singleton
     permissions:
       contents: read
-      packages: write
+      packages: write

containers/singleton/Dockerfile

@@ -1,3 +1,3 @@
-FROM amazonlinux:latest
+FROM amazonlinux:2.0.20240412.0
 
 RUN yum install -y -q aws-cli jq

packages/cdk/lib/__snapshots__/service-catalogue.test.ts.snap

@@ -121,7 +121,7 @@ exports[`The ServiceCatalogue stack matches the snapshot 1`] = `
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_costexplorer_*
   destinations:
@@ -798,7 +798,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_accessanalyzer_*
     - aws_securityhub_*
@@ -1461,7 +1461,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_organization*
   destinations:
@@ -2746,7 +2746,7 @@ spec:
   name: galaxies
   path: guardian/galaxies
   registry: github
-  version: v1.1.1
+  version: v1.1.3
   destinations:
     - postgresql
   tables:
@@ -6833,7 +6833,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_autoscaling_groups
   destinations:
@@ -7480,7 +7480,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_backup_protected_resources
     - aws_backup_vaults
@@ -8129,7 +8129,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_acm*
   destinations:
@@ -8806,7 +8806,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_cloudformation_*
   destinations:
@@ -9657,7 +9657,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_cloudwatch_alarms
   destinations:
@@ -10070,7 +10070,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_dynamodb*
   destinations:
@@ -10717,7 +10717,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_ec2_instances
     - aws_ec2_security_groups
@@ -11397,7 +11397,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_inspector_findings
     - aws_inspector2_findings
@@ -12279,7 +12279,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_elbv1_*
     - aws_elbv2_*
@@ -12927,7 +12927,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_rds_instances
     - aws_rds_clusters
@@ -13343,7 +13343,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_s3*
   destinations:
@@ -13990,7 +13990,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_*
   skip_tables:

packages/cdk/lib/cloudquery/config.test.ts

@@ -35,7 +35,7 @@ describe('Config generation, and converting to YAML', () => {
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_s3_buckets
   destinations:
@@ -69,7 +69,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - '*'
   skip_tables:
@@ -108,7 +108,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_accessanalyzer_analyzers
     - aws_accessanalyzer_analyzer_archive_rules
@@ -152,7 +152,7 @@ spec:
 spec:
   name: aws
   path: cloudquery/aws
-  version: v23.6.1
+  version: v26.0.0
   tables:
     - aws_securityhub_findings
   destinations:

packages/cli/package.json

@@ -6,9 +6,9 @@
   },
   "type": "module",
   "devDependencies": {
-    "@aws-sdk/client-ecs": "^3.554.0",
-    "@aws-sdk/client-secrets-manager": "^3.554.0",
-    "@aws-sdk/client-ssm": "^3.554.0",
+    "@aws-sdk/client-ecs": "^3.556.0",
+    "@aws-sdk/client-secrets-manager": "^3.556.0",
+    "@aws-sdk/client-ssm": "^3.556.0",
     "@types/yargs": "^17.0.32",
     "execa": "^8.0.1",
     "terminal-link": "^3.0.0",

packages/common/package.json

@@ -7,10 +7,10 @@
 		"test": "jest --detectOpenHandles --config ../../jest.config.js --selectProjects common"
 	},
 	"dependencies": {
-		"@aws-sdk/client-secrets-manager": "^3.554.0",
+		"@aws-sdk/client-secrets-manager": "^3.556.0",
 		"@guardian/anghammarad": "^1.8.2",
-		"@aws-sdk/credential-providers": "^3.554.0",
-		"@aws-sdk/rds-signer": "^3.554.0",
+		"@aws-sdk/credential-providers": "^3.556.0",
+		"@aws-sdk/rds-signer": "^3.556.0",
 		"@octokit/auth-app": "^6.0.4",
 		"octokit": "^3.1.2",
 		"octokit-plugin-create-pull-request": "^5.1.1",

packages/data-audit/package.json

@@ -9,9 +9,9 @@
     "build": "esbuild src/index.ts --bundle --platform=node --target=node20 --outdir=dist --external:@aws-sdk --external:@prisma/client --external:prisma"
   },
   "dependencies": {
-    "@aws-sdk/client-lambda": "^3.554.0",
-    "@aws-sdk/client-organizations": "^3.554.0",
-    "@aws-sdk/client-s3": "^3.554.0",
-    "@aws-sdk/client-sts": "^3.554.0"
+    "@aws-sdk/client-lambda": "^3.556.0",
+    "@aws-sdk/client-organizations": "^3.556.0",
+    "@aws-sdk/client-s3": "^3.556.0",
+    "@aws-sdk/client-sts": "^3.556.0"
   }
 }

packages/dependency-graph-integrator/package.json

@@ -10,7 +10,7 @@
 		"test": "jest --detectOpenHandles --config ../../jest.config.js --selectProjects dependency-graph-integrator"
 	},
 	"dependencies": {
-		"@aws-sdk/client-sns": "^3.554.0",
+		"@aws-sdk/client-sns": "^3.556.0",
 		"ts-markdown": "^1.0.0",
 		"yaml": "^2.4.1"
 	}

packages/interactive-monitor/package.json

@@ -10,7 +10,7 @@
 	},
 	"author": "guardian",
 	"dependencies": {
-		"@aws-sdk/client-s3": "^3.554.0",
+		"@aws-sdk/client-s3": "^3.556.0",
 		"@types/aws-lambda": "^8.10.137",
 		"octokit": "^3.1.1"
 	},

packages/repocop/package.json

@@ -11,8 +11,8 @@
 		"test": "jest --detectOpenHandles --config ../../jest.config.js --selectProjects repocop"
 	},
 	"dependencies": {
-		"@aws-sdk/client-cloudwatch": "^3.554.0",
-		"@aws-sdk/client-sns": "^3.554.0",
+		"@aws-sdk/client-cloudwatch": "^3.556.0",
+		"@aws-sdk/client-sns": "^3.556.0",
 		"octokit-plugin-create-pull-request": "^5.1.1",
 		"ts-markdown": "^1.0.0",
 		"yaml": "^2.4.1"

packages/repocop/src/remediation/vuln-digest/vuln-digest.test.ts

@@ -104,6 +104,7 @@ describe('createDigest', () => {
 			subject: `Vulnerability Digest for ${teamName}`,
 			message: String.raw`Found 1 vulnerabilities across 1 repositories.
 Displaying the top 1 most urgent.
+Obligations to resolve: Critical - 1 day; High - 2 weeks.
 Note: DevX only aggregates vulnerability information for repositories with a production topic.
 
 [guardian/repo](https://github.com/guardian/repo) contains a [HIGH vulnerability](example.com).
@@ -114,10 +115,6 @@ This vulnerability is patchable.`,
 					cta: `View vulnerability dashboard for ${teamName} on Grafana`,
 					url: `https://metrics.gutools.co.uk/d/fdib3p8l85jwgd?var-repo_owner=${teamSlug}`,
 				},
-				{
-					cta: "See 'Prioritise the vulnerabilities' in these docs for obligations",
-					url: 'https://security-hq.gutools.co.uk/documentation/vulnerability-management',
-				},
 			],
 		});
 	});

packages/repocop/src/remediation/vuln-digest/vuln-digest.ts

@@ -1,4 +1,3 @@
-import type { Action } from '@guardian/anghammarad';
 import { Anghammarad, RequestedChannel } from '@guardian/anghammarad';
 import type { view_repo_ownership } from '@prisma/client';
 import type { Config } from '../../config';
@@ -70,20 +69,15 @@ export function createDigest(
 	const listedVulnsCount = topVulns.length;
 	const preamble = String.raw`Found ${totalVulnsCount} vulnerabilities across ${resultsForTeam.length} repositories.
 Displaying the top ${listedVulnsCount} most urgent.
+Obligations to resolve: Critical - 1 day; High - 2 weeks.
 Note: DevX only aggregates vulnerability information for repositories with a production topic.`;
 
 	const digestString = topVulns
 		.map((v) => createHumanReadableVulnMessage(v))
 		.join('\n\n');
 
 	const message = `${preamble}\n\n${digestString}`;
-
-	const actionObligations: Action = {
-		cta: "See 'Prioritise the vulnerabilities' in these docs for obligations",
-		url: 'https://security-hq.gutools.co.uk/documentation/vulnerability-management',
-	};
-
-	const actions = [createTeamDashboardLinkAction(team), actionObligations];
+	const actions = [createTeamDashboardLinkAction(team)];
 
 	return {
 		teamSlug: team.slug,

packages/snyk-integrator/package.json

@@ -10,7 +10,7 @@
 		"test": "jest --detectOpenHandles --config ../../jest.config.js --selectProjects snyk-integrator"
 	},
 	"dependencies": {
-		"@aws-sdk/client-sns": "^3.554.0",
+		"@aws-sdk/client-sns": "^3.556.0",
 		"ts-markdown": "^1.0.0",
 		"yaml": "^2.4.1"
 	}