Good afternoon, Marco Friday · 9 May

monorepo-prod · Last sync 12s ago
Amy· 2 min ago
Brief for Friday, 9 May · monorepo-prod

Today across monorepo-prod I completed 23 Scanner Runs. Three things need review; the pentest finding is first.

PR #142 changed the user search path, so I ran run_de8231 and a targeted pentest replay against staging. The query builder accepted raw input and returned rows outside the tenant scope. I prepared the SQL injection patch and regression test, but left merge approval to you.

Cloud side: run_1a4c92 found S3 drift. Terraform expects the customer data bucket to be private, but AWS is set to public-read. I attached the CloudTrail actor and prepared the drift correction PR.

That's it. See what I did →

23 Scanner Runs 47 Suppressed 3 Need review 1 Patch prepared
Autonomy 97.7% · Overrides 4%
Three things need your review· Queue
Median triage 3.4m · Manage gates →
High

Approve patch from targeted pentest: SQL injection

api/users.ts:88 · pentest replay · PR #142 · run_de8231 · 14 min ago
I replayed the new search path against staging. Payload ' OR 1=1 -- returned rows outside the tenant scope. The patch switches the query builder to parameterized filters and adds a regression test.
Pentest proof GET /api/users?q=' OR 1=1 -- → 200 / 184 rows Patch ready
Score 0.96
High

Restore S3 bucket from public-read drift

terraform/storage.tf:42 · checkov · aws-prod · run_1a4c92 · 5 min ago
Terraform expects private but AWS reports public-read on the customer data bucket. CloudTrail shows a manual console change; I prepared the drift correction PR and attached the audit trail.
CloudTrail PutBucketAcl · arn:aws:iam::4817***:user/j-martinez 5 days undetected
Score 0.91
Question

Should I block merges when targeted pentests prove exploitability?

Raised by Amy · Scope: code scanning · Just now
For monorepo-prod I can hold PRs when a targeted pentest reproduces a high or critical code finding. I would post the proof, prepare the patch, and route the approval to the code owner.
Recommendation 0.86
What I did· Log
· 14 entries
11:46 Prepared SQL injection patch: parameterized query builder + regression test. Needs approval Patch →
11:43 Surfaced 7 of 45 code findings on PR #142. pentest proven Proof →
11:42 Started targeted pentest replay on PR #142 · feat/payments → main. trigger: pull_request Run →
11:40 Detected changes to api/users.ts and escalated to a targeted pentest. Why →
09:15 Ran scheduled Scanner Run on main. Clean. Suppressed 14 fixture matches. Show suppressions →
09:14 Re-ran dependency Scanner Run after lodash bump. Resolved CVE-2021-23337 Diff →
08:00 Surfaced cloud drift on aws-prod / terraform. Customer data bucket ACL is public-read; CloudTrail actor attached. Audit →
07:32 Posted a question for you: Block merges when targeted pentests pass? Answer →
Yesterday
23:00 Ran scheduled Scanner Run on main. Clean. Suppressed 14 fixtures. Show →
14:02 Surfaced CVE-2021-23337 in lodash. Flagged for You · Resolved 03:14 Story →
11:18 Ran code Scanner Run on PR #136 · chore/deps. Clean. 22 findings, all suppressed (vendored libs). Show →
08:00 Ran scheduled cloud Scanner Run on aws-staging. Clean. Show →
Earlier this week
Wed Surfaced slack-webhook hardcoding on PR #138 · Still in queue Story →
Tue Updated my fixture-detection rule (false-positive rate dropped −18%). Change →
14 of 49 entries · Today + 2 days View full log →