…iming missing permissions

A customer's aws-s3-public-access check reported per-bucket 'Could not verify public access' with a remediation asserting a missing s3:GetBucketPublicAccessBlock grant — but their CloudTrail showed our role's calls succeeding. The per-bucket catch swallowed the real error (likely transient), and the finding fabricated a permissions claim it never verified, sending the customer on an IAM audit.

- classify read failures (toReadFailure): 403/AccessDenied vs transient
- store the real error in finding evidence (readError) and ctx.log it
- only show the 'Grant s3:...' remediation for actual auth failures; transient failures now say to re-run with the error visible
- maxAttempts: 5 on the S3/S3Control clients to ride out transient failures during the scheduled-run herd

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
… region

Prod data pinned the customer's 6am failures: the 4 unverified buckets were exactly the ones outside the connection's configured region (us-east-1 buckets, us-east-2 connection), failing fast and invisible in CloudTrail — the signature of S3's 301 redirect-follow failing (the x-amz-bucket-region header on 301 responses is not guaranteed). The same buckets passed on later re-runs when the redirect worked.

Instead of depending on the redirect: ListBuckets with MaxBuckets (the paginated form populates BucketRegion) and route each bucket's reads to a lazily-created client for that region. Legacy unpaginated fallback for partitions that reject MaxBuckets.

Also splits the S3 data-plane into s3-buckets.ts to stay under the 300-line file cap.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
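The two fixes the commit messages above describe, read-failure classification and per-region routing of bucket reads, as an added TypeScript example that is not code from trycompai/comp. It assumes SDK v3-style errors expose `name` and `$metadata.httpStatusCode`, injects a client factory in place of a real S3Client so it runs offline, and the names `toReadFailure`, `remediationFor`, `RegionalClientPool` and `BucketInfo` are the example's own.

```typescript
// Added example, not trycompai/comp code. Demonstrates: (1) classifying a
// per-bucket read error as auth vs transient so the remediation text never
// claims a missing grant it did not verify, and (2) caching one client per
// bucket region, driven by the BucketRegion field of paginated ListBuckets.

// Assumed error shape, modelled on AWS SDK v3 service exceptions.
interface SdkLikeError {
  name?: string;
  message?: string;
  $metadata?: { httpStatusCode?: number };
}

type ReadFailure =
  | { kind: "auth"; code: string; message: string }
  | { kind: "transient"; code: string; message: string };

// Only a 403 / AccessDenied-style error justifies a "grant s3:..." remediation.
// Timeouts, 5xx, failed redirect-follows and unknown errors are transient:
// the real error is kept as evidence (readError) instead of being swallowed.
function toReadFailure(err: unknown): ReadFailure {
  const e = (err ?? {}) as SdkLikeError;
  const code = e.name ?? "UnknownError";
  const message = e.message ?? String(err);
  const status = e.$metadata?.httpStatusCode;
  const authNames = new Set(["AccessDenied", "AccessDeniedException"]);
  if (status === 403 || authNames.has(code)) {
    return { kind: "auth", code, message };
  }
  return { kind: "transient", code, message };
}

// Remediation text is chosen by failure kind; the transient branch surfaces
// the underlying error rather than asserting a permissions problem.
function remediationFor(action: string, failure: ReadFailure): string {
  if (failure.kind === "auth") {
    return `Grant ${action} to the connection role (error: ${failure.code}).`;
  }
  return `Read failed with ${failure.code}: ${failure.message}. ` +
    `Re-run the check; no permission change is indicated.`;
}

// Paginated ListBuckets populates BucketRegion; a missing value falls back
// to the connection's configured region.
interface BucketInfo {
  Name: string;
  BucketRegion?: string;
}

// Lazily creates and caches one client per region. `factory` stands in for
// `new S3Client({ region })`; `created` records the construction order.
class RegionalClientPool<C> {
  private readonly clients: Map<string, C> = new Map();
  private readonly defaultRegion: string;
  private readonly factory: (region: string) => C;
  readonly created: string[] = [];

  constructor(defaultRegion: string, factory: (region: string) => C) {
    this.defaultRegion = defaultRegion;
    this.factory = factory;
  }

  clientFor(bucket: BucketInfo): C {
    const region = bucket.BucketRegion ?? this.defaultRegion;
    let client = this.clients.get(region);
    if (client === undefined) {
      client = this.factory(region);
      this.clients.set(region, client);
      this.created.push(region);
    }
    return client;
  }
}

// Constructed sample: a us-east-2 connection listing buckets in two regions.
const samplePool = new RegionalClientPool<{ region: string }>(
  "us-east-2",
  (region) => ({ region }),
);
const sampleBuckets: BucketInfo[] = [
  { Name: "logs-east-1", BucketRegion: "us-east-1" },
  { Name: "data-east-1", BucketRegion: "us-east-1" },
  { Name: "legacy-no-region" },
];
for (const b of sampleBuckets) samplePool.clientFor(b);
```

With the constructed list above the pool builds exactly two clients (us-east-1 and the us-east-2 default); the 301 redirect path is never exercised because each read goes to a client already pinned to the bucket's region.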
…nstead of linking all

Adding an existing control to a framework linked it to EVERY requirement in the framework (e.g. all 149 in NIST SP 800-53), because a control's framework membership is expressed only through requirement links and linkControl blindly connected every one. Reported as "149 requirements have been linked!".

- linkControl(frameworkId, controlId, requirementIds?) now links only the given requirements (validated to belong to the framework). Omitting requirementIds keeps the legacy link-all behavior the CLI documents and relies on, so that path is unchanged.
- "Add Existing Control" gains a second step: after choosing a control, pick which of the framework's requirements to link it to (>=1). Requirements are listed oldest-first so a just-created one sits at the bottom, as reported.
- Extracted the dialog's pure helpers into add-existing-item-helpers.ts to keep the file under the 300-line cap and make them unit-testable.
- Tests: framework.service linkControl (selective / legacy / invalid id / no-requirements), helper unit tests, and ControlRequirementSelect interaction.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…rash @IsOptional() lets a JSON `{"requirementIds": null}` past validation, and the === undefined guard missed null, so .filter() would throw. Guard null too (link-all legacy path) and widen the param type. Caught by cubic review. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
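The requirement-selection rules from the two commit messages above (selective linking validated against the framework, `undefined` and `null` both meaning legacy link-all, oldest-first ordering), as an added TypeScript example that is not code from trycompai/comp. The types `Framework` and `Requirement`, the functions `resolveRequirementIds` and `requirementsOldestFirst`, and the choice to reject an empty selection are the example's own assumptions.

```typescript
// Added example, not trycompai/comp code. Pure helpers showing how a
// link-control request decides which requirements to link.

interface Requirement {
  id: string;
  frameworkId: string;
  createdAt: number; // epoch millis; constructed sample uses small integers
}

interface Framework {
  id: string;
  requirements: Requirement[];
}

class LinkValidationError extends Error {}

// requirementIds may be omitted (undefined), be JSON null (which passes an
// @IsOptional() validator), or be an array. The first two select the legacy
// link-all path; `== null` deliberately matches both so null cannot reach
// .filter(). Assumption: an explicit empty array is rejected.
function resolveRequirementIds(
  framework: Framework,
  requirementIds?: string[] | null,
): string[] {
  if (requirementIds == null) {
    return framework.requirements.map((r) => r.id);
  }
  if (requirementIds.length === 0) {
    throw new LinkValidationError("select at least one requirement");
  }
  // Every requested id must belong to this framework.
  const known = new Set(framework.requirements.map((r) => r.id));
  const unknown = requirementIds.filter((id) => !known.has(id));
  if (unknown.length > 0) {
    throw new LinkValidationError(
      `requirements not in framework ${framework.id}: ${unknown.join(", ")}`,
    );
  }
  return Array.from(new Set(requirementIds)); // de-duplicate repeats
}

// Picker ordering: oldest first, so a just-created requirement is last.
function requirementsOldestFirst(framework: Framework): Requirement[] {
  return [...framework.requirements].sort((a, b) => a.createdAt - b.createdAt);
}

// Constructed sample framework (not real data), stored out of creation order.
const sampleFramework: Framework = {
  id: "fw-sample",
  requirements: [
    { id: "req-c", frameworkId: "fw-sample", createdAt: 3 },
    { id: "req-a", frameworkId: "fw-sample", createdAt: 1 },
    { id: "req-b", frameworkId: "fw-sample", createdAt: 2 },
  ],
};
```

For the sample framework, `resolveRequirementIds(sampleFramework, null)` returns all three ids, a selection of `["req-a"]` returns only that id, an id from another framework raises `LinkValidationError`, and the picker order is req-a, req-b, req-c.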
…ive-control-linking fix(framework-editor): "Add Existing Control" links selected requirements, not all
… ListBuckets is rejected Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…:trycompai/comp into tofik/aws-s3-check-read-error-visibility
…-visibility fix(integration-platform): surface real S3 read errors instead of claiming missing permissions
🎉 This PR is included in version 3.74.5 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Let users pick specific requirements when linking an existing control, and make AWS S3 checks more reliable by routing per-bucket reads to the bucket’s region and surfacing real read errors with accurate remediation.
New Features
- `POST /framework/:id/link-control/:controlId` now accepts optional `requirementIds`; omit or `null` to link all (legacy/CLI).

Bug Fixes
- …`BucketRegion`, with legacy fallback).
- …`readError` and only suggest permission grants on actual AccessDenied; transient errors ask to re-run.
- …`maxAttempts: 5`) and logging; extracted bucket read logic into `s3-buckets.ts`.

Written for commit 90b3b7f. Summary will update on new commits.