Deploy a ChatOps solution to manage SAST scan results by using AWS Chatbot custom actions and AWS CloudFormation - AWS Prescriptive Guidance

Created by Anand Bukkapatnam Tirumala (AWS)

Summary

This pattern presents a comprehensive solution that uses AWS Chatbot to streamline the management of static application security testing (SAST) scan failures reported through SonarQube. This innovative approach integrates custom actions and notifications into a conversational interface, enabling efficient collaboration and decision-making processes within development teams.

In today's fast-paced software development environment, managing SAST scan results efficiently is crucial for maintaining code quality and security. However, many organizations face the following significant challenges:

  • Delayed awareness of critical vulnerabilities because of inefficient notification systems

  • Slow decision-making processes caused by disconnected approval workflows

  • Lack of immediate, actionable responses to SAST scan failures

  • Fragmented communication and collaboration around security findings

  • Time-consuming and error-prone manual infrastructure setup for security tooling

These issues often lead to increased security risks, delayed releases, and reduced team productivity. Addressing them effectively requires a solution that streamlines SAST result management, enhances team collaboration, and automates infrastructure provisioning.

Key features of the solution include:

  • Customized notifications – Real-time alerts and notifications are delivered directly to team chat channels, ensuring prompt awareness and action on SAST scan vulnerabilities or failures.

  • Conversational approvals – Stakeholders can initiate and complete approval workflows for SAST scan results seamlessly within the chat interface, accelerating decision-making processes.

  • Custom actions – Teams can define and execute custom actions based on SAST scan outcomes, such as automatically triggering email messages for quality gate failures, enhancing responsiveness to security issues.

  • Centralized collaboration – All SAST scan-related discussions, decisions, and actions are kept within a unified chat environment, fostering improved collaboration and knowledge-sharing among team members.

  • Infrastructure as code (IaC) – The entire solution is wrapped with AWS CloudFormation templates, enabling faster and more reliable infrastructure provisioning while reducing manual setup errors.

Prerequisites and limitations

Prerequisites

  • An active AWS account.

  • An AWS Identity and Access Management (IAM) role with permissions to create and manage resources associated with the AWS services listed in Tools.

  • A Slack workspace.

  • AWS Chatbot added to the required Slack workspace as a plugin. For more information, see Add apps to your Slack workspace in the Slack documentation. Keep a note of the Slack workspace ID as shown on the AWS Management Console after successful registration.

  • A configured AWS Chatbot client, with the workspace ID readily available for input in the AWS CloudFormation console. For instructions, see Configure a Slack client in the AWS Chatbot Administrator Guide.

  • A source email account that is created and verified in Amazon Simple Email Service (Amazon SES) to send out approval email messages. For setup instructions, see Creating and verifying email identities in the Amazon Simple Email Service Developer Guide.

  • A destination email address for receiving approval notifications. This address can be a shared inbox or a specific team distribution list.

  • An operational SonarQube instance that’s accessible from your AWS account. For more information, see the SonarQube installation instructions.

  • A SonarQube user token with permissions to trigger and create projects through the pipeline.

Limitations

  • Custom actions for AWS Chatbot are currently not supported through AWS CloudFormation. The creation of custom action buttons is a manual process in this solution.

  • Some AWS services aren’t available in all AWS Regions. For Region availability, see AWS services by Region. For specific endpoints, see Service endpoints and quotas, and choose the link for the service.

Architecture

The following diagram shows the workflow and architecture components for this pattern.

Workflow to deploy automated code quality assurance for release management using AWS Chatbot.

The diagram shows the automated code quality assurance workflow:

  1. Code preparation and upload:

    • The developer compresses the codebase into a .zip file.

    • The developer manually uploads the .zip file to a designated Amazon Simple Storage Service (Amazon S3) bucket.

  2. Amazon S3 event trigger and AWS Step Functions orchestration:

    • The Amazon S3 upload event triggers a Step Functions workflow.

    • Step Functions orchestrates a SAST scan using SonarQube.

    • The workflow monitors the AWS CodeBuild job status to determine the next action. If CodeBuild succeeds (the quality gate passed), the workflow ends. If CodeBuild fails, an AWS Lambda function is invoked for diagnostics. For more details, see AWS Step Functions logic later in this section.

  3. AWS CodeBuild execution:

    • The CodeBuild job executes a SonarQube scan on the uploaded codebase.

    • Scan artifacts are stored in a separate Amazon S3 bucket for auditing and analysis.

  4. Failure analysis (Lambda function):

    • On CodeBuild failure, the CheckBuildStatus Lambda function is triggered.

    • On CodeBuild success, the process is terminated and no further action is needed.

  5. Lambda function analyzes the failure cause (quality gate failure or other issues):

    • The CheckBuildStatus function creates a custom payload with detailed failure information.

    • The CheckBuildStatus function publishes the custom payload to an Amazon Simple Notification Service (Amazon SNS) topic.

  6. Notification system:

    • Amazon SNS forwards the payload to AWS Chatbot for Slack integration.

  7. Slack integration:

    • AWS Chatbot posts a notification in the designated Slack channel.

  8. Approval process:

    • Approvers review the failure details in the Slack notification.

    • Approvers can initiate approval using the Approve button in Slack.

  9. Approval handler:

    • An Approval Lambda function processes the approval action from Slack.

    • The Approval function generates a custom message for developer notification.

    • The Approval function publishes the custom message to Amazon SES.

  10. Developer notification:

    • Amazon SES sends an email message to the developer with next steps or required actions.

This workflow combines manual code upload with automated quality checks, provides immediate feedback through Slack, and allows for human intervention when necessary, ensuring a robust and flexible code review process.

AWS Step Functions logic

As shown in the previous architecture diagram, if the SonarQube quality gate fails, the workflow goes to the CheckBuildStatus Lambda function, which triggers a notification on the Slack channel. Each notification includes suggested next steps. The notification types are as follows:

  • Application has failed in code security scan – The user receives this notification when the uploaded code did not pass the SonarQube quality gate. The user can choose APPROVE to accept the build anyway, but the notification warns that doing so accepts the potential poor code quality and security risks that the scan found. The notification includes the following details:

    • Next steps: Error: Quality gate status: FAILED – View details at the provided URL.

    • Triage the vulnerabilities as mentioned in the document at the provided URL.

    • CodeBuild details are available at the location at the provided URL.

  • Application scan pipeline has failed because of some other reason – The user receives this notification when the pipeline failed for some reason other than failing the code security scan. The notification includes the following details:

    • For next steps, go to the link provided for further troubleshooting.

To see screenshots of the notifications as they appear in a Slack channel, go to the assets folder in the GitHub chatops-slack repository.

The following diagram shows an example of the Step Functions step status after the quality gate fails.

Workflow of AWS Step Functions step status after the quality gate fails.
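The following is an added example of what a CheckBuildStatus-style Lambda function can look like; it is not code from the chatops-slack repository, and the repository's language is not stated on this page (Python is assumed). It classifies a CodeBuild failure into the two notification types described above by looking for the quality gate line that sonar-scanner prints, builds the version/source/content document that AWS Chatbot accepts from an SNS topic, and publishes it. Everything beyond the page is an assumption: that the Step Functions Catch on the CodeBuild task stores the error under $.error as {"Error": ..., "Cause": "<JSON of the task output>"}, the environment variables TOPIC_ARN and TRIAGE_DOC_URL, the eventType names, and the constructed sample build and log lines.

```python
"""Added example; not code from the chatops-slack repository. A CheckBuildStatus-style Lambda
handler that turns a CodeBuild failure into an AWS Chatbot custom notification and publishes
it to SNS. Assumptions (not from the page): the Step Functions Catch on the CodeBuild task
stores the error under $.error as {"Error": ..., "Cause": "<JSON of the task output>"}, the
topic ARN is in TOPIC_ARN, and a triage runbook URL is in TRIAGE_DOC_URL."""
import json
import os
import re
import uuid

# sonar-scanner prints this line when sonar.qualitygate.wait=true and the gate fails (assumed format).
QUALITY_GATE_RE = re.compile(r"QUALITY GATE STATUS:\s*FAILED.*?(https?://\S+)", re.IGNORECASE)

# Constructed sample data so the module runs offline.
SAMPLE_BUILD = {
    "Id": "sast-scan:1b2c3d4e",
    "BuildStatus": "FAILED",
    "Logs": {"GroupName": "/aws/codebuild/sast-scan", "StreamName": "1b2c3d4e",
             "DeepLink": "https://console.aws.amazon.com/codesuite/codebuild/projects/sast-scan/build/sast-scan:1b2c3d4e"},
}
SAMPLE_GATE_LOG = [
    "INFO: ANALYSIS SUCCESSFUL, you can find the results at: https://sonar.example.internal/dashboard?id=payments",
    "INFO: Waiting for the analysis report to be processed (current status: PENDING)",
    "ERROR: QUALITY GATE STATUS: FAILED - View details on https://sonar.example.internal/dashboard?id=payments",
]
SAMPLE_OTHER_LOG = [
    "ERROR: Error during SonarScanner execution",
    "ERROR: Project home must be an existing directory: /codebuild/output/src/app",
]


def classify_failure(log_lines):
    """("quality_gate", dashboard_url) when the scan ran and the gate failed; otherwise
    ("other", None), which covers packaging, token, and host-reachability problems."""
    for line in log_lines:
        m = QUALITY_GATE_RE.search(line)
        if m:
            return "quality_gate", m.group(1).rstrip(".")
    return "other", None


def build_notification(build, log_lines, triage_doc_url):
    """Build the version/source/content document that AWS Chatbot accepts from SNS.
    nextSteps mirrors the two notification types described on this page."""
    kind, gate_url = classify_failure(log_lines)
    codebuild_url = build.get("Logs", {}).get("DeepLink", "n/a")
    if kind == "quality_gate":
        title = "Application has failed in code security scan"
        description = (":warning: The uploaded code did not pass the SonarQube security scan. "
                       "Choosing APPROVE accepts the build despite potential poor code quality "
                       "and security risks.")
        next_steps = [
            f"Error: Quality gate status: FAILED. View details at {gate_url}",
            f"Triage the vulnerabilities as described at {triage_doc_url}",
            f"CodeBuild details: {codebuild_url}",
        ]
        event_type = "SastQualityGateFailed"
    else:
        title = "Application scan pipeline has failed because of some other reason"
        description = ":x: The scan pipeline failed before SonarQube produced a quality gate result."
        next_steps = [f"Troubleshoot using the CodeBuild logs at {codebuild_url}"]
        event_type = "SastPipelineFailed"
    return {
        "version": "1.0",
        "source": "custom",
        "id": str(uuid.uuid4()),
        "content": {"textType": "client-markdown", "title": title,
                    "description": description, "nextSteps": next_steps},
        "metadata": {"eventType": event_type, "summary": title,
                     "additionalContext": {"buildId": build.get("Id", "unknown"),
                                           "failureKind": kind}},
    }


def make_catch_event(build, error="States.TaskFailed"):
    """Shape of the handler input under the $.error Catch assumption (for local runs)."""
    return {"error": {"Error": error, "Cause": json.dumps({"Build": build})}}


def fetch_log_tail(build, limit=200):
    """Read the tail of the build's CloudWatch Logs stream; boto3 is imported lazily."""
    import boto3
    logs = build["Logs"]
    resp = boto3.client("logs").get_log_events(
        logGroupName=logs["GroupName"], logStreamName=logs["StreamName"],
        limit=limit, startFromHead=False)
    return [e["message"] for e in resp["events"]]


def lambda_handler(event, context, publish=None, log_reader=fetch_log_tail):
    """publish(message) and log_reader(build) are injectable so the logic runs without AWS."""
    cause = json.loads(event["error"]["Cause"])
    build = cause.get("Build", cause)
    payload = build_notification(build, log_reader(build),
                                 os.environ.get("TRIAGE_DOC_URL", "n/a"))
    message = json.dumps(payload)
    if publish is None:
        import boto3
        boto3.client("sns").publish(TopicArn=os.environ["TOPIC_ARN"], Message=message)
    else:
        publish(message)
    return payload


if __name__ == "__main__":
    out = lambda_handler(make_catch_event(SAMPLE_BUILD), None,
                         publish=print, log_reader=lambda b: SAMPLE_GATE_LOG)
    print(out["content"]["title"])
```

The classification deliberately keys on the scanner's quality gate line rather than on the CodeBuild exit status, because a missing properties file, a bad token, or an unreachable SonarQube host all end the build with the same non-zero exit code; only the gate line distinguishes "the scan ran and found problems" from "the scan never ran", and only the former should offer an Approve button.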

Tools

AWS services

  • AWS Chatbot enables you to use Amazon Chime, Microsoft Teams, and Slack chat channels to monitor and respond to operational events in your AWS applications.

  • AWS CloudFormation helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and AWS Regions.

  • AWS CodeBuild is a fully managed build service that helps you compile source code, run unit tests, and produce artifacts that are ready to deploy.

  • AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.

  • AWS Key Management Service (AWS KMS) helps you create and control cryptographic keys to help protect your data.

  • AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.

  • AWS Secrets Manager helps you replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.

  • Amazon Simple Email Service (Amazon SES) helps you send and receive email messages by using your own email addresses and domains.

  • Amazon Simple Notification Service (Amazon SNS) helps you coordinate and manage the exchange of messages between publishers and clients, including web servers and email addresses.

  • Amazon Simple Storage Service (Amazon S3) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data.

  • AWS Step Functions is a serverless orchestration service that helps you combine AWS Lambda functions and other AWS services to build business-critical applications.

Other tools

  • Slack, a Salesforce offering, is an AI-powered conversational platform that provides chat and video collaboration, automates processes with no code, and supports information sharing.

  • SonarQube is an on-premises analysis tool designed to detect coding issues in over 30 languages, frameworks, and IaC platforms.

Code repository

The code for this pattern is available in the GitHub chatops-slack repository.

Best practices

  • CloudFormation stack management – If you encounter any failures during CloudFormation stack execution, we recommend that you delete the failed stack. Then, re-create it with the correct parameter values. This approach supports a clean deployment and helps avoid potential conflicts or partial implementations.

  • Shared inbox email configuration – When you configure the SharedInboxEmail parameter, use a common distribution list that’s accessible to all relevant developers. This approach promotes transparency and helps important notifications reach the relevant team members.

  • Production approval workflow – For production environments, restrict access to the Slack channel that’s used for build approvals. Only designated approvers should be members of this channel. In this solution, channel membership is the authorization control for approvals: anyone who can see the notification can choose Approve and invoke the approval action. Limiting membership maintains a clear chain of responsibility and limits who can approve critical changes.

  • IAM permissions – Follow the principle of least privilege and grant the minimum permissions required to perform a task. For more information, see Grant least privilege and Security best practices in the IAM documentation.

Epics

Task | Description | Skills required

Clone the repository.

To clone the chatops-slack repository for this pattern, use the following command.

git clone git@github.com:aws-samples/chatops-slack.git

Skills required: AWS DevOps, Build lead, DevOps engineer, Cloud administrator

Create the .zip files that contain Lambda code.

Create the .zip files for the Lambda function code of the CheckBuildStatus and ApprovalEmail functions. To create notification.zip and approval.zip, use the following commands.

cd chatops-slack/src
chmod -R 775 *
zip -r approval.zip approval
zip -r notification.zip notification
Skills required: AWS DevOps, Build lead, DevOps engineer, Cloud administrator

Execute the pre-requisite.yml stack file.

The pre-requisite.yml CloudFormation stack file deploys the initial resources that are required before you execute the app-security.yml stack file. To execute the pre-requisite.yml file, do the following:

  1. Sign in to the AWS Management Console, and open the AWS CloudFormation console. Choose Create stack, and then choose With new resources (standard) from the dropdown list.

  2. On the Create stack page, choose Choose an existing template and Upload a template file. Then, choose Choose file and select pre-requisite.yml. Choose Next.

  3. On the Specify stack details page, enter values for the parameters as described in Additional information. Then, choose Next.

  4. On the Configure stack options page, choose the IAM role for creating the resources as described in Prerequisites. Then, choose Next.

  5. On the Review and create page, choose Submit.

  6. On the details page for the stack, choose the Resources and Outputs tabs. Make a note of the values for S3Lambda, CKMSKeyArn, and CKMSKeyId; you enter them as parameter values in the following steps.

Skills required: AWS administrator, AWS DevOps, Build lead, DevOps engineer

Upload the .zip files to the Amazon S3 bucket.

Upload the notification.zip and approval.zip files that you created earlier to the Amazon S3 bucket that you named in the S3LambdaBucket parameter. The app-security.yml CloudFormation stack file reads the Lambda function code from this bucket when it provisions the functions.

Skills required: AWS DevOps, Build lead, DevOps engineer, AWS systems administrator

Execute the app-security.yml stack file.

The app-security.yml stack file deploys the remaining infrastructure for the notification and approval system. To execute the app-security.yml file, do the following:

  1. Sign in to the AWS Management Console, and open the AWS CloudFormation console. Choose Create stack, and then choose With new resources (standard) from the dropdown list.

  2. On the Create stack page, choose Choose an existing template and Upload a template file. Then, choose Choose file and select app-security.yml. Choose Next.

  3. On the Specify stack details page, enter values for the parameters as described in Additional information. Then, choose Next.

  4. On the Configure stack options page, choose the IAM role for creating the resources as described in Prerequisites. Then, choose Next.

  5. On the Review and create page, choose Submit.

Skills required: AWS DevOps, AWS systems administrator, DevOps engineer, Build lead

Test the notification setup.

To test the notification setup, do the following:

  1. Open the Amazon SNS console. In the left navigation pane, choose Topics.

  2. Select the topic name that ends with LambdaToAWSSlackChatbot.

  3. On the topic’s details page, choose Publish message.

  4. On the Publish message to topic page, for Message body to send to the endpoint, enter the following:

    { "version": "1.0", "source": "custom", "content": { "description": ":warning: This is a test notification" } }
  5. Choose Publish message.

After the test message is delivered successfully, you should see a notification on the Slack channel. For more information, see Test notifications from AWS services to Slack in the AWS Chatbot Administrator Guide.

Skills required: AWS DevOps, AWS systems administrator, DevOps engineer, Build lead

Configure custom Lambda action.

To set up the custom AWS Lambda action, do the following:

  1. Choose the vertical ellipsis button at the bottom of the delivered notification in your Slack channel.

  2. In Manage actions, choose Create.

  3. Enter a custom action name, for example, Approve. This name is a unique identifier for your custom action.

  4. Enter a name for your custom action button, for example, Approve. This name is shown on a button on your notification. This name should be 20 characters or less and can incorporate emojis.

  5. For Custom action type, select Lambda action.

  6. Choose Next.

  7. Select the AWS account and AWS Region where you want to deploy this action.

  8. Choose Load Lambdas.

  9. In Define Lambda Function, select a Lambda function that ends with ApprovalEmailLambda. Then, choose Next.

  10. To create the Approve button, choose Save on the Display criteria page.

Skills required: AWS administrator, AWS DevOps, Build lead, DevOps engineer, Slack Admin

Validate approval flow.

To validate that the approval flow works as expected, choose the Approve button in Slack.

AWS Chatbot should reply in the message thread with the confirmation string Approval Email sent successfully.

Skills required: AWS administrator, AWS DevOps, DevOps engineer, Slack Admin
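The following is an added example of an ApprovalEmail-style Lambda function for the custom action configured above; it is not code from the chatops-slack repository. It refuses to act on anything other than a quality gate failure notification, sends the approval email through Amazon SES, and returns the confirmation string that the validation step expects to see in the thread. Assumptions not stated on the page: that the Lambda action hands the function the custom notification document the Approve button was attached to, that the string the function returns is what AWS Chatbot posts back in the thread, the environment variables SES_SOURCE and SHARED_INBOX (holding the stack's SESEmail and SharedInboxMail values), the eventType name, and the constructed sample notification.

```python
"""Added example; not code from the chatops-slack repository. An ApprovalEmail-style Lambda for
an AWS Chatbot custom action of type Lambda action. Assumptions (not from the page): the action
passes the function the custom notification document the Approve button was attached to
(version/source/content/metadata), the string the function returns is what AWS Chatbot posts in
the thread, and SES_SOURCE / SHARED_INBOX hold the stack's SESEmail and SharedInboxMail values."""
import json
import os

# Only notifications that carry a quality gate failure may be approved; a generic pipeline
# failure has nothing to approve, and an arbitrary payload must never trigger email.
APPROVABLE_EVENTS = {"SastQualityGateFailed"}
CONFIRMATION = "Approval Email sent successfully"

# Constructed sample notification, shaped like the one a CheckBuildStatus function would publish.
SAMPLE_NOTIFICATION = {
    "version": "1.0", "source": "custom",
    "content": {
        "textType": "client-markdown",
        "title": "Application has failed in code security scan",
        "description": ":warning: The uploaded code did not pass the SonarQube security scan.",
        "nextSteps": [
            "Error: Quality gate status: FAILED. View details at https://sonar.example.internal/dashboard?id=payments",
            "Triage the vulnerabilities as described at https://wiki.example.internal/sast-triage",
        ],
    },
    "metadata": {"eventType": "SastQualityGateFailed",
                 "additionalContext": {"buildId": "sast-scan:1b2c3d4e", "failureKind": "quality_gate"}},
}


class RecordingSesClient:
    """Stand-in for boto3's SES client so the handler can be exercised offline."""
    def __init__(self):
        self.sent = []

    def send_email(self, **kwargs):
        self.sent.append(kwargs)
        return {"MessageId": f"local-{len(self.sent)}"}


def compose_email(notification):
    """Return (subject, body); raise ValueError for anything that is not an approvable finding."""
    content = notification.get("content") or {}
    meta = notification.get("metadata") or {}
    event_type = meta.get("eventType")
    if event_type not in APPROVABLE_EVENTS:
        raise ValueError(f"notification type {event_type!r} is not approvable")
    build_id = (meta.get("additionalContext") or {}).get("buildId", "unknown")
    subject = f"[SAST] Build {build_id} approved despite quality gate failure"
    lines = [f"Build: {build_id}", f"Finding: {content.get('title', '')}", "",
             content.get("description", ""), "", "Next steps recorded with the notification:"]
    lines += [f"  - {step}" for step in content.get("nextSteps", [])]
    lines += ["", "This approval was recorded from the Slack approval channel."]
    return subject, "\n".join(lines)


def handle_approval(notification, ses_client, source, recipients):
    """Send the approval email and return the string AWS Chatbot should show in the thread."""
    if isinstance(notification, str):          # tolerate a JSON-encoded event
        notification = json.loads(notification)
    try:
        subject, body = compose_email(notification)
    except ValueError as exc:
        return f"Approval rejected: {exc}"
    ses_client.send_email(
        Source=source,
        Destination={"ToAddresses": list(recipients)},
        Message={"Subject": {"Data": subject, "Charset": "UTF-8"},
                 "Body": {"Text": {"Data": body, "Charset": "UTF-8"}}},
    )
    return CONFIRMATION


def lambda_handler(event, context):
    """Real entry point: SES client from boto3, addresses from the environment."""
    import boto3
    return handle_approval(event, boto3.client("ses"),
                           os.environ["SES_SOURCE"], [os.environ["SHARED_INBOX"]])


if __name__ == "__main__":
    client = RecordingSesClient()
    print(handle_approval(SAMPLE_NOTIFICATION, client, "sast-bot@example.com", ["appsec@example.com"]))
    print(client.sent[0]["Message"]["Body"]["Text"]["Data"])
```

Note what this function does not check: it validates the notification, not the person who chose Approve. As the Best practices section says, membership of the approval channel is the access control for this solution, so keep that channel restricted to designated approvers.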

Troubleshooting

Issue | Solution

Slack misconfigurations

For information about troubleshooting issues related to Slack misconfigurations, see Troubleshooting AWS Chatbot in the AWS Chatbot Administrator Guide.

Scan failed because of some other reason

This message means that the CodeBuild build failed before SonarQube reported a quality gate result. To troubleshoot the issue, go to the link that’s in the message. The build can fail for the following reasons:

  • The application is not packaged properly, so the sonar-scanner command can’t find the sonar.project.<env>.properties file.

  • The values for the SonarFileName, SonarFileDirectory, or SonarToken parameters are incorrect. Check the values, and then execute the stack files again.

  • The SonarQube host is not reachable from the CodeBuild environment.

  • Other issues, which you can troubleshoot by using the CodeBuild logs.

Additional information

This solution emphasizes AWS Chatbot custom actions for release management purposes. However, you can reuse the solution by modifying the Lambda code for your specific use case and build on top of it.

Parameters of CloudFormation stack files

The following parameters apply to the CloudFormation stack file pre-requisite.yml.

  • StackName – The name of the CloudFormation stack.

  • S3LambdaBucket – The name of the Amazon S3 bucket where you upload the Lambda code. The name must be globally unique.

  • SonarToken – The SonarQube user token as described in Prerequisites.

The following parameters apply to the CloudFormation stack file app-security.yml.

  • CKMSKeyArn – The AWS KMS key Amazon Resource Name (ARN) that is used in the IAM roles and Lambda functions created in this stack.

  • CKMSKeyId – The AWS KMS key ID that is used in the Amazon SNS topic created in this stack.

  • EnvironmentType – The name of the client environment for deployment of the application scan pipeline. Select the environment name from the dropdown list of allowed values.

  • S3LambdaBucket – The name of the Amazon S3 bucket that contains the approval.zip and notification.zip files.

  • SESEmail – The registered email identity in Amazon SES as described in Prerequisites. This identity is the source email address.

  • SharedInboxMail – The destination email address to which the scan notifications are sent.

  • SlackChannelId – The channel ID of the Slack channel where you want the notifications sent. To find the channel ID, open the channel name in Channel Details in the Slack app; the channel ID is shown at the bottom.

  • SlackWorkspaceId – The Slack workspace ID as described in Prerequisites. To find the Slack workspace ID, sign in to the AWS Management Console, open the AWS Chatbot console, and choose Configured clients, Slack, WorkspaceID.

  • StackName – The name of the CloudFormation stack.

  • SonarFileDirectory – The directory that contains the sonar.project.<env>.properties file.

  • SonarFileName – The name of the sonar.project.<env>.properties file.

  • SourceCodeZip – The name of the .zip file that contains the sonar.project.<env>.properties file and the source code.