aws · GarrettBeatty · May 1, 2025 · May 1, 2025 · May 1, 2025 · May 1, 2025
diff --git a/.github/workflows/aws-ci.yml b/.github/workflows/aws-ci.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Configure Load Balancer Credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4
         with:
           role-to-assume: ${{ secrets.CI_MAIN_TESTING_ACCOUNT_ROLE_ARN }}
           role-duration-seconds: 7200
@@ -29,7 +29,7 @@ jobs:
           $roleArn=$(cat ./response.json)
           "roleArn=$($roleArn -replace '"', '')" >> $env:GITHUB_OUTPUT
       - name: Configure Test Runner Credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4
         with:
           role-to-assume: ${{ steps.lambda.outputs.roleArn }}
           role-duration-seconds: 7200
@@ -41,7 +41,7 @@ jobs:
           project-name: ${{ secrets.CI_TESTING_CODE_BUILD_PROJECT_NAME }}
       - name: Configure Test Sweeper Lambda Credentials
         if: always()
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4
         with:
           role-to-assume: ${{ steps.lambda.outputs.roleArn }}
           role-duration-seconds: 7200

diff --git a/.github/workflows/change-file-in-pr.yml b/.github/workflows/change-file-in-pr.yml
@@ -12,11 +12,11 @@ jobs:
 
     steps:
       - name: Checkout PR code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Get List of Changed Files
         id: changed-files
-        uses: tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf #v45
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c #v45
 
       - name: Check for Change File(s) in .autover/changes/
         run: |

diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
@@ -6,7 +6,7 @@ jobs:
     auto_comment:
         runs-on: ubuntu-latest
         steps:
-        - uses: aws-actions/closed-issue-message@v1
+        - uses: aws-actions/closed-issue-message@v2
           with:
             # These inputs are both required
             repo-token: "${{ secrets.GITHUB_TOKEN }}"

diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml
@@ -31,14 +31,14 @@ jobs:
           aws-region: us-west-2
       # Retrieve the Access Token from Secrets Manager
       - name: Retrieve secret from AWS Secrets Manager
-        uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8
+        uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 #v2.0.9
         with:
           secret-ids: |
             AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}
           parse-json-secrets: true
       # Checkout a full clone of the repo
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 #v4.2.2
         with:
           fetch-depth: '0'
           token: ${{ env.AWS_SECRET_TOKEN }}

diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
@@ -5,7 +5,7 @@ on:
   pull_request:
 
   push:
-    branches: ["dev", "main"]
+    branches: ["dev", "master"]
 
   schedule:
     - cron: '23 20 * * 1'
@@ -35,7 +35,7 @@ jobs:
             p/owasp-top-ten
 
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 #v3.28.16 
         with:
           sarif_file: semgrep.sarif
-        if: always()
+        if: always()
diff --git a/.github/workflows/sync-master-dev.yml b/.github/workflows/sync-master-dev.yml
@@ -32,14 +32,14 @@ jobs:
           aws-region: us-west-2
       # Retrieve the Access Token from Secrets Manager
       - name: Retrieve secret from AWS Secrets Manager
-        uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8
+        uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 #v2.0.9
         with:
           secret-ids: |
             AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}
           parse-json-secrets: true
       # Checkout a full clone of the repo
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 #v4.2.2
         with:
           ref: dev
           fetch-depth: 0
@@ -111,7 +111,7 @@ jobs:
     steps:
       # Checkout a full clone of the repo
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 #v4.2.2
         with:
           ref: releases/next-release
           fetch-depth: 0

diff --git a/.github/workflows/update-Dockerfiles.yml b/.github/workflows/update-Dockerfiles.yml
@@ -45,7 +45,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+      - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 #v4.2.2
         with:
           ref: 'dev'
 

diff --git a/.semgrepignore b/.semgrepignore
@@ -0,0 +1,15 @@
+# Ignore test and example files containing dummy credentials
+**/test/**/*.json
+**/tests/**/*.json
+**/SampleRequests/**/*.json
+**/*.example.*
+**/*.test.*
+**/*.min.js
+**/env.configs.yml
+
+# Ignore third-party libraries
+**/node_modules/**
+**/vendor/**
+**/dist/**
+**/build/**
+**/bootstrap/**/*.js
diff --git a/LambdaRuntimeDockerfiles/sample/Sample/Dockerfile b/LambdaRuntimeDockerfiles/sample/Sample/Dockerfile
@@ -17,4 +17,7 @@ RUN dotnet publish "Sample.csproj" -c Release -o /app/publish
 FROM base AS final
 COPY --from=publish /app/publish ${LAMBDA_TASK_ROOT}
 # ref. https://docs.aws.amazon.com/lambda/latest/dg/csharp-handler.html#csharp-handler-signatures
+# Create a non-root user and switch to it
+RUN adduser --disabled-password --gecos "" appuser
+USER appuser
 CMD [ "Sample::Sample.Function::FunctionHandler" ]
diff --git a/Libraries/src/Amazon.Lambda.Annotations/LambdaStartupAttribute.cs b/Libraries/src/Amazon.Lambda.Annotations/LambdaStartupAttribute.cs
@@ -7,7 +7,7 @@ namespace Amazon.Lambda.Annotations
     /// can be injected into Lambda functions.
     /// </summary>
     /// <remarks>
-    /// The class should implement a ConfigureServices method that 
+    /// The class should implement a ConfigureHostBuilder method (recommended) or ConfigureServices (legacy) that 
     /// adds one or more services to an IServiceCollection.
     /// </remarks>
     [AttributeUsage(AttributeTargets.Class)]

diff --git a/Libraries/test/TestServerlessApp/serverless.template b/Libraries/test/TestServerlessApp/serverless.template
@@ -18,7 +18,11 @@
         {
           "Ref": "ArchitectureTypeParameter"
         }
-      ]
+      ],
+      "Tags": {
+        "aws-tests": "TestServerlessApp",
+        "aws-repo": "aws-lambda-dotnet"
+      }
     }
   },
   "Resources": {