chore: new tool to run cfn-guard to detect inline broad scoped permissions

[QuantumNeuralCoder]

Issue # (if applicable)

None

Closes #.
None

Reason for this change

• Adds a new tool to run cfn-guard
• Enhances PR linter to find added or updated snapshot templates and run cfn-guard through them for detecting inline broad trust policy

Description of changes

Refer README.md
Also refer the pr-linter change here. This will be opened once current PR is merged.

Describe any new or updated permissions being added

N/A

Description of how you validated changes

Tested on personal fork. Refer QuantumNeuralCoder#6
PR Linter output shows test results.

Checklist

• [ x] My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.98%. Comparing base (74cbe27) to head (62b80d8).
Report is 30 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #34115   +/-   ##
=======================================
  Coverage   83.98%   83.98%           
=======================================
  Files         120      120           
  Lines        6976     6976           
  Branches     1178     1178           
=======================================
  Hits         5859     5859           
  Misses       1005     1005           
  Partials      112      112           

Flag	Coverage Δ
suite.unit	83.98% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	83.98% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[QuantumNeuralCoder]

Exemption Request since github workflow separately tested on personal fork.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[moelasmar]

since cfn-guard is required, I believe it worth adding a step to install cfn-guard, so we do not need every time we use this GH action to add a step to install it

[moelasmar]

should we remove the author :)

[moelasmar]

I think the rules set file will be always a local file in the repo, why shall we download it ?

[QuantumNeuralCoder]

Addressed all in latest commit

[moelasmar]

this is not required

[QuantumNeuralCoder]

the PR Linter trigger will trigger this workflow along with PR Linter.

[moelasmar]

why do we need to link it to PR Linter ?

[moelasmar]

why do we need this step ?

[QuantumNeuralCoder]

shas are referred in the next step. i have renamed the validate-pr step

[moelasmar]

what is the value of these steps ?

[moelasmar]

do not think we need these permissions, we will not update the PR

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 62b80d8
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository