15 changes: 8 additions & 7 deletions DevOps-Project-23/Swiggy_clone/buildspec.yaml
@@ -39,7 +39,7 @@ phases:
# post_build:
# commands:
# - echo "Performing Trivy image scan after building the image..."
# - aws ses send-email --from "madithati123@gmail.com" --to "madithatisreedhar123@gmail.com" --subject "CodeBuild Status: $CODEBUILD_BUILD_ID" --text "Build status: $CODEBUILD_BUILD_STATUS" --region "ap-south-1"
# - aws ses send-email --from "ishuraghuvinder@gmail.com" --to "madithatisreedhar123@gmail.com" --subject "CodeBuild Status: $CODEBUILD_BUILD_ID" --text "Build status: $CODEBUILD_BUILD_STATUS" --region "ap-south-1"

# # - trivy image "$DOCKER_REGISTRY_USERNAME/swiggy:latest" >> trivyimage.txt
# # - echo "Running OWASP Dependency-Check scan..."
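Review bot: this hunk only swaps one personal address for another inside a commented-out `aws ses send-email` line, so the repository still carries a hardcoded personal email, now in dead code, and the commented block keeps `--region "ap-south-1"` while the live post_build command in the next hunk targets `eu-north-1`. Suggest deleting the commented-out notification lines rather than maintaining a second copy of the command, and sourcing any addresses from Parameter Store as the inline review on this file already proposes.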
@@ -48,19 +48,20 @@ phases:
# # - echo "Build completed successfully!"
# # - echo "Running SonarQube analysis result"
# # - sonar-scanner -Dsonar.projectKey=swiggy -Dsonar.sources=. -Dsonar.host.url=http://65.1.1.149:9000/
# #- aws ses send-email --from "madithati123@gmail.com" --to "madithatisreedhar123@gmail.com" --subject "CodeBuild Status: $CODEBUILD_BUILD_ID" --text "Build status: $CODEBUILD_BUILD_STATUS" --region "ap-south-1"
# #- aws ses send-email --from "ishuraghuvinder@gmail.com" --to "madithatisreedhar123@gmail.com" --subject "CodeBuild Status: $CODEBUILD_BUILD_ID" --text "Build status: $CODEBUILD_BUILD_STATUS" --region "ap-south-1"
# # Update with your preferred AWS region

post_build:
commands:
- aws ses send-email \
--from "madithati123@gmail.com" \
--to "madithati123@gmail.com" \
- |
aws ses send-email \
--from "ishuraghuvinder@gmail.com" \
--to "ishuraghuvinder@gmail.com" \
Comment on lines +58 to +59

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Hardcoded email addresses expose PII and create security/maintainability risks.

Personal email addresses are hardcoded directly in the repository, which:

  • Exposes PII (Personally Identifiable Information) to anyone with repository access
  • Creates a spam/phishing target
  • Makes the configuration inflexible and harder to maintain
  • Violates security best practices for managing sensitive data
🔒 Proposed fix: Use AWS Systems Manager Parameter Store

Store email addresses in Parameter Store and reference them in the buildspec:

Update the env.parameter-store section:

 env:
   parameter-store:
     DOCKER_REGISTRY_USERNAME: /cicd/docker-credentials/username
     DOCKER_REGISTRY_PASSWORD: /cicd/docker-credentials/password
     DOCKER_REGISTRY_URL: /cicd/docker-registry/url
     SONAR_TOKEN: /cicd/sonar/sonar-token
+    NOTIFICATION_FROM_EMAIL: /cicd/ses/from-email
+    NOTIFICATION_TO_EMAIL: /cicd/ses/to-email

Then update the SES command:

 post_build:
   commands:
     - |
       aws ses send-email \
-        --from "ishuraghuvinder@gmail.com" \
-        --to "ishuraghuvinder@gmail.com" \
+        --from "$NOTIFICATION_FROM_EMAIL" \
+        --to "$NOTIFICATION_TO_EMAIL" \
         --subject "CodeBuild Status: $CODEBUILD_BUILD_ID" \
         --text "Build status: $CODEBUILD_BUILD_STATUS" \
         --region "eu-north-1"

Create the parameters:

aws ssm put-parameter --name /cicd/ses/from-email --value "your-verified-email@example.com" --type String
aws ssm put-parameter --name /cicd/ses/to-email --value "recipient@example.com" --type String
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@DevOps-Project-23/Swiggy_clone/buildspec.yaml` around lines 58 - 59, replace
the hardcoded emails used in the SES command (--from and --to) with Parameter
Store references and load them via the buildspec env.parameter-store
configuration; update the buildspec.yaml to declare parameters (e.g.,
/cicd/ses/from-email and /cicd/ses/to-email) and change the SES invocation to
use the parameter values instead of literal addresses so the SES command (the
lines containing "--from" and "--to") reads values from the parameter-store
variables; also ensure CI/CD secrets are created in SSM (aws ssm put-parameter
...) with verified SES addresses before the pipeline runs.
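The review above proposes moving the addresses out of the buildspec into Parameter Store. As an added example (not part of the review comment or of the project's code), here is a small pre-commit style lint that catches the pattern the review flags, and goes one step further: it reports literal email addresses on live lines, literal addresses left behind in commented-out lines (dead code still leaks the address), and `$VARIABLE` references in `--from`/`--to`/`--cc`/`--bcc` arguments that are not declared under `env.parameter-store` (CodeBuild's own `CODEBUILD_*` variables are allowed). The two buildspec fragments, the parameter names and the `/cicd/ses/...` paths are constructed for the example; the scan is indentation-based so it needs no YAML library.

```python
import re

# Constructed sample buildspec fragments (not the project's file): the
# hardcoded form the review flags, and the Parameter Store form with one
# variable deliberately left undeclared so the second check has something to report.
BEFORE = """\
version: 0.2
phases:
  post_build:
    commands:
      - |
        aws ses send-email \\
          --from "owner@example.com" \\
          --to "owner@example.com" \\
          --region "eu-north-1"
"""

AFTER = """\
version: 0.2
env:
  parameter-store:
    NOTIFICATION_FROM_EMAIL: /cicd/ses/from-email
phases:
  post_build:
    commands:
      # - aws ses send-email --from "owner@example.com" --to "owner@example.com"
      - |
        aws ses send-email \\
          --from "$NOTIFICATION_FROM_EMAIL" \\
          --to "$NOTIFICATION_TO_EMAIL" \\
          --subject "CodeBuild Status: $CODEBUILD_BUILD_ID" \\
          --region "eu-north-1"
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
VAR_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?")
ADDRESS_FLAG_RE = re.compile(r"--(from|to|cc|bcc)\b")  # SES send-email address options


def _is_comment(line):
    return line.strip().startswith("#")


def parameter_store_names(text):
    """Variable names declared under env.parameter-store.

    Indentation-based scan so the check needs no YAML library: entries are
    collected until indentation drops back to the 'parameter-store:' level.
    """
    names = set()
    block_indent = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or _is_comment(line):
            continue
        indent = len(line) - len(line.lstrip())
        if stripped == "parameter-store:":
            block_indent = indent
            continue
        if block_indent is None:
            continue
        if indent <= block_indent:
            block_indent = None
            continue
        names.add(stripped.split(":", 1)[0].strip())
    return names


def find_hardcoded_emails(text):
    """(line_no, address) for literal addresses on live, non-comment lines."""
    return [(no, m.group(0))
            for no, line in enumerate(text.splitlines(), 1)
            if not _is_comment(line)
            for m in EMAIL_RE.finditer(line)]


def find_commented_emails(text):
    """Same, for commented-out lines: dead code still leaks the address."""
    return [(no, m.group(0))
            for no, line in enumerate(text.splitlines(), 1)
            if _is_comment(line)
            for m in EMAIL_RE.finditer(line)]


def find_undeclared_vars(text):
    """Variables expanded in --from/--to/--cc/--bcc arguments that are neither
    declared under parameter-store nor CodeBuild built-ins (CODEBUILD_*)."""
    declared = parameter_store_names(text)
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if _is_comment(line) or not ADDRESS_FLAG_RE.search(line):
            continue
        for name in VAR_RE.findall(line):
            if name not in declared and not name.startswith("CODEBUILD_"):
                findings.append((no, name))
    return findings


def lint(text):
    """Run all three checks; an empty result for every key means the file is clean."""
    return {
        "hardcoded": find_hardcoded_emails(text),
        "commented": find_commented_emails(text),
        "undeclared": find_undeclared_vars(text),
    }


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(doc))
```

Run against the first fragment the lint reports both literal addresses; against the second it reports nothing on live lines, but still flags the address left in the commented-out command and the `NOTIFICATION_TO_EMAIL` reference that has no matching `parameter-store` entry, which is exactly the kind of half-finished migration that otherwise surfaces only as an empty `--to` at build time.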

--subject "CodeBuild Status: $CODEBUILD_BUILD_ID" \
--text "Build status: $CODEBUILD_BUILD_STATUS" \
--region "us-east-1" # Update with your preferred AWS region
--region "eu-north-1"


artifacts:
files:
- appspec.yaml
- appspec.yaml
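Review bot: `--region` changes from `us-east-1` to `eu-north-1` and the "Update with your preferred AWS region" hint is dropped. SES identities are verified per region, so the `--from` address (and, while the account is still in the SES sandbox, the `--to` address as well) must be verified in eu-north-1 or `send-email` fails in post_build; consider reading the region from a variable such as `$AWS_REGION`, which CodeBuild sets, instead of a literal, so the build project's region and the SES call cannot drift apart. Also, `- appspec.yaml` appears twice under `artifacts: files:`; if this is not just a whitespace change, the duplicate entry should be dropped.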