aws-solutions-library-samples
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 1 deletion b/‎.gitignore‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.gitlab-ci.yml‎
Lines changed: 54 additions & 2 deletions b/‎.gitlab-ci.yml‎
Lines changed: 54 additions & 2 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 21 additions & 1 deletion b/‎CLAUDE.md‎
Lines changed: 21 additions & 1 deletion
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 5 additions & 5 deletions b/‎CONTRIBUTING.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎Makefile‎
Lines changed: 18 additions & 16 deletions b/‎Makefile‎
Lines changed: 18 additions & 16 deletions
diff --git a/‎scripts/README.md‎
Lines changed: 3 additions & 3 deletions b/‎scripts/README.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎scripts/dsr/README.md‎
Lines changed: 0 additions & 148 deletions b/‎scripts/dsr/README.md‎
Lines changed: 0 additions & 148 deletions
@@ -23,7 +23,7 @@ __pycache__
 .kiro
 notebooks/examples/data
 .idea/
-.dsr/
+.srt/
 *tmp-dev-assets*
 scratch/
 .mcp.json
 
@@ -22,6 +22,7 @@ stages:
   - developer_tests
   - deployment_validation
   - integration_tests
+  - security_review
 
 developer_tests:
   stage: developer_tests
@@ -115,7 +116,7 @@ integration_tests:
       when: manual
     - if: $CI_COMMIT_BRANCH =~ /^release\/.*/
       when: manual
-    - when: manual
+    - when: never
 
   before_script:
     - apt-get update -y
@@ -192,4 +193,55 @@ integration_tests:
     paths:
       - pipeline_execution_id.txt
       - codebuild_logs.txt
-    expire_in: 1 week
+    expire_in: 1 week
+
+srt_security_review:
+  stage: security_review
+  timeout: 30m  # SRT scan typically takes 5-10 minutes
+
+  # Use runner with more memory for SRT security scanning
+  # saas-linux-medium-amd64: 4 vCPUs, 16 GB RAM
+  tags:
+    - size:large
+
+  # Only run on merge requests targeting develop branch
+  rules:
+    - if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "develop"
+      when: on_success
+    - when: never
+
+  before_script:
+    - python --version
+    - apt-get update -y
+    - apt-get install curl python3-pip -y
+    # Install Python dependencies for SRT setup script
+    - pip install --upgrade pip
+
+  script:
+    - echo "Running SRT (Sample Security Review Tool) security assessment..."
+    - echo "This stage only runs on merge requests targeting develop branch"
+    - make srt-setup
+    - make srt-scan
+
+  after_script:
+    - |
+      if [ -d ".srt" ]; then
+        echo "SRT assessment completed"
+        # Copy SRT reports to artifacts root for easy access
+        [ -f ".srt/issues.json" ] && cp .srt/issues.json srt-issues.json
+        [ -f ".srt/dashboard.html" ] && cp .srt/dashboard.html srt-dashboard.html
+        [ -f ".srt/bandit-summary.json" ] && cp .srt/bandit-summary.json srt-bandit-summary.json
+        [ -f ".srt/syft-summary.json" ] && cp .srt/syft-summary.json srt-syft-summary.json
+        echo "✓ SRT reports captured for download"
+      fi
+
+  artifacts:
+    when: always
+    paths:
+      - srt-issues.json
+      - srt-dashboard.html
+      - srt-bandit-summary.json
+      - srt-syft-summary.json
+    reports:
+      # Future: Add security scanning report format when GitLab supports it
+    expire_in: 1 week
@@ -5,6 +5,10 @@ SPDX-License-Identifier: MIT-0
 
 ## [Unreleased]
 
+### Changed
+
+- **Replaced DSR with open-source SRT security scanning tool** — Migrated from deprecated internal DSR (Design Security Review) tool to the actively maintained open-source [Sample Security Review Tool (SRT)](https://github.com/aws-samples/sample-security-review-tool). Added automated security scanning in GitLab CI/CD pipeline that runs on merge requests targeting `develop` branch. Pipeline fails if security findings are detected, providing a security gate before production deployments. New Makefile targets: `make srt`, `make srt-setup`, `make srt-scan`, `make srt-fix`. Updated documentation in CLAUDE.md, CONTRIBUTING.md, and scripts/README.md.
+  
 ## [0.5.9]
 
 ### Added
 
@@ -64,7 +64,7 @@ make lint-cicd
 ### Testing
 
 ```bash
-# Run all tests (idp_common_pkg + idp_cli)
+# Run all tests (idp_common_pkg + idp_cli + srt security scan)
 make test
 
 # Run tests in idp_common_pkg only
@@ -84,6 +84,26 @@ pytest -m "unit"
 pytest -m "integration"
 ```
 
+### Security Scanning
+
+The project includes automated security scanning with the [Sample Security Review Tool (SRT)](https://github.com/aws-samples/sample-security-review-tool):
+
+```bash
+# Run full SRT workflow (setup → scan → optional fix)
+make srt
+
+# Or run individual steps:
+make srt-setup     # Download and configure SRT
+make srt-scan      # Run security assessment
+make srt-fix       # Interactive fix mode
+```
+
+**CI/CD Integration:**
+- SRT automatically runs on merge requests targeting `develop` branch (GitLab CI `security_review` stage)
+- Does not run on feature branch pushes to avoid blocking development
+- Pipeline fails if high-priority security findings are detected
+- Provides security gate before code is merged to `develop`
+
 ### IDP CLI Commands
 
 The IDP CLI is used for programmatic deployment and batch processing:
 
@@ -204,14 +204,14 @@ make ui-start STACK_NAME=my-idp-stack
 | `make docs-build` | Build documentation site (no serve) |
 | `make docs-deploy` | Deploy docs to GitHub Pages (from local build) |
 
-### Security (DSR)
+### Security (SRT)
 
 | Command | Description |
 |---------|-------------|
-| `make dsr` | Run full DSR workflow (setup → scan → optional fix) |
-| `make dsr-setup` | Set up DSR tool |
-| `make dsr-scan` | Run DSR security scan |
-| `make dsr-fix` | Run DSR interactive fix |
+| `make srt` | Run full SRT workflow (setup → scan → optional fix) |
+| `make srt-setup` | Download and configure SRT tool |
+| `make srt-scan` | Run SRT security assessment |
+| `make srt-fix` | Run SRT interactive fix |
 
 ## Coding Standards
 
 
@@ -197,14 +197,16 @@ typecheck-pr: ## Type check only files changed vs TARGET_BRANCH (default: main)
 	$(PYTHON) scripts/sdlc/typecheck_pr_changes.py $(TARGET_BRANCH)
 
 ##@ Testing
-test: ## Run all tests (idp_common, cli, sdk, capacity, config library)
+test: ## Run all tests (idp_common, cli, sdk, capacity, config library, srt)
 	$(MAKE) -C lib/idp_common_pkg test PYTHON=$(PYTHON)
 	cd lib/idp_cli_pkg && $(PYTHON) -m pytest -v
 	cd lib/idp_sdk && $(PYTHON) -m pytest -m "not integration" -v
 	@echo "Running capacity planning Lambda tests..."
 	cd src/lambda/calculate_capacity && $(PYTHON) -m pytest -v
 	@echo "Validating config library files..."
 	$(PYTHON) -m pytest config_library/test_config_library.py -v
+	@echo "Running SRT security scan..."
+	$(MAKE) srt
 
 test-cli: ## Run only IDP CLI tests
 	@echo "Running IDP CLI tests..."
@@ -379,28 +381,28 @@ docs-deploy: docs-build ## Deploy docs to GitHub Pages (from local build)
 	cd docs-site && npx gh-pages -d dist --dotfiles --repo https://github.com/aws-solutions-library-samples/accelerated-intelligent-document-processing-on-aws.git
 	@echo -e "$(GREEN)✅ Docs deployed to GitHub Pages!$(NC)"
 
-##@ Security (DSR)
-dsr: ## Run full DSR workflow (setup → scan → optional fix)
-	@$(MAKE) dsr-setup
-	@$(MAKE) dsr-scan
+##@ Security (SRT)
+srt: ## Run full SRT workflow (setup → scan → optional fix)
+	@$(MAKE) srt-setup
+	@$(MAKE) srt-scan
 	@echo ""
-	@echo "Do you want to run DSR fix? (y/N):"
+	@echo "Do you want to run SRT fix? (y/N):"
 	@read answer && \
 	if [ "$$answer" = "y" ] || [ "$$answer" = "Y" ]; then \
-		$(MAKE) dsr-fix; \
+		$(MAKE) srt-fix; \
 	fi
 
-dsr-setup: ## Set up DSR tool
-	@echo "Setting up DSR tool..."
-	$(PYTHON) scripts/dsr/setup.py
+srt-setup: ## Download and configure SRT tool
+	@echo "Setting up SRT tool..."
+	$(PYTHON) scripts/srt/setup.py
 
-dsr-scan: ## Run DSR security scan
-	@echo "Running DSR security scan..."
-	$(PYTHON) scripts/dsr/run.py
+srt-scan: ## Run SRT security assessment
+	@echo "Running SRT security assessment..."
+	$(PYTHON) scripts/srt/run.py
 
-dsr-fix: ## Run DSR interactive fix
-	@echo "Running DSR interactive fix..."
-	$(PYTHON) scripts/dsr/fix.py
+srt-fix: ## Run SRT interactive fix
+	@echo "Running SRT interactive fix..."
+	$(PYTHON) scripts/srt/fix.py
 
 ##@ Deploy
 # Thin wrappers around `idp-cli publish` / `deploy` / `delete` for the common
 
@@ -7,7 +7,7 @@ This directory contains utility scripts for building, testing, deploying, and op
 ```
 scripts/
 ├── setup/               # Development environment setup scripts
-├── dsr/                 # DSR (Deliverable Security Review) integration
+├── srt/                 # SRT (Sample Security Review Tool) integration
 ├── sdlc/                # SDLC CI/CD scripts and infrastructure
 │   ├── cfn/             # CloudFormation templates for CI/CD pipeline
 │   └── [scripts]        # CI/CD automation scripts
@@ -19,8 +19,8 @@ scripts/
 ### `setup/` - Development Environment Setup
 Setup scripts for different operating systems. See [setup/README.md](setup/README.md).
 
-### `dsr/` - DSR Security Scanning
-DSR (Deliverable Security Review) integration for automated security scanning. See [dsr/README.md](dsr/README.md).
+### `srt/` - SRT Security Scanning
+SRT (Sample Security Review Tool) integration for automated security scanning. See [srt/README.md](srt/README.md).
 
 ### `sdlc/` - SDLC CI/CD Scripts and Infrastructure
 CloudFormation templates and scripts for CI/CD pipeline infrastructure.