feat: initial commit

Author: sgtoj

.editorconfig

@@ -0,0 +1,26 @@
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+
+[{Dockerfile,Dockerfile.*}]
+indent_size = 4
+tab_width = 4
+
+[{Makefile,makefile,GNUmakefile}]
+indent_style = tab
+indent_size = 4
+
+[Makefile.*]
+indent_style = tab
+indent_size = 4
+
+[**/*.{go,mod,sum}]
+indent_style = tab
+indent_size = unset
+
+[**/*.py]
+indent_size = 4

.env.example

@@ -0,0 +1,6 @@
+APP_DEBUG_ENABLED=true
+APP_SLACK_CHANNEL=
+APP_SLACK_TOKEN=
+APP_AWS_CONSOLE_URL=https://console.aws.amazon.com
+APP_AWS_ACCESS_PORTAL_URL=
+APP_AWS_ACCESS_ROLE_NAME=

.github/.dependabot.yaml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/release.yaml

@@ -0,0 +1,29 @@
+name: release
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+      - name: Bump Version
+        id: tag_version
+        uses: mathieudutour/github-tag-action@v6.1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          default_bump: minor
+          custom_release_rules: bug:patch:Fixes,chore:patch:Chores,docs:patch:Documentation,feat:minor:Features,refactor:minor:Refactors,test:patch:Tests,ci:patch:Development,dev:patch:Development
+      - name: Create Release
+        uses: ncipollo/release-action@v1.12.0
+        with:
+          tag: ${{ steps.tag_version.outputs.new_tag }}
+          name: ${{ steps.tag_version.outputs.new_tag }}
+          body: ${{ steps.tag_version.outputs.changelog }}

.github/workflows/semantic-check.yaml

@@ -0,0 +1,26 @@
+name: semantic-check
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  main:
+    name: Semantic Commit Message Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+      - uses: amannn/action-semantic-pull-request@v5.2.0
+        name: Check PR for Semantic Commit Message
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          requireScope: false
+          validateSingleCommit: true

.gitignore

@@ -0,0 +1,12 @@
+!**/.gitkeep
+
+tmp/
+dist/
+.DS_Store
+
+.local/
+.env
+
+cognito-hooks-go
+main
+

AGENTS.md

@@ -0,0 +1,32 @@
+# Agent Guidelines
+
+## Build & Test
+- **Build Lambda**: `GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -C cmd/lambda -o ../../dist/bootstrap`
+- **Test all**: `make test` (runs with `-race -count=1`)
+- **Test single package**: `go test -race -count=1 ./internal/app`
+- **Test single function**: `go test -race -count=1 ./internal/app -run TestFunctionName`
+- **Run sample locally**: `go run -C cmd/sample .` (requires `.env` file)
+- **Lint**: `go vet ./...` and `gofmt -l .`
+
+## Code Style
+- **Imports**: stdlib, then blank line, then third-party, then local (e.g., `internal/`)
+- **Naming**: Go standard - `PascalCase` exports, `camelCase` private, `ALL_CAPS` for env vars prefixed with `APP_`
+- **Error handling**: return errors up the stack; use `fmt.Errorf` for wrapping
+- **Structs**: define types in package, constructors as `New()` or `NewTypeName()`; all methods must be public (PascalCase)
+- **Interfaces**: keep minimal (e.g., `SecurityHubEvent` has 2 methods)
+- **Formatting**: use `gofmt` (tabs for indentation)
+- **Comments**: rare, lowercase, short, concise; code should be self-documenting
+- **Code smells**: keep to minimum; prefer clear naming over comments
+
+## Architecture
+- `cmd/lambda/main.go` - Lambda handler entry point
+- `cmd/sample/main.go` - Local development runner using fixtures
+- `internal/app/` - Core application logic and configuration
+- `internal/events/` - OCSF event parsing and Slack message formatting
+- `fixtures/samples.json` - Sample Security Hub v2 OCSF findings for testing
+
+## Important Notes
+- This project is specifically for **AWS Security Hub v2** which uses OCSF (Open Cybersecurity Schema Framework) format
+- It is NOT compatible with the original AWS Security Hub (now called Security Hub CSPM) ASFF format
+- Security Hub v2 centralizes findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, and Security Hub CSPM
+- Events use OCSF fields like `finding_info`, `metadata`, `severity`, `class_name`, etc.

Makefile

@@ -0,0 +1,24 @@
+# set mac-only linker flags only for go test (not global)
+UNAME_S := $(shell uname -s)
+TEST_ENV :=
+ifeq ($(UNAME_S),Darwin)
+  TEST_ENV = CGO_LDFLAGS=-w
+endif
+
+TEST_FLAGS := -race -count=1
+.PHONY: build-debug
+build-debug:
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go build -trimpath -ldflags "-s -w" -o dist/sample ./cmd/sample
+
+.PHONY: debug
+debug:
+	go run ./cmd/sample
+
+.PHONY: test
+test:
+	$(TEST_ENV) go test $(TEST_FLAGS) ./...
+
+.PHONY: test-unit
+test-unit:
+	$(TEST_ENV) go test $(TEST_FLAGS) ./internal/...
+

README.md

@@ -0,0 +1,119 @@
+# aws-securityhub-integration-slack-go
+
+AWS Lambda function that sends **AWS Security Hub v2** findings to Slack via EventBridge. **Security Hub v2** uses OCSF (Open Cybersecurity Schema Framework) format and centralizes findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, and Security Hub CSPM.
+
+> **Note:** This is for Security Hub v2 only. Not compatible with the original AWS Security Hub (now called Security Hub CSPM).
+
+## Features
+
+* **multi-service support** – handles findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, and Security Hub CSPM
+* **ocsf format** – native support for Security Hub v2 OCSF schema
+* **eventbridge trigger** – findings invoke the Lambda function directly
+* **rich messages** – displays source service, severity, category, region, account, resource details, and remediation links
+* **config-driven** – all behavior controlled by environment variables
+* **severity filtering** – EventBridge rules can filter by severity (Critical/High only)
+
+---
+
+## Deployment
+
+### Prerequisites
+
+* AWS account with **AWS Security Hub v2** enabled in at least one region
+  * **Important:** This must be Security Hub v2, not the original Security Hub (now Security Hub CSPM)
+  * Security Hub v2 uses OCSF format and has product ARNs like `arn:aws:securityhub:region::productv2/aws/guardduty`
+* At least one integrated security service enabled (GuardDuty, Inspector, Macie, IAM Access Analyzer, or Security Hub CSPM)
+* Slack App with a Bot Token (`chat:write` scope) installed in your workspace
+* Go ≥ 1.24
+* AWS CLI configured for the deployment account
+
+### Steps
+
+```bash
+git clone https://github.com/cruxstack/aws-securityhub-integration-slack-go.git
+cd aws-securityhub-integration-slack-go
+
+# build static Linux binary for lambda
+mkdir -p dist
+GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -C cmd/lambda -o ../../dist/bootstrap
+
+# package
+cd dist && zip deployment.zip bootstrap && cd ..
+```
+
+## Required Environment Variables
+
+| name                        | example                                    | purpose                                                      |
+| --------------------------- | ------------------------------------------ | ------------------------------------------------------------ |
+| `APP_SLACK_TOKEN`           | `xoxb-…`                                   | slack bot token (store in secrets manager)                   |
+| `APP_SLACK_CHANNEL`         | `C000XXXXXXX`                              | channel id to post findings                                  |
+
+## Optional Environment Variables
+
+| name                        | example                                    | purpose                                                      | default                           |
+| --------------------------- | ------------------------------------------ | ------------------------------------------------------------ | --------------------------------- |
+| `APP_DEBUG_ENABLED`         | `true`                                     | verbose logging & event dump                                 | `false`                           |
+| `APP_AWS_CONSOLE_URL`       | `https://console.aws.amazon.com`           | base AWS console URL                                         | `https://console.aws.amazon.com`  |
+| `APP_AWS_ACCESS_PORTAL_URL` | `https://myorg.awsapps.com/start`          | AWS access portal URL (for federated access)                 | _(none - direct console links)_   |
+| `APP_AWS_ACCESS_ROLE_NAME`  | `SecurityAuditor`                          | IAM role name for access portal                              | _(none - direct console links)_   |
+
+## Create Lambda Function
+
+1. **IAM role**
+   * `AWSLambdaBasicExecutionRole` managed policy
+   * no additional AWS API permissions are required
+2. **Lambda config**
+   * Runtime: `al2023provided.al2023` (provided.al2 also works)
+   * Handler: `bootstrap`
+   * Architecture: `x86_64` or `arm64`
+   * Upload `deployment.zip`
+   * Set environment variables above
+3. **EventBridge rule**
+    ```json
+    {
+      "source": ["aws.securityhub"],
+      "detail-type": ["Security Hub Findings - Imported"]
+    }
+   ```
+   Optional: Filter by severity (recommended for high-volume environments):
+    ```json
+    {
+      "source": ["aws.securityhub"],
+      "detail-type": ["Security Hub Findings - Imported"],
+      "detail": {
+        "severity": ["Critical", "High"]
+      }
+    }
+   ```
+   Or filter by specific source services:
+    ```json
+    {
+      "source": ["aws.securityhub"],
+      "detail-type": ["Security Hub Findings - Imported"],
+      "detail": {
+        "metadata": {
+          "product": {
+            "name": ["GuardDuty", "Inspector"]
+          }
+        }
+      }
+    }
+   ```
+   Target: the Lambda function.
+4. **Slack App**
+   * Add `chat:write` and `chat:write.public`
+   * Custom bot avatar: upload AWS Security Hub logo in the Slack App *App Icon*
+     section.
+
+
+## Local Development
+
+### Test with Samples
+
+```bash
+cp .env.example .env # edit the values
+go run -C cmd/sample .
+```
+
+The sample runner reads OCSF-formatted Security Hub v2 findings from `fixtures/samples.json`, wraps them in EventBridge events, and posts to Slack exactly as the live Lambda would.
+