Conversation
Customer (aymenrc) reported AWS auto-fix falling back to manual steps with "required parameters were not properly provided… metric transformations were not properly provided to the CloudWatch Logs API" on the CIS CloudWatch metric-filter checks. That finding IS meant to be auto-fixable (PutMetricFilter + CreateTopic + PutMetricAlarm — all standard API calls), so this is a bug, not an inherently-manual finding. Root cause: PutMetricFilterCommand was absent from REQUIRED_PARAMS, so a step with a missing/mis-shaped `metricTransformations` wasn't caught before execution — it went to AWS, got rejected, and fell back to manual steps. The model commonly emits metricTransformations as a single object instead of an array, or metricValue as the number 1 instead of "1", both of which AWS rejects. - aws-command-executor: add PutMetricFilterCommand to REQUIRED_PARAMS (logGroupName, filterName, filterPattern, metricTransformations) so a missing field fails fast and triggers the existing AI repair pass; and add a deterministic normalizer (normalizeMetricFilterTransformations) that wraps a single transformation object in an array and coerces metricValue to a string. - ai-remediation.prompt: explicit PutMetricFilter shape guidance (metricTransformations array, string metricValue, real logGroupName). - Tests: REQUIRED_PARAMS enforcement + normalizer cases. Full cloud-security suite green (310 passing); changed files typecheck clean. Not yet verified against a live failing finding — covers the failure class. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
fix(cloud-security): make CloudWatch metric-filter auto-fix reliable
|
The latest updates on your projects. Learn more about Vercel for GitHub.
2 Skipped Deployments
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
1 issue found across 3 files
Confidence score: 3/5
- There is a concrete behavior mismatch in
apps/api/src/cloud-security/aws-command-executor.ts:PutMetricFilterCommandcurrently rejects an emptyfilterPattern, even though AWS permits"", which can block valid requests. - Given the medium severity (6/10) and high confidence (9/10), this is a real regression risk for users relying on empty metric filter patterns, so merge risk is moderate rather than low.
- Pay close attention to
apps/api/src/cloud-security/aws-command-executor.ts- validation logic forfilterPatternshould align with AWS semantics forPutMetricFilterCommand.
Reply with feedback, questions, or to request a fix.
Fix all with cubic | Re-trigger cubic
… validation Cubic review on #3050: PutMetricFilterCommand had `filterPattern` in REQUIRED_PARAMS, which (via hasRequiredParamValue) rejects an empty string — but AWS allows an empty filterPattern (min length 0; an empty pattern matches all log events). The parameter must be PRESENT, but its value may be "". - Move `filterPattern` out of REQUIRED_PARAMS (which also rejects "") into a new REQUIRED_PRESENT_PARAMS check that only rejects a missing/null value, so "" is accepted while a truly-omitted pattern is still caught before execution. - logGroupName / filterName / metricTransformations stay non-empty-required. - Tests: empty filterPattern is accepted; a missing one is reported via the present-check. Low practical impact (our CIS metric-filter remediations always emit a non-empty pattern), but aligns the validator with AWS semantics. Executor spec green (43); typecheck clean. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
…tern fix(cloud-security): allow empty filterPattern for PutMetricFilter validation
Contributor
|
@cubic-dev-ai review it |
Contributor
@tofikwest I have started the AI code review. It will take a few minutes to complete. |
Contributor
There was a problem hiding this comment.
1 issue found across 3 files
Confidence score: 4/5
- This PR looks safe to merge with minimal risk: the only reported issue is medium-low severity (5/10) and is limited to prompt logic rather than a clear runtime break.
- In
apps/api/src/cloud-security/ai-remediation.prompt.ts, conflicting instructions forlogGroupNamecan produce inconsistent PutMetricFilter remediation plans, so behavior may vary across generated outputs. - Given the high confidence (9/10), this is worth a follow-up fix, but it does not appear merge-blocking for core functionality.
- Pay close attention to
apps/api/src/cloud-security/ai-remediation.prompt.ts- conflictinglogGroupNameguidance may lead to inconsistent remediation output.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="apps/api/src/cloud-security/ai-remediation.prompt.ts">
<violation number="1" location="apps/api/src/cloud-security/ai-remediation.prompt.ts:178">
P2: Prompt instructions conflict on `logGroupName` source, which can cause inconsistent remediation plans for PutMetricFilter.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Fix all with cubic | Re-trigger cubic
…ix prompt Cubic follow-up on the metric-filter work: the prompt told the model two different things about the CloudWatch logGroupName — the new CLOUDWATCH METRIC FILTERS section said "use the REAL log group from the read step, never a placeholder", while the older NO-PLACEHOLDERS section said to use a made-up "CloudTrail/DefaultLogGroup" default. That inconsistency could produce varying PutMetricFilter plans. Nothing in code resolves the literal "CloudTrail/DefaultLogGroup" string (real values are filled by the refine pass from read-step output), so the real log group is what's needed. Align the older guidance to "discover the trail's CloudWatch Logs log group in a read step and use that exact name — do not invent one", matching the metric-filter section. Prompt-only change; typecheck clean. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
…prompt fix(cloud-security): reconcile conflicting logGroupName guidance in fix prompt
Contributor
|
@cubic-dev-ai review it |
Contributor
@tofikwest I have started the AI code review. It will take a few minutes to complete. |
Contributor
|
🎉 This PR is included in version 3.73.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Fixes AWS auto-fix for CloudWatch metric filters by enforcing required params, allowing empty
filterPattern, normalizing metric transformations, and aligning prompt guidance so plans stop falling back to manual steps. Improves reliability of CIS CloudTrail metric-filter remediation.PutMetricFilterCommand: require non-emptylogGroupName,filterName,metricTransformations; requirefilterPatternto be present but allow "".normalizeMetricFilterTransformationsto wrap a single transformation into an array and coercemetricValueto a string.logGroupName(not "CloudTrail/DefaultLogGroup"); reflect array shape, stringmetricValue, and the empty-filterPatterncase.Written for commit 80d3275. Summary will update on new commits.