AWS Security ChangesHomeSearch

AWS devopsagent documentation change

Service: devopsagent · 2026-06-19 · Documentation medium

File: devopsagent/latest/userguide/connecting-to-cicd-pipelines-connecting-github.md

Summary

Added new section 'Configuring Code Review and Automated Testing' explaining pull request reviews, updated GitHub App permissions documentation, and fixed a broken link.

Security assessment

The change adds security documentation about GitHub App permissions (including read/write access scopes) and recommends using separate IAM roles for runtime operations (principle of least privilege). However, there's no evidence this addresses a specific security vulnerability.

Diff

diff --git a/devopsagent/latest/userguide/connecting-to-cicd-pipelines-connecting-github.md b/devopsagent/latest/userguide/connecting-to-cicd-pipelines-connecting-github.md
index 906d7a2a7..839600808 100644
--- a//devopsagent/latest/userguide/connecting-to-cicd-pipelines-connecting-github.md
+++ b//devopsagent/latest/userguide/connecting-to-cicd-pipelines-connecting-github.md
@@ -7 +7 @@
-PrerequisitesRegistering GitHub (account-level)Connecting repositories to an Agent SpaceUnderstanding the GitHub appGitHub App permission updatesManaging GitHub connections
+PrerequisitesRegistering GitHub (account-level)Connecting repositories to an Agent SpaceConfiguring Code Review and Automated TestingUnderstanding the GitHub appGitHub App permission updatesManaging GitHub connections
@@ -73 +73 @@ If you are connecting to a GitHub Enterprise Server instance, check the **Use Gi
-If your GitHub Enterprise Server instance is not publicly accessible, you can optionally configure a private connection to allow AWS DevOps Agent to securely reach your instance. For more information, see [Connecting to privately hosted tools](./configuring-capabilities-for-aws-devops-agent-connecting-to-privately-hosted-tools.html).
+If your GitHub Enterprise Server instance is not publicly accessible, you can optionally configure a private connection to allow AWS DevOps Agent to securely reach your instance. For more information, see [Connecting to privately hosted tools](./configuring-integrations-and-knowledge-connecting-to-privately-hosted-tools.html).
@@ -144,0 +145,32 @@ You can connect different sets of repositories to different Agent Spaces based o
+## Configuring Code Review and Automated Testing
+
+When you select repositories in the GitHub connection step, they are automatically added to the **Code Review and Automated Testing** section. This section configures which repositories will automatically trigger a [Release readiness code reviews](./release-management-release-readiness-code-review.html) when a pull request is created.
+
+The Code Review and Automated Testing configuration includes:
+
+  * **Repository list** — Shows all repositories you selected during the connection step. Use the search field to filter repositories by name.
+
+  * **Change review** — When enabled for a repository, AWS DevOps Agent automatically runs a release readiness code review each time a pull request is opened or updated. Review findings appear as inline comments on the pull request. This is enabled by default for all connected repositories.
+
+  * **Runtime role** — Select the IAM role that DevOps Agent assumes to access internal services needed during builds, such as GitHub Enterprise and artifact storage systems. We recommend using a different role from your primary agent role.
+
+
+
+
+To configure automated reviews:
+
+  1. After connecting your repositories, navigate to the **Code Review and Automated Testing** section in your GitHub integration settings.
+
+  2. Verify that the **Change review** checkbox is enabled for each repository where you want automatic pull request reviews.
+
+  3. Verify that the **Automated sandbox testing** is enabled to enable [Simulated Verification](./release-management-release-readiness-code-review.html) in an AWS-managed sandbox environment.
+
+  4. Select an IAM role from the **Runtime role** dropdown that DevOps Agent will assume when running automated capabilities.
+
+  5. Choose **Save** to apply your configuration.
+
+
+
+
+Once configured, any new pull request in an enabled repository will automatically trigger a release readiness code review. For more information about code reviews, see [Release readiness code reviews](./release-management-release-readiness-code-review.html).
+
@@ -170 +202 @@ AWS DevOps Agent may request permission updates after you install the GitHub App
-  3. Accept the request to grant the updated permissions.
+  3. Click **Accept new permissions** to grant the updated permissions.
@@ -179 +211,13 @@ No changes are required in your service or application. Once you accept the upda
- __Until you accept a permission update, AWS DevOps Agent continues to operate with the previously granted permissions. New capabilities that depend on the updated permissions will not be available until you approve the request.
+ __Until you accept a permission update, AWS DevOps Agent continues to operate with the previously granted permissions. New capabilities that depend on the updated permissions will not be available until you approve the request. The app will retain its current permissions if you choose not to accept the new permissions.
+
+### Requested permissions
+
+The following table describes each permission the AWS DevOps Agent GitHub App requests and why it is needed.
+
+Permission | Access level | Purpose  
+---|---|---  
+Checks | Read and write | Post release readiness code review results as check runs on pull requests, allowing review status to appear directly in the GitHub UI.  
+Workflows | Read and write | Read workflow definitions and trigger GitHub Actions workflows for release testing in your CI/CD pipelines.  
+Actions | Read and write | Monitor GitHub Actions workflow runs and access run logs during incident investigations and release testing.  
+Contents | Read and write | Read repository source code for code review analysis and dependency mapping. Write access enables the agent to propose fixes for identified issues.  
+Pull requests | Read and write | Read pull request details to trigger automated code reviews. Write access enables posting inline review comments with findings and recommended fixes.