AWS Security ChangesHomeSearch

AWS inspector documentation change

Service: inspector · 2026-06-25 · Documentation low

File: inspector/latest/user/sbomgen-plugin-testing-guide.md

Summary

Added security guidelines for test data management regarding file access boundaries and sensitive data.

Security assessment

The change documents security best practices for testing (avoiding external file dependencies and preventing credential exposure in test data), but doesn't address an active security vulnerability.

Diff

diff --git a/inspector/latest/user/sbomgen-plugin-testing-guide.md b/inspector/latest/user/sbomgen-plugin-testing-guide.md
index 2feae21c0..9f4106a76 100644
--- a//inspector/latest/user/sbomgen-plugin-testing-guide.md
+++ b//inspector/latest/user/sbomgen-plugin-testing-guide.md
@@ -307 +307,3 @@ When an assertion fails, the failure is recorded but the test function continues
-  * Each plugin's `_testdata/` should be self-contained — no references to files outside the plugin directory
+  * Each plugin's `_testdata/` should be self-contained — no references to files outside the plugin directory. At runtime, `sbomgen.*` reads are confined to the artifact under inventory, so a plugin that depends on files elsewhere on the host will not work outside `localhost` scans.
+
+  * Use representative, non-sensitive fixtures. Sbomgen does not redact SBOM contents, so never commit real secrets or credentials to `_testdata/`.