AI Audit: Findings and Recommendations

[koxon]

Summary

Two-pass security and quality audit of the aws-lambda-python-local framework by the Backend Developer agent. Focused on execution safety, sandboxing, dependency management, and Python version compatibility.

Deliverables

• FINDINGS.md — Structured findings (3 Critical, 5 High, 7 Medium, 7 Low) plus positive observations
• CLAUDE.md — Enhanced with architecture diagram, data flow documentation, Makefile target reference, known issues, and expanded gotchas

Top Findings

Severity	Count	Highlights
Critical	3	Arbitrary code exec in run.py, secrets in ZIPs, hardcoded AWS account/buckets
High	5	Broken SigV4 manual impl, hardcoded region, Python 3.8 EOL, no sandboxing, open CVE in requests
Medium	7	Broken tests, MockContext makes live AWS calls, env.py import-time dep, shell injection in Makefile
Low	7	Unused imports, style issues, wrong argparse description, missing PATCH method

Key Recommendations

1. Merge Dependabot PR Bump requests from 2.31.0 to 2.32.2 #6 (requests CVE-2024-35195) — open 15+ months
2. Upgrade Lambda runtime from python3.8 to python3.12
3. Migrate secrets from ZIP-bundled env.py to AWS Secrets Manager / SSM Parameter Store
4. Replace manual SigV4 signing with botocore.auth or aws-requests-auth
5. Fix broken test (references src.assets instead of src.example_func)
6. Add input validation to run.py's import_module call

Test plan

• Review FINDINGS.md for accuracy against codebase
• Verify CLAUDE.md architecture diagram matches actual code flow
• Confirm all file paths and line numbers in findings are correct
• Prioritize and create issues for Critical/High findings

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com