Aws/securityhub Findings

@webframp/aws/securityhub-findings v2026.05.28.1 · 3d ago

README

Query and manage AWS Security Hub findings from a delegated administrator account. Leverages cross-region aggregation to cover the entire AWS Organization in a single API call.

Complements (does NOT duplicate) the upstream @swamp/aws/securityhub extension which manages Security Hub infrastructure (hubs, rules, policies, controls). This extension focuses on the findings operational lifecycle: query, triage, archive, resolve, and reopen.

Authentication

Uses the default AWS credential chain. Point at the delegated admin account (e.g. via AWS_PROFILE) to query findings across all member accounts.

Required IAM Permissions

  • securityhub:GetFindings (read)
  • securityhub:BatchUpdateFindings (write — for archive/resolve/reopen)

Usage

# Create model (pointed at delegated admin account)
AWS_PROFILE="jw-cd-security-tooling/ReadOnlyPlus" \
  swamp model create @webframp/aws/securityhub-findings sh-findings --global-arg region=us-east-1

# List all findings from last 24h
swamp model method run sh-findings list_findings --input startTime=24h

# List only HIGH severity GuardDuty findings
swamp model method run sh-findings list_findings --input productName=GuardDuty --input severityLabel=HIGH

# Get severity summary across org
swamp model method run sh-findings get_severity_summary --input startTime=7d

# Archive false positives
swamp model method run sh-findings archive_findings \
  --input 'findingArns=["arn:aws:securityhub:..."]' \
  --input 'note=Known EKS deployment pattern, suppressing'

# Resolve findings
swamp model method run sh-findings resolve_findings \
  --input 'findingArns=["arn:aws:securityhub:..."]' \
  --input 'note=Remediated by disabling public access'

Methods

  • list_findings - Query findings with filters for product, severity, account, time
  • get_finding_details - Get full ASFF details for specific finding ARNs
  • get_severity_summary - Aggregate findings by severity across all accounts
  • archive_findings - Suppress findings (false positive / expected behavior)
  • resolve_findings - Mark findings as resolved
  • reopen_findings - Reopen previously archived/resolved findings
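To make concrete what the Usage commands and the archive/resolve/reopen methods map onto at the API level, here is an added example in TypeScript. It is not the extension's own code: it builds the GetFindings `Filters` object and the BatchUpdateFindings request using the real Security Hub field names, but omits the SDK client so it runs offline. The names `parseWindow`, `buildFilters`, `buildWorkflowUpdate`, the `ListFindingsInput` shape and the relative-window format ("24h", "7d") mirrored from the README are assumptions; the `UpdatedBy` value is a constructed placeholder.

```typescript
// Added example (not the extension's own code): request shapes behind the
// README's list/archive/resolve/reopen operations, using real Security Hub
// API field names and no SDK dependency.

type StringFilter = { Value: string; Comparison: "EQUALS" };
type DateFilter = { Start: string; End: string };

interface FindingFilters {
  ProductName?: StringFilter[];
  SeverityLabel?: StringFilter[];
  AwsAccountId?: StringFilter[];
  UpdatedAt?: DateFilter[];
  RecordState?: StringFilter[];
  WorkflowStatus?: StringFilter[];
}

// Assumed input shape, mirroring the --input keys shown in the README.
interface ListFindingsInput {
  productName?: string;
  severityLabel?: string;
  accountId?: string;
  startTime?: string; // relative window such as "24h" or "7d"
}

/** Parse a relative window ("30m", "24h", "7d") into milliseconds. */
function parseWindow(win: string): number {
  const m = /^(\d+)([mhd])$/.exec(win.trim());
  if (!m) throw new Error(`unsupported time window: ${win}`);
  const unitMs: Record<string, number> = { m: 60000, h: 3600000, d: 86400000 };
  return Number(m[1]) * unitMs[m[2]];
}

const eq = (v: string): StringFilter => ({ Value: v, Comparison: "EQUALS" });

/** Build GetFindings Filters. Defaults to active findings still awaiting triage. */
function buildFilters(input: ListFindingsInput, now: Date = new Date()): FindingFilters {
  const f: FindingFilters = {
    RecordState: [eq("ACTIVE")],
    WorkflowStatus: [eq("NEW"), eq("NOTIFIED")],
  };
  if (input.productName) f.ProductName = [eq(input.productName)];
  if (input.severityLabel) f.SeverityLabel = [eq(input.severityLabel.toUpperCase())];
  if (input.accountId) f.AwsAccountId = [eq(input.accountId)];
  if (input.startTime) {
    const start = new Date(now.getTime() - parseWindow(input.startTime));
    f.UpdatedAt = [{ Start: start.toISOString(), End: now.toISOString() }];
  }
  return f;
}

type WorkflowStatus = "NEW" | "NOTIFIED" | "RESOLVED" | "SUPPRESSED";

// Security Hub identifies a finding by (Id, ProductArn); these are assumed to
// come from a prior GetFindings response rather than parsed out of an ARN.
interface FindingIdentifier { Id: string; ProductArn: string }

interface BatchUpdateFindingsRequest {
  FindingIdentifiers: FindingIdentifier[];
  Workflow: { Status: WorkflowStatus };
  Note: { Text: string; UpdatedBy: string };
}

/**
 * Build the BatchUpdateFindings request(s) for archive/resolve/reopen.
 * A note is required (audit trail), and the API accepts at most 100
 * identifiers per call, so larger sets are split into batches.
 */
function buildWorkflowUpdate(
  action: "archive" | "resolve" | "reopen",
  findings: FindingIdentifier[],
  note: string,
  updatedBy: string,
): BatchUpdateFindingsRequest[] {
  if (!note.trim()) throw new Error("a note is required for the audit trail");
  if (findings.length === 0) throw new Error("no findings given");
  const statusFor: Record<typeof action, WorkflowStatus> = {
    archive: "SUPPRESSED", resolve: "RESOLVED", reopen: "NEW",
  };
  const batches: BatchUpdateFindingsRequest[] = [];
  for (let i = 0; i < findings.length; i += 100) {
    batches.push({
      FindingIdentifiers: findings.slice(i, i + 100),
      Workflow: { Status: statusFor[action] },
      Note: { Text: note, UpdatedBy: updatedBy },
    });
  }
  return batches;
}
```

The default `WorkflowStatus` filter (NEW and NOTIFIED) is the choice that keeps already-suppressed or resolved findings out of a triage list; drop it to audit the full history of a product. Because `buildWorkflowUpdate` refuses an empty note, every status change carries a reason, which is what makes a later `reopen_findings` review possible.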
Models (1)

@webframp/aws/securityhub-findings v2026.05.28.1 (aws/securityhub_findings.ts)
fn list_findings()
List Security Hub findings with filters for product, severity, account, and time window
fn get_finding_details()
Get full ASFF details for specific findings by ARN
fn get_severity_summary()
Aggregate findings by severity across all accounts in the organization
fn archive_findings()
Suppress findings (mark as false positive or expected behavior). Sets Workflow.Status to SUPPRESSED with a required note.
fn resolve_findings()
Mark findings as resolved. Sets Workflow.Status to RESOLVED with a required note.
fn reopen_findings()
Reopen previously archived or resolved findings. Sets Workflow.Status to NEW with a required note.
fn list_findings_by_type()
List findings grouped by finding type with severity breakdown per group
fn diff_findings()
Compare current findings with the previous run to identify new and resolved findings
fn resolve_accounts()
Fetch AWS Organizations account list to map account IDs to friendly names
fn list_all_findings()
Paginated full export of findings (up to 500). Fetches multiple pages internally.
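The `list_all_findings` and `diff_findings` methods above describe a capped, paginated export and a comparison against the previous run. The following added TypeScript example (not the extension's own implementation) shows one way both can work: `NextToken` pagination stopped at a cap, and a diff keyed on the (Id, ProductArn) pair that uniquely identifies a finding. The client is injected as a function returning pages so the example runs offline against a constructed fake; with the AWS SDK that function would wrap `GetFindingsCommand` and be awaited. The names `exportFindings`, `diffFindings`, `fakeClient`, `demoDiff` and the sample data are all constructed for the example.

```typescript
// Added example, not the extension's own code: capped pagination over
// GetFindings pages and a diff against the previous run's snapshot.

interface Finding {
  Id: string;
  ProductArn: string;
  Title: string;
  Severity: { Label: string };
}
interface GetFindingsPage { Findings: Finding[]; NextToken?: string }
// Page fetcher; returned synchronously here so the example runs offline.
type GetFindingsFn = (params: { MaxResults: number; NextToken?: string }) => GetFindingsPage;

/** Follow NextToken until the API is exhausted or `cap` findings are collected. */
function exportFindings(getFindings: GetFindingsFn, cap = 500, pageSize = 100): Finding[] {
  const out: Finding[] = [];
  let token: string | undefined;
  do {
    // GetFindings allows at most 100 results per call; never ask for more than we need.
    const want = Math.min(pageSize, cap - out.length);
    const page = getFindings({ MaxResults: want, NextToken: token });
    out.push(...page.Findings);
    token = page.NextToken;
  } while (token !== undefined && out.length < cap);
  return out.slice(0, cap);
}

/** Findings are keyed by (Id, ProductArn), the same pair BatchUpdateFindings uses. */
const key = (f: Pick<Finding, "Id" | "ProductArn">) => `${f.ProductArn}|${f.Id}`;

interface FindingDiff { added: Finding[]; resolved: Finding[]; unchanged: number }

/** New findings are in `current` but not `previous`; resolved ones the reverse. */
function diffFindings(previous: Finding[], current: Finding[]): FindingDiff {
  const prev = new Set(previous.map(key));
  const cur = new Set(current.map(key));
  const added = current.filter((f) => !prev.has(key(f)));
  const resolved = previous.filter((f) => !cur.has(key(f)));
  return { added, resolved, unchanged: current.length - added.length };
}

// Constructed sample data: 230 findings, to exercise multi-page fetches.
const PRODUCT_ARN = "arn:aws:securityhub:us-east-1::product/aws/guardduty";
const SAMPLE: Finding[] = Array.from({ length: 230 }, (_, i) => ({
  Id: `finding-${i}`,
  ProductArn: PRODUCT_ARN,
  Title: `Sample finding ${i}`,
  Severity: { Label: i % 10 === 0 ? "HIGH" : "LOW" },
}));

/** Fake client: serves `data` in pages, using the offset as the NextToken. */
function fakeClient(data: Finding[]): GetFindingsFn {
  return ({ MaxResults, NextToken }) => {
    const start = NextToken ? Number(NextToken) : 0;
    const end = Math.min(start + MaxResults, data.length);
    return { Findings: data.slice(start, end), NextToken: end < data.length ? String(end) : undefined };
  };
}

/** Previous run lacked the first 10 findings and had 3 that have since gone away. */
function demoDiff(): FindingDiff {
  const gone: Finding[] = [0, 1, 2].map((i) => ({
    Id: `old-${i}`, ProductArn: PRODUCT_ARN, Title: `Old finding ${i}`, Severity: { Label: "LOW" },
  }));
  const previous = [...SAMPLE.slice(10), ...gone];
  const current = exportFindings(fakeClient(SAMPLE), 500);
  return diffFindings(previous, current);
}
```

Keying the diff on (Id, ProductArn) rather than on title or ARN text avoids double counting when two products report the same resource, and the cap keeps a cross-region aggregated query from paging through an unbounded backlog; raise it deliberately when doing a full export rather than a triage pass.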

Resources

finding_list (30m) — List of Security Hub finding summaries
finding_details (1h) — Full ASFF finding details
severity_summary (30m) — Severity aggregation across accounts
update_result (1h) — Result of a findings workflow status update
findings_by_type (30m) — Findings grouped by finding type
diff_findings (1h) — New and resolved findings since last run
account_map (24h) — AWS Organizations account ID to name mapping
full_export (1h) — Paginated full findings export
Workflows (1)

@webframp/securityhub-triage (74349b0e-bd34-4ffa-ad2f-b5b1c0baad6a)

On-demand Security Hub findings triage workflow. Collects severity summary, critical/high findings, and diff since last run from a single Security Hub delegated admin model instance.

Usage:

AWS_PROFILE="jw-cd-security-tooling/ReadOnlyPlus" \
  swamp workflow run securityhub-triage --input modelName=sh-findings

# Custom time window:
AWS_PROFILE="jw-cd-security-tooling/ReadOnlyPlus" \
  swamp workflow run securityhub-triage --input modelName=sh-findings --input startTime=7d

collect: Collect findings data from Security Hub

1. severity_summary: ${{ inputs.modelName }}.get_severity_summary — Get severity counts across all accounts
2. critical_findings: ${{ inputs.modelName }}.list_findings — List CRITICAL severity findings
3. high_findings: ${{ inputs.modelName }}.list_findings — List HIGH severity findings
4. diff_findings: ${{ inputs.modelName }}.diff_findings — Identify new and resolved findings since last run
5. by_type: ${{ inputs.modelName }}.list_findings_by_type — Group findings by type for pattern analysis
Reports (1)

@webframp/securityhub-triage-report (workflow)
security_findings_triage.ts

Aggregates Security Hub triage workflow data into an actionable summary

security · triage · findings
Previous Versions (3)

2026.05.27.4 (May 27, 2026)

Added 1 workflow. Added 1 report.

2026.05.27.2 (May 27, 2026)

Modified 1 model.

2026.05.27.1 (May 27, 2026)

Stats

Score: A (100 / 100)
Downloads: 3
Archive size: 410.7 KB
  • Has README or module doc (2/2 earned)
  • README has a code example (1/1 earned)
  • README is substantive (1/1 earned)
  • Most symbols documented (1/1 earned)
  • No slow types (1/1 earned)
  • Dependencies pass trust audit (2/2 earned)
  • Has description (1/1 earned)
  • Platform support declared (or universal) (2/2 earned)
  • License declared (1/1 earned)
  • Verified public repository (2/2 earned)
Platforms

Labels