# Full-repository security review pilot (worksheet)

Use alongside [AWS Security Agent: full repository code review](https://www.factualminds.com/blog/aws-security-agent-full-repository-code-review/) after you enable the capability in the AWS Security Agent console. Treat this as a governance and exit-criteria checklist—not a substitute for [CI/CD threat modeling](/blog/aws-cicd-appsec-pipeline-threat-model/).

## Before you connect a repo

- [ ] **Legal / IP** — Repo owner signed off on uploading or analyzing code under your org’s acceptable-use and vendor-DPA terms.
- [ ] **Secrets hygiene** — `.env` files, keys, and private URLs scrubbed or excluded from the analysis scope; check git history as well as the working tree, since a secret deleted from the tree is still readable in history. See [GitHub Actions CI/CD security](/blog/github-actions-aws-cicd-security-best-practices/).
- [ ] **Scope** — Single service or bounded monorepo slice for the pilot (not “every line of every product” on day one).
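A pre-connect check for the secrets-hygiene item above, as an added example that is not part of the worksheet or of AWS Security Agent tooling: it walks a checkout, flags files to scrub or exclude before the repo is connected, and emits an exclusion list you can reuse when defining the analysis scope. The filename patterns, content markers and the sample tree are assumptions constructed for the demo; extend the patterns for your org.

```python
"""Pre-connect scope check (added example, not AWS Security Agent tooling).

Walks a checkout, flags files that should be scrubbed or excluded before the
repo is connected, and emits an exclusion list. Name patterns and content
markers below are assumptions; extend them for your org.
"""
import re
import tempfile
from pathlib import Path

# Filenames that almost always carry secrets (assumed list).
SENSITIVE_NAMES = re.compile(
    r"^(\.env(\..+)?|.*\.(pem|key|p12|pfx)|id_(rsa|ed25519|ecdsa))$"
)
# Content markers: key blocks, AWS access key IDs, internal hostnames (assumed).
CONTENT_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"),
    "internal_url": re.compile(r"https?://[\w.-]*\.(internal|corp|local)\b", re.I),
}
SKIP_DIRS = {".git", "node_modules", ".venv"}


def scan_repo(root):
    """Return (relative_path, reason) pairs for files to scrub or exclude."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel_parts = path.relative_to(root).parts
        if any(part in SKIP_DIRS for part in rel_parts) or not path.is_file():
            continue
        rel = "/".join(rel_parts)
        if SENSITIVE_NAMES.match(path.name):
            findings.append((rel, "sensitive_filename"))
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for label, pattern in CONTENT_PATTERNS.items():
            if pattern.search(text):
                findings.append((rel, label))
    return findings


def exclusion_list(findings):
    """Distinct paths to remove from the analysis scope."""
    return sorted({rel for rel, _ in findings})


def build_sample_repo():
    """Constructed sample checkout for the demo; nothing here is a real secret."""
    root = Path(tempfile.mkdtemp())
    (root / "src").mkdir()
    (root / "deploy").mkdir()
    (root / "src" / "app.py").write_text("print('hello')\n")
    (root / ".env").write_text("DB_PASSWORD=hunter2\n")
    (root / "deploy" / "server.pem").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEexample\n-----END RSA PRIVATE KEY-----\n"
    )
    (root / "src" / "config.py").write_text(
        'ENDPOINT = "https://metrics.corp.internal/api"\n'
        'ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation example ID\n'
    )
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel, reason in scan_repo(repo):
        print(f"{reason:20} {rel}")
    print("exclude:", exclusion_list(scan_repo(repo)))
```

Run it against the real checkout instead of `build_sample_repo()` and treat every hit as a blocker: either scrub the file (and its history) or carry its path into the scope exclusion you configure before connecting.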

## Pilot design

- [ ] **Baseline** — Document current SAST and dependency-scanning coverage ([vulnerability management](/blog/aws-vulnerability-management-program-cvss-kev-prioritization/), [Inspector posture](/blog/amazon-inspector-v2-container-lambda/)) so you can tell genuinely *new*, systemic findings apart from issues your existing scanners already report.
- [ ] **Owner** — App sec or platform engineering triage lead with authority to file tickets and request architecture changes.
- [ ] **SLA** — Time box: e.g. review top N findings within 2 weeks; escalate cross-cutting issues to [architecture review](/services/aws-architecture-review/) backlog.

## Exit criteria (pilot success)

- [ ] Every **critical** finding has an owner, due date, and link to remediation (code or config).
- [ ] **False positive** rate sampled on a random 10% subset; tuning rules or feedback loop documented.
- [ ] **IAM and trust boundaries** from findings reconciled with [IAM least privilege](/blog/aws-iam-best-practices-least-privilege-access-control/) baselines.
- [ ] Outcome brief shared with security + engineering leads; decision to expand, narrow, or defer documented.
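One way to run the false-positive sampling in the exit criteria, as an added example that is not part of the worksheet: draw a reproducible random subset of finding IDs for manual triage and report the observed false-positive rate with a 95% Wilson interval, so a small pilot does not over-read a "10%" sample (10% of 40 findings is 4 items, hence the `minimum`). The finding IDs, verdicts, seed and minimum are constructed assumptions for the demo.

```python
"""False-positive sampling for the pilot exit criteria (added example, not
AWS Security Agent tooling). Reproducible random subset plus a Wilson score
interval on the observed false-positive rate. Sample data is constructed.
"""
import math
import random


def sample_findings(finding_ids, fraction=0.10, minimum=10, seed=2024):
    """Reproducible random subset; `minimum` keeps tiny pilots from sampling 3 items.
    Assumed defaults: 10% of findings, at least 10, fixed seed for repeatability."""
    ids = sorted(set(finding_ids))
    n = min(len(ids), max(minimum, math.ceil(len(ids) * fraction)))
    return random.Random(seed).sample(ids, n)


def false_positive_rate(verdicts, z=1.96):
    """verdicts: {finding_id: True if triaged as a false positive}.
    Returns (rate, lower, upper) using a Wilson score interval (z=1.96 -> 95%)."""
    n = len(verdicts)
    if n == 0:
        raise ValueError("no triaged findings")
    p = sum(1 for is_fp in verdicts.values() if is_fp) / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return p, max(0.0, centre - half), min(1.0, centre + half)


if __name__ == "__main__":
    # Constructed: 200 findings, of which every fifth one is a false positive.
    ids = [f"F-{i:04d}" for i in range(200)]
    subset = sample_findings(ids)  # 20 IDs, identical on every run
    verdicts = {fid: int(fid[2:]) % 5 == 0 for fid in subset}
    rate, lo, hi = false_positive_rate(verdicts)
    print(f"sampled {len(subset)} of {len(ids)}; "
          f"FP rate {rate:.2f} (95% interval {lo:.2f}-{hi:.2f})")
```

Record the seed and the sampled IDs in the outcome brief; the interval is what tells you whether a measured rate is evidence of a tuning problem or just noise from a small sample.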

## Integration hooks

- [ ] Findings that represent policy violations feed [Security Hub](/blog/how-to-set-up-aws-security-hub-compliance-monitoring/) or your existing aggregator.
- [ ] Recurring classes of issues mapped to [proactive remediation](/blog/from-reactive-to-proactive-automating-aws-security-remediation/) runbooks where applicable.
