checkov.yaml
#
# Author: Hari Sekhon
# Date: Wed Jan 19 18:22:02 2022 +0000
#
# vim:ts=2:sts=2:sw=2:et
#
# https://github.com/HariSekhon/GitHub-Actions
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback
#
# https://www.linkedin.com/in/HariSekhon
#
# ============================================================================ #
# C h e c k o v G i t H u b W o r k f l o w
# ============================================================================ #
# Static analysis of Terraform code - publishes report to GitHub Security tab
# https://github.com/bridgecrewio/checkov-action
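---
name: Checkov
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - master
      - main
    paths-ignore:
      - '**/README.md'
  pull_request:
    branches:
      - master
      - main
    paths-ignore:
      - '**/README.md'
  # Reusable-workflow entry point: callers choose the Checkov framework and may
  # turn on debug logging. 'debug' is a string here but a boolean under
  # workflow_dispatch below; the env.DEBUG expression reconciles the two forms.
  workflow_call:
    inputs:
      framework:
        type: string
        default: all
        required: false
      debug:
        type: string
        required: false
        default: 'false'  # quoted so the default has the declared string type, not YAML boolean
  workflow_dispatch:
    inputs:
      debug:
        type: boolean
        required: false
        default: false
  schedule:
    - cron: '0 0 * * 1'  # weekly, Monday 00:00 UTC
# Least-privilege token: only security-events needs write, for the SARIF upload step
permissions:
  actions: read
  contents: read
  security-events: write
defaults:
  run:
    # -x echoes every command with its expanded arguments into the job log
    shell: bash -euxo pipefail {0}
env:
  # Non-empty when the debug input was set via either trigger form (boolean
  # from workflow_dispatch, string 'true' from workflow_call), else empty so
  # the '-n "$DEBUG"' test in the first step is false
  DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }}
jobs:
  checkov:
    name: Checkov Scan
    runs-on: ubuntu-latest
    # Skip any PR created by dependabot to avoid permission issues
    # github.event.repository.fork isn't available in scheduled workflows
    # can't prevent forks of this repo, because also prevents caller workflows
    if: github.actor != 'dependabot[bot]'
    steps:
      - name: Generate LOG_LEVEL environment variable
        run: |
          if [ -n "$DEBUG" ]; then
            echo "LOG_LEVEL=DEBUG" >> "$GITHUB_ENV"
          else
            echo "LOG_LEVEL=WARNING" >> "$GITHUB_ENV"
          fi
      - name: Environment
        # Prints the whole runner environment to the job log; make sure nothing
        # sensitive is exported into env by callers before relying on this
        run: env | sort
      - name: Set up Python 3.13
        # NOTE(review): v1 is an old major of setup-python — confirm it still
        # resolves 3.13.2, or move to a current major
        uses: actions/setup-python@v1
        with:
          python-version: '3.13.2'  # quoted: version strings must never be parsed as numbers
      - name: Git version
        run: git --version
      - uses: actions/checkout@v3
        with:
          submodules: recursive  # requires Git 2.18+ to be installed first
      - name: Checkov
        id: checkov
        # Supply-chain note: 'master' is a mutable ref, so the scanner code can
        # change between runs without any change to this workflow — pin to a
        # release tag or full commit SHA instead (e.g. @<release-tag-or-sha>)
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          #check: CKV_AWS_1  # optional: run only a specific check_id. can be comma separated list
          #skip_check: CKV_AWS_2  # optional: skip a specific check_id. can be comma separated list
          quiet: true  # optional: display only failed checks
          # With soft_fail the job stays green; findings are only visible via
          # the SARIF upload to the Security tab below
          soft_fail: true  # optional: do not return an error code if there are failed checks
          #framework: terraform  # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
          framework: ${{ inputs.framework }}
          output_format: sarif  # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
          compact: true  # avoids output length related errors like "An error occurred trying to start process '/home/runner/runners/2.294.0/externals/node12/bin/node' with working directory '/home/runner/work/terraform/terraform'. Argument list too long"
          # Fetches third-party module source at scan time from public git repos and the registry
          download_external_modules: true  # optional: download external terraform modules from public git repositories and terraform registry
          #log_level: DEBUG  # optional: set log level. Default WARNING
          log_level: ${{ env.LOG_LEVEL }}  # DEBUG or WARNING, set by the first step
          #config_file: path/this_file  # using .checkov.yaml at root of each repo by default
          #baseline: cloudformation/.checkov.baseline  # optional: Path to a generated baseline file. Will only report results not in the baseline.
          #container_user: 1000  # optional: Define what UID and / or what GID to run the container under to prevent permission issues
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: results.sarif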