Skip to content

Secure Code Analysis #177

Secure Code Analysis

Secure Code Analysis #177

Workflow file for this run

name: Secure Code Analysis
on:
schedule:
- cron: '35 1 * * *'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
permissions:
contents: read
jobs:
tflint:
runs-on: '${{ matrix.os }}'
permissions:
actions: read
contents: read
security-events: write
strategy:
matrix:
os:
- ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
token: '${{ secrets.GITHUB_TOKEN }}'
fetch-depth: 0
- name: Cache plugin dir
uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
with:
path: ~/.tflint.d/plugins
key: '${{ matrix.os }}-tflint-${{ hashFiles(''.tflint.hcl'') }}'
- uses: terraform-linters/setup-tflint@ba6bb2989f94daf58a4cc6eac2c1ca7398a678bf # v3.0.0
name: Setup TFLint
with:
tflint_version: latest
- name: Init TFLint
run: tflint --init
- name: Run TFLint
run: tflint --disable-rule=terraform_unused_declarations --format sarif > tflint.sarif
- name: Upload SARIF file
if: success() || failure()
uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
with:
sarif_file: tflint.sarif
tfsec:
name: tfsec
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Clone repo
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
token: '${{ secrets.GITHUB_TOKEN }}'
fetch-depth: 0
- name: Run tfsec
uses: aquasecurity/tfsec-action@b466648d6e39e7c75324f25d83891162a721f2d6 # v1.0.3
with:
additional_args: '--format sarif --out tfsec.sarif --exclude aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits'
- name: Upload SARIF file
if: success() || failure()
uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
with:
sarif_file: tfsec.sarif
checkov:
name: checkov
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repo
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
token: '${{ secrets.GITHUB_TOKEN }}'
fetch-depth: 0
- name: Run Checkov action
id: checkov
uses: bridgecrewio/checkov-action@f5385a64e12c122a12ede78678ccf4e158f85867 # v12.2151.0
with:
directory: ./
framework: terraform
output_file_path: ./checkov.sarif
output_format: sarif
skip_check: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
- name: Upload SARIF file
if: success() || failure()
uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
with:
sarif_file: ./checkov.sarif