Skip to content

Bump actions/checkout from 4.2.0 to 4.2.1 #73

Bump actions/checkout from 4.2.0 to 4.2.1

Bump actions/checkout from 4.2.0 to 4.2.1 #73

name: Terraform Static Code Analysis
on:
workflow_dispatch:
pull_request:
branches:
- main
paths:
- '**.tf'
- '.github/workflows/terraform-static-analysis.yml'
permissions:
contents: read
jobs:
terraform-static-analysis:
permissions:
pull-requests: write
name: Terraform Static Analysis
runs-on: ubuntu-latest
if: github.event_name != 'workflow_dispatch'
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@63d84d475bc20877f741d768dd9c2d89af51170d # v18.2.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: changed
trivy_severity: HIGH,CRITICAL
trivy_ignore: ./.trivyignore.yaml
checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
tflint_exclude: terraform_unused_declarations
tflint_call_module_type: none
tfsec_trivy: trivy
terraform-static-analysis-full-scan:
permissions:
contents: read
actions: read
security-events: write
pull-requests: write
name: Terraform Static Analysis - scan all directories
runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch'
steps:
- name: Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@63d84d475bc20877f741d768dd9c2d89af51170d # v18.2.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: full
tfsec_trivy: trivy
trivy_skip_dir: ""
trivy_severity: HIGH,CRITICAL
trivy_ignore: ./.trivyignore.yaml
tfsec_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
tflint_exclude: terraform_unused_declarations
tflint_call_module_type: none