terraform-static-analysis.yml

name: Terraform Static Code Analysis

on:
  workflow_dispatch:
  pull_request:
    branches:
      - main
    paths:
      - '**.tf'
      - '.github/workflows/terraform-static-analysis.yml'

permissions:
  contents: read

jobs:
  terraform-static-analysis:
    permissions:
      pull-requests: write
    name: Terraform Static Analysis
    runs-on: ubuntu-latest
    if: github.event_name != 'workflow_dispatch'
    steps:
    - name: Checkout
      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
      with:
        fetch-depth: 0
    - name: Run Analysis
      uses: ministryofjustice/github-actions/terraform-static-analysis@7c689fe2de15e1692f5cceceb132919ab854081c # v14
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        scan_type: single
        tfsec_exclude: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group
        checkov_exclude: CKV_GIT_1

  terraform-static-analysis-full-scan:
    permissions:
      pull-requests: write
    name: Terraform Static Analysis - scan all directories
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch'
    steps:
    - name: Checkout
      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
      with:
        fetch-depth: 0
    - name: Run Analysis
      uses: ministryofjustice/github-actions/terraform-static-analysis@7c689fe2de15e1692f5cceceb132919ab854081c # v14
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        scan_type: full
        tfsec_exclude: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group
        checkov_exclude: CKV_GIT_1