Merge pull request #19 from ministryofjustice/feature/security-improv…
…ements

GitHub Actions security improvements
dms1981 authored Nov 28, 2022
2 parents caa3b1f + 5c62c60 commit ac27b7a
Showing 2 changed files with 18 additions and 36 deletions.
9 changes: 7 additions & 2 deletions .github/workflows/format-code.yml
@@ -1,14 +1,19 @@
name: "Format Code: ensure code formatting guidelines are met"
on:
pull_request:
types: [opened, edited, reopened, synchronize]

permissions: {}

jobs:
format-code:
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
- uses: ministryofjustice/github-actions/code-formatter@d75b4f388fca7537704ddd69c431258518e774e4 # v7
- uses: ministryofjustice/github-actions/code-formatter@bffeddf62d99a7486979d9c3afff86913a9abe1a # v8
with:
ignore-files: "README.md"
ignore-files: "README.md"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
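Review bot: The job-level `contents: write` under `format-code.permissions` is granted on a `pull_request` trigger without a comment saying why a formatting check needs a write token; presumably the code-formatter pushes fixes back to the PR branch, but a reader should not have to guess. I would add above it `# write: the formatter commits formatting fixes back to the PR branch` (adjust if that is not what the action does). Note that for pull requests opened from forks GITHUB_TOKEN is read-only regardless of this setting, so the write-back cannot happen there and the job should be expected to fail or no-op on fork PRs. The `edited` entry in `types` also re-runs the job with the write token whenever only the PR title or description changes, which seems unnecessary unless the action reads those fields. The SHA pins with `# v3.1.0` / `# v8` comments are good, but they only stay current if Dependabot's `github-actions` ecosystem (or an equivalent) is configured for this repository, which this change does not show.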
45 changes: 11 additions & 34 deletions .github/workflows/terraform-static-analysis.yml
@@ -1,9 +1,6 @@
name: Terraform Static Code Analysis

on:
schedule:
# * is a special character in YAML so you have to quote this string
- cron: '0 7 * * 1-5'
workflow_dispatch:
pull_request:
branches:
Expand All @@ -12,18 +9,23 @@ on:
- '**.tf'
- '.github/workflows/terraform-static-analysis.yml'

permissions:
contents: read

jobs:
terraform-static-analysis:
permissions:
pull-requests: write
name: Terraform Static Analysis
runs-on: ubuntu-latest
if: github.event_name != 'workflow_dispatch' && github.event_name != 'schedule'
if: github.event_name != 'workflow_dispatch'
steps:
- name: Checkout
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@main
uses: ministryofjustice/github-actions/terraform-static-analysis@bffeddf62d99a7486979d9c3afff86913a9abe1a # v8
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
Expand All @@ -32,6 +34,8 @@ jobs:
checkov_exclude: CKV_GIT_1

terraform-static-analysis-full-scan:
permissions:
pull-requests: write
name: Terraform Static Analysis - scan all directories
runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch'
Expand All @@ -41,37 +45,10 @@ jobs:
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@main
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: full
tfsec_exclude: AWS089, AWS099, AWS009
checkov_exclude: CKV_GIT_1, CKV_AWS_23, CKV_AWS_261, CKV_AWS_150

terraform-static-analysis-scheduled-scan:
name: Terraform Static Analysis - scheduled scan of all directories
runs-on: ubuntu-latest
if: github.event_name == 'schedule'
steps:
- name: Checkout
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@main
uses: ministryofjustice/github-actions/terraform-static-analysis@bffeddf62d99a7486979d9c3afff86913a9abe1a # v8
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: full
tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
checkov_exclude: CKV_GIT_1, CKV_AWS_23, CKV_AWS_261, CKV_AWS_150
- uses: 8398a7/action-slack@a189acbf0b7ea434558662ae25a0de71df69a435 # v3.14.0
name: Slack failure notification
with:
job_name: Terraform Static Analysis - scheduled scan of all directories
status: ${{ job.status }}
fields: workflow,job,repo,commit,message
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
if: ${{ failure() }}
checkov_exclude: CKV_GIT_1
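Review bot: The workflow-level `contents: read` added above `jobs:` does not reach the two jobs, because a job-level `permissions:` block replaces the workflow-level one rather than merging with it, so `terraform-static-analysis` and `terraform-static-analysis-full-scan` end up with `pull-requests: write` only and no `contents` access. actions/checkout still succeeds on a public repository in that state, but it would fail on a private one and relying on that is fragile; repeat `contents: read` alongside `pull-requests: write` in both job blocks. Separately, as far as the last hunk can be reconstructed from this rendering, the full-scan job's `tfsec_exclude` now carries `AWS089, AWS099, AWS009, AWS097, AWS018` (previously without AWS097 and AWS018) while its `checkov_exclude` shrinks to `CKV_GIT_1`; if widening the tfsec suppression list was not intended it is worth checking, and either way a short comment per excluded rule stating why it is suppressed would help future reviewers. The full-scan job only runs on `workflow_dispatch`, where there is no pull request to comment on, so its `pull-requests: write` may be unnecessary — confirm against what the action does in that mode.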
