forked from AErmie/DevSecOps
-
Notifications
You must be signed in to change notification settings - Fork 0
62 lines (56 loc) · 2.92 KB
/
bridgecrew-checkov-workflow.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
name: INFRA - IaC - BridgeCrew Checkov
on:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
checkov:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run Checkov IaC Scanner
id: checkov
uses: bridgecrewio/checkov-action@master
with:
directory: ./terraform/azure
# check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
# skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
quiet: true # optional: display only failed checks
soft_fail: false # optional: do not return an error code if there are failed checks
framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
output_format: cli # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
log_level: WARNING # optional: set log level. Default WARNING
# config_file: path/this_file
# baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline.
# container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
env:
GITHUB_REPOSITORY: ${{ github.repository }}
GITHUB_REF: ${{ github.ref }}
GITHUB_SHA: ${{ github.sha }}
#GITHUB_SERVER_URL: $GITHUB_SERVER_URL
- name: Generate SARIF Report
uses: bridgecrewio/checkov-action@master
if: ${{ success() || failure() }}
with:
directory: ./terraform/azure
quiet: true # optional: display only failed checks
soft_fail: false # optional: do not return an error code if there are failed checks
framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
log_level: WARNING # optional: set log level. Default WARNING
env:
GITHUB_REPOSITORY: ${{ github.repository }}
GITHUB_REF: ${{ github.ref }}
GITHUB_SHA: ${{ github.sha }}
- name: Publish Workflow Artifact
if: ${{ always() }}
uses: actions/upload-artifact@v2
with:
name: SARIF results
path: results.sarif
- name: Upload Checkov scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
if: ${{ always() }}
with:
sarif_file: results.sarif