1919 required : false
2020 checkov_output_quiet :
2121 description : Checkov output to display only failures
22- type : string
22+ type : boolean
2323 default : true
2424 required : false
2525 checkov_download_external_modules :
@@ -90,41 +90,41 @@ jobs:
9090 - ${{ inputs.runner_label }}
9191 steps :
9292 - name : Checkout
93- uses : actions/checkout@v3
93+ uses : actions/checkout@v4
9494 with :
9595 fetch-depth : 1
9696 submodules : ${{ inputs.enable_submodules }}
9797
98- - uses : actions/setup-python@v4
98+ - uses : actions/setup-python@v5
9999 with :
100100 python-version : ' 3.11'
101101
102102 - run : mkdir -p "${TF_PLUGIN_CACHE_DIR}"
103103 - name : Cache Terraform
104- uses : actions/cache@v3
104+ uses : actions/cache@v4
105105 with :
106106 path : ${{ env.TF_PLUGIN_CACHE_DIR }}
107107 key : ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
108108 - name : Cache TFLint plugin dir
109- uses : actions/cache@v3
109+ uses : actions/cache@v4
110110 with :
111111 path : ~/.tflint.d/plugins
112112 key : ${{ runner.os }}-tflint-${{ hashFiles('**/.tflint.hcl') }}
113113
114114 - name : Setup Node only for self-hosted runners
115- uses : actions/setup-node@v3
115+ uses : actions/setup-node@v4
116116 if : ${{ inputs.default_runner_override_label == 'self-hosted' }}
117117 with :
118118 node-version : 18
119119
120120 - name : Setup Terraform
121- uses : hashicorp/setup-terraform@v2
121+ uses : hashicorp/setup-terraform@v3
122122 with :
123123 terraform_version : latest
124124 cli_config_credentials_token : ${{ secrets.TFE_TOKEN }}
125125
126126 - name : Setup Helm
127- uses : azure/setup-helm@v3
127+ uses : azure/setup-helm@v4
128128 with :
129129 version : ' latest'
130130 token : ${{ secrets.GITHUB_TOKEN }}
@@ -172,7 +172,7 @@ jobs:
172172name : precommit run tflint hooks
173173 id : precommit_run_hooks_all
174174 if : inputs.pre_commit_run_all
175- uses : pre-commit/action@v3.0.0
175+ uses : pre-commit/action@v3.0.1
176176 env :
177177 SKIP : ${{ steps.precommit_skips.outputs.skips }}
178178 with :
@@ -188,48 +188,47 @@ jobs:
188188 - ${{ inputs.runner_label }}
189189 steps :
190190 - name : Checkout
191- uses : actions/checkout@v3
191+ uses : actions/checkout@v4
192192 with :
193193 fetch-depth : 1
194194 submodules : ${{ inputs.enable_submodules }}
195195
196- - uses : actions/setup-python@v4
196+ - uses : actions/setup-python@v5
197197 with :
198198 python-version : ' 3.11'
199199
200200 - run : mkdir -p "${TF_PLUGIN_CACHE_DIR}"
201201 - name : Cache Terraform
202- uses : actions/cache@v3
202+ uses : actions/cache@v4
203203 with :
204204 path : ${{ env.TF_PLUGIN_CACHE_DIR }}
205205 key : ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
206206
207207 - name : Setup Terraform
208- uses : hashicorp/setup-terraform@v2
208+ uses : hashicorp/setup-terraform@v3
209209 with :
210210 terraform_version : latest
211211 cli_config_credentials_token : ${{ secrets.TFE_TOKEN }}
212212
213213 - name : Setup Helm
214- uses : azure/setup-helm@v3
214+ uses : azure/setup-helm@v4
215215 with :
216216 version : ' latest'
217- token : ${{ secrets.GITHUB_TOKEN }}
218217
219218 - name : Cache TFlint
220- uses : actions/cache@v3
219+ uses : actions/cache@v4
221220 with :
222221 path : /home/runner/.tflint.d/plugins
223222 key : ${{ runner.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
224223
225224 - name : Setup TFLint
226- uses : terraform-linters/setup-tflint@v2
225+ uses : terraform-linters/setup-tflint@v4
227226 with :
228- tflint_version : " v0.47.0 "
227+ tflint_version : " v0.50.3 "
229228 github_token : ${{ secrets.GITHUB_TOKEN }}
230229
231230 - name : Setup Node only for self-hosted runners
232- uses : actions/setup-node@v3
231+ uses : actions/setup-node@v4
233232 if : ${{ inputs.default_runner_override_label == 'self-hosted' }}
234233 with :
235234 node-version : 19
@@ -241,7 +240,7 @@ jobs:
241240 run : echo "PY=$(python -VV | sha256sum | cut -d' ' -f1)" >> "$GITHUB_ENV"
242241
243242 - name : Cache Pre-commit
244- uses : actions/cache@v3
243+ uses : actions/cache@v4
245244 with :
246245 path : ~/.cache/pre-commit
247246 key : pre-commit|${{ env.PY }}|${{ hashFiles('.pre-commit-config.yaml') }}
@@ -288,7 +287,7 @@ jobs:
288287name : precommit run tflint hooks
289288 id : precommit_run_hooks_all
290289 if : inputs.pre_commit_run_all
291- uses : pre-commit/action@v3.0.0
290+ uses : pre-commit/action@v3.0.1
292291 continue-on-error : true
293292 env :
294293 SKIP : ${{ steps.precommit_skips.outputs.skips }}
@@ -317,13 +316,13 @@ jobs:
317316 - ${{ inputs.runner_label }}
318317 steps :
319318 - name : Checkout
320- uses : actions/checkout@v3
319+ uses : actions/checkout@v4
321320 with :
322321 fetch-depth : 1
323322 submodules : ${{ inputs.enable_submodules }}
324323
325324 - name : Run Trivy vulnerability scanner in IaC mode
326- uses : aquasecurity/trivy-action@0.12 .0
325+ uses : aquasecurity/trivy-action@0.19 .0
327326 with :
328327 scan-type : ' config'
329328 hide-progress : false
@@ -340,18 +339,29 @@ jobs:
340339 sed -i 's#git::https:/##g' trivy-results.sarif
341340
342341name : Upload Trivy scan results to GitHub Security tab
343- uses : github/codeql-action/upload-sarif@v2
342+ uses : github/codeql-action/upload-sarif@v3
344343 with :
345344 sarif_file : ' trivy-results.sarif'
346345 # if: inputs.upload_sarif == true
347346
347+ - name : Get changed files
348+ id : changed-files
349+ uses : tj-actions/changed-files@v44
350+
348351 - name : Run Checkov action
349352 id : checkov
350353 uses : bridgecrewio/checkov-action@master
351354 with :
352355 output_format : sarif
353356 quiet : ${{ inputs.checkov_output_quiet }}
357+ file : ${{ steps.changed-files.outputs.all_changed_files }}
354358 skip_check : ${{ inputs.checkov_skip_check }}
355359 download_external_modules : ${{ inputs.checkov_download_external_modules }}
356360 skip_path : ${{inputs.checkov_skip_path}}
357361 skip_framework : ${{inputs.checkov_skip_framework}}
362+
363+ - name : Upload Checkov scan results to GitHub Security tab
364+ if : inputs.upload_sarif == true
365+ uses : github/codeql-action/upload-sarif@v3
366+ with :
367+ sarif_file : ' results.sarif'
0 commit comments