This repository contains reusable GitHub Actions workflow files.
This is a reusable workflow for SAST scanning of source code and artifacts with Checkov. It is a mandatory requirement for all Core Cloud repositories. If you require implementation assistance or have any additional questions, please reach out to Team Sauron.
There are two Checkov reusable workflow files that your workflow can call. NOTE: the descriptions below are for informational purposes only.
- checkov-scan-base.yaml - For scanning compatible source code at rest.
- checkov-scan-tfplan.yaml - Only to be used for scanning Terraform plan files.
The simplest config to use is:

```yaml
name: Checkov SAST Scan
on:
  workflow_call:
permissions:
  contents: read
  id-token: write
  actions: read
  security-events: write
jobs:
  checkov-scan:
    uses: UKHomeOffice/core-cloud-workflow-checkov-sast-scan/.github/workflows/checkov-scan-base.yaml@1.0.0
```
Add the above config as a workflow file in your repository at .github/workflows/checkov-scan-tfplan.yaml (GitHub only picks up workflows from the .github/workflows directory), or build it into your own workflow logic if your setup is more complex. To scan Terraform plan files as well as source code, use:
```yaml
name: "Checkov SAST Scan for Terraform .tfplan files as well as source code"
on:
  workflow_dispatch:
  push:
    branches:
      - '*'
    paths:
      - ./**
  pull_request:
    branches:
      - main
    types:
      - opened
      - synchronize
    paths:
      - ./**
permissions:
  contents: read
  id-token: write
  actions: read
  security-events: write
jobs:
  sast-checkov-scan-plan:
    uses: UKHomeOffice/core-cloud-workflow-checkov-sast-scan/.github/workflows/checkov-scan-tfplan.yaml@1.0.0
    with:
      # Optional inputs depending on code structure
      path: 'e.g. terraform/environment/sandbox-ops-tooling'
      env_name: 'e.g. sandbox-ops-tooling'
      plan_role: '<role with permissions for generating a plan>'
    # GitHub secret containing the AWS Account ID.
    secrets:
      account_id: ${{ secrets.corecloud_sandbox_ops_tooling_account_id }}  # e.g.; substitute your own secret name
```
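Both caller configs above depend on two things being right for the scan to run and its results to land in code scanning: the `uses:` reference must be pinned to a fixed version of this reusable workflow (a tag or, stronger still, a commit SHA rather than a branch), and the four permissions listed must actually be granted. The following is an added example, not code from this repository or its workflows: a small Python check you can run over a caller workflow file before committing it. The sample text is a constructed copy of the minimal caller above, and the function names, the tag/branch/SHA classification rule and the required-permissions table are the example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: a copy of the README's minimal caller workflow.
SAMPLE_CALLER = """\
name: Checkov SAST Scan
on:
  workflow_call:
permissions:
  contents: read
  id-token: write
  actions: read
  security-events: write
jobs:
  checkov-scan:
    uses: UKHomeOffice/core-cloud-workflow-checkov-sast-scan/.github/workflows/checkov-scan-base.yaml@1.0.0
"""

# Permissions the README says a caller must grant (assumed minimum, taken from the configs above).
REQUIRED_PERMISSIONS = {
    "contents": "read",
    "id-token": "write",
    "actions": "read",
    "security-events": "write",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<target>[^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEMVER_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")
PERM_LINE_RE = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\s*$")


def classify_ref(target: str) -> str:
    """Classify how a `uses:` target is pinned: local, unpinned, sha, tag or branch.
    A 40-hex ref is treated as an immutable SHA; a version-looking ref as a tag;
    anything else (e.g. `@main`) as a floating branch."""
    if target.startswith("./"):
        return "local"
    if "@" not in target:
        return "unpinned"
    ref = target.rsplit("@", 1)[1]
    if SHA_RE.match(ref):
        return "sha"
    if SEMVER_RE.match(ref):
        return "tag"
    return "branch"


def find_uses(text: str) -> Dict[str, str]:
    """Map every `uses:` target in the workflow text to its pin classification."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            result[m.group("target")] = classify_ref(m.group("target"))
    return result


def top_level_permissions(text: str) -> Dict[str, str]:
    """Extract the unindented `permissions:` mapping (job-level blocks are indented and skipped)."""
    perms: Dict[str, str] = {}
    in_block = False
    for line in text.splitlines():
        if not in_block:
            in_block = line.rstrip() == "permissions:"
            continue
        m = PERM_LINE_RE.match(line)
        if not m:
            break  # left the indented block
        perms[m.group(1)] = m.group(2)
    return perms


def missing_permissions(text: str) -> List[str]:
    """Required scopes that are absent, or granted at a weaker level than required."""
    granted = top_level_permissions(text)
    rank = {"none": 0, "read": 1, "write": 2}
    return [f"{scope}: {level}" for scope, level in REQUIRED_PERMISSIONS.items()
            if rank.get(granted.get(scope, "none"), 0) < rank[level]]


def audit_caller_workflow(text: str) -> Dict[str, object]:
    """Summarise pinning and permission findings for one caller workflow file."""
    uses = find_uses(text)
    return {
        "uses": uses,
        "floating_refs": [t for t, kind in uses.items() if kind in ("branch", "unpinned")],
        "missing_permissions": missing_permissions(text),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_caller_workflow(SAMPLE_CALLER), indent=2))
```

Run it against your own caller file by replacing SAMPLE_CALLER with the file's contents; an empty `floating_refs` list and an empty `missing_permissions` list mean the caller matches the shape of the configs in this README. A `@main` style reference shows up under `floating_refs`, which is the case you want to catch before a change upstream silently alters what runs in your pipeline.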