Merge pull request #9 from dasmeta/checkov
DMVP-1156: Checkov
0katrinpetrosyan0 authored Oct 13, 2022
2 parents 7907b2b + 19f2a2d commit 29179ac
Showing 8 changed files with 385 additions and 0 deletions.
51 changes: 51 additions & 0 deletions checkov/README.md
@@ -0,0 +1,51 @@
# GitHub Actions: Run Checkov
GitHub Action for running checkov It is static code analysis tool for scanning infrastructure.

## Usage

This action can be used as follows:

```yaml
- name: Checkov
uses: dasmeta/reusable-actions-workflows/checkov@1.0.0
```
## For Default Configuration in .github/workflows/check.yml you must have:
```yaml
name: Checkov
on:
pull_request:
push:
branches: [main, master]
jobs:
terraform-validate:
runs-on: ubuntu-latest
strategy:
matrix:
path:
- folder1
- folder2
permissions: write-all
steps:
- uses: dasmeta/reusable-actions-workflows/checkov@1.0.0
with:
fetch-depth: 0
directory: modules/${{ matrix.directory }}


```

## Valid INPUTS

`aws-region`
Optional. 'AWS Region, e.g. us-east-2'
`Default: eu-central-1`

`aws-access-key-id:`
Optional. AWS Access Key ID. This input is required if running in the GitHub hosted environment.

`aws-secret-access-key`
Optional. AWS Secret Access Key. This input is required if running in the GitHub hosted environment.

`directory`
Optional. A directory where will run Checkov
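Review bot: the example workflow's `directory: modules/${{ matrix.directory }}` references a matrix key that does not exist; the matrix defines `path`, so the expression evaluates to an empty string and Checkov is run against `modules/` instead of each listed folder. Change it to `directory: modules/${{ matrix.path }}` (or rename the matrix key to `directory`). The "Valid INPUTS" list also documents `aws-region`, `aws-access-key-id` and `aws-secret-access-key`, none of which `checkov/action.yaml` declares, while the inputs the action does accept are only partly covered; list the real inputs with their defaults (`fetch-depth`, default `0`; `directory`, default `modules/dashboard`). `permissions: write-all` is broader than the SARIF upload needs; `contents: read` and `security-events: write` suffice. Minor: "It is static code analysis tool" should read "It is a static code analysis tool".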
46 changes: 46 additions & 0 deletions checkov/action.yaml
@@ -0,0 +1,46 @@
name: Checkov
description: "Static code analysis tool for scanning infrastructure"
author: Das Meta
branding:
icon: globe
color: purple
inputs:
fetch-depth:
description: "Number of commits to fetch. 0 indicates all history for all branches and tags."
required: false
default: 0
directory:
description: "Path where will run Checkov"
required: false
default: modules/dashboard
runs:
using: "composite"
steps:
- name: Check out code
uses: actions/checkout@v3
with:
fetch-depth: ${{ inputs.fetch-depth }}

- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.2.1

- name: Set up Python 3.8
uses: actions/setup-python@v1
with:
python-version: 3.8

- name: Test with Checkov
id: checkov
uses: bridgecrewio/checkov-action@master
with:
directory: ${{ inputs.directory }}
framework: terraform
download_external_modules: true
continue-on-error: true

- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
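Review bot: `uses: bridgecrewio/checkov-action@master` pins a moving branch, so the scanner that runs on every pull request is whatever is on `master` at that moment; pin to a release tag or, better, a full commit SHA, as the `actions/checkout@v3` step already does by major version. `continue-on-error: true` on the Checkov step means a failing scan never fails the job, so the PR check stays green and findings are only visible in code scanning after the SARIF upload; if that is intended, state it in the README, otherwise drop it. `actions/setup-python@v1` is several major versions behind the current release and should be bumped. The `directory` description "Path where will run Checkov" should read "Path in which to run Checkov".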
51 changes: 51 additions & 0 deletions terraform-test/README.md
@@ -0,0 +1,51 @@
# GitHub Actions: Run Terraform Test
GitHub Action for running terraform test command.

## Usage

This action can be used as follows add latest version:

```yaml
- name: Terraform Test
uses: dasmeta/reusable-actions-workflows/terraform-test@2.0.0
```
## For Default Configuration in .github/workflows/check.yml you must have:
```yaml
name: Terraform Test
on:
pull_request:
push:
branches: [main, master]

jobs:
terraform-validate:
runs-on: ubuntu-latest
strategy:
matrix:
path:
- dashboard
- billing
permissions: write-all
steps:
- uses: dasmeta/reusable-actions-workflows/terraform-test@2.0.0
with:
aws-region: ${{ secrets.AWS_REGION}}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
path: modules/${{ matrix.path }}

```

## Valid INPUTS


`aws-region`
Optional. 'AWS Region, e.g. us-east-2'
`Default: eu-central-1`

`aws-access-key-id:`
Optional. AWS Access Key ID. This input is required if running in the GitHub hosted environment.

`aws-secret-access-key`
Optional. AWS Secret Access Key. This input is required if running in the GitHub hosted environment.
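Review bot: the usage workflow passes `path: modules/${{ matrix.path }}`, but `path` is missing from the "Valid INPUTS" list; add it with its default (`dashboard` in `terraform-test/action.yml`). The credentials section documents long-lived access keys only; `aws-actions/configure-aws-credentials` also accepts `role-to-assume` for OIDC federation, so consider documenting that route rather than steering users towards storing static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets. `permissions: write-all` grants far more than `terraform test` needs; `contents: read` is enough for this job. Minor: "as follows add latest version" should read "as follows (use the latest version)", and `${{ secrets.AWS_REGION}}` is missing the space before `}}` that the neighbouring lines have.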
50 changes: 50 additions & 0 deletions terraform-test/action.yml
@@ -0,0 +1,50 @@
name: Terraform TEST
description: "terraform tool common flow action to init, test terraform code"
author: Das Meta
branding:
icon: globe
color: purple
inputs:
fetch-depth:
description: "Number of commits to fetch. 0 indicates all history for all branches and tags."
required: false
default: 0
aws-region:
description: "AWS Region, e.g. us-east-2"
required: false
default: eu-central-1
aws-access-key-id:
description: "AWS Access Key ID. This input is required if running in the GitHub hosted environment."
required: false
aws-secret-access-key:
description: "AWS Secret Access Key. This input is required if running in the GitHub hosted environment."
required: false
path:
description: "Path where to run terraform test"
required: false
default: dashboard
runs:
using: "composite"
steps:
- name: Check out code
uses: actions/checkout@v3
with:
fetch-depth: ${{ inputs.fetch-depth }}

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: ${{ inputs.aws-region }}
aws-access-key-id: ${{ inputs.aws-access-key-id }}
aws-secret-access-key: ${{ inputs.aws-secret-access-key }}

- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.2.1

- name: Run Terraform Test
run: |
cd ${{ inputs.path }}
terraform test
shell: bash
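Review bot: `cd ${{ inputs.path }}` interpolates the input directly into the bash script, so a value containing spaces or shell metacharacters is parsed as part of the command. Either set `working-directory: ${{ inputs.path }}` on the step instead of the `cd`, or pass the value through `env:` and quote it (`cd "$TF_PATH"`). The `path` default is `dashboard` here but `modules/dashboard` in the sibling `checkov` and `tflint` actions; pick one. On Terraform 1.2.1 `terraform test` is the pre-1.6 experimental command, and the step runs it without a preceding `terraform init` (the `tflint` action does run one); confirm this works for modules with provider dependencies or add an init step. The `name: Terraform TEST` capitalisation is also inconsistent with the README's "Terraform Test".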
54 changes: 54 additions & 0 deletions tflint/README.md
@@ -0,0 +1,54 @@
# GitHub Actions: Run Tflint
GitHub Action for running tflint.

## Usage

This action can be used as follows add latest version:

```yaml
- name: Tflint
uses: dasmeta/reusable-actions-workflows/tflint@3.0.0
```
## For Default Configuration in .github/workflows/check.yml you must have:
```yaml
name: Tflint
on:
pull_request:
push:
branches: [main, master]

jobs:
terraform-validate:
runs-on: ubuntu-latest
strategy:
matrix:
path:
- dashboard
- billing
permissions: write-all
steps:
- uses: dasmeta/reusable-actions-workflows/tflint@3.0.0
with:
aws-region: ${{ secrets.AWS_REGION}}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
path: modules/${{ matrix.path }}

```

## Valid INPUTS


`aws-region`
Optional. 'AWS Region, e.g. us-east-2'
`Default: eu-central-1`

`aws-access-key-id:`
Optional. AWS Access Key ID. This input is required if running in the GitHub hosted environment.

`aws-secret-access-key`
Optional. AWS Secret Access Key. This input is required if running in the GitHub hosted environment.

`path`
Optional. Add path where will run job.
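Review bot: the README states `Default: eu-central-1` for `aws-region`, but `tflint/action.yml` sets `default: us-east-1`; align the two. `path` is described as "Add path where will run job" without its default (`modules/dashboard`), and the action's `fetch-depth` and `github-token` inputs are not documented at all. `permissions: write-all` is more than a lint job needs; `contents: read` is sufficient. Minor: "as follows add latest version" should read "as follows (use the latest version)".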
66 changes: 66 additions & 0 deletions tflint/action.yml
@@ -0,0 +1,66 @@
name: Tflint
description: "terraform tool"
author: Das Meta
branding:
icon: globe
color: purple
inputs:
fetch-depth:
description: "Number of commits to fetch. 0 indicates all history for all branches and tags."
required: false
default: 0
path:
description: "Path where will run checkov"
required: false
default: modules/dashboard
aws-region:
description: "AWS Region, e.g. us-east-2"
required: false
default: us-east-1
aws-access-key-id:
description: "AWS Access Key ID. This input is required if running in the GitHub hosted environment."
required: false
aws-secret-access-key:
description: "AWS Secret Access Key. This input is required if running in the GitHub hosted environment."
required: false
github-token:
description: "Path where will run checkov"
required: false
runs:
using: "composite"
steps:
- name: Check out code
uses: actions/checkout@v2
with:
fetch-depth: ${{ inputs.fetch-depth }}

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: ${{ inputs.aws-region }}
aws-access-key-id: ${{ inputs.aws-access-key-id }}
aws-secret-access-key: ${{ inputs.aws-secret-access-key }}

- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.2.1

- name: Terraform init
run: |
cd ${{ inputs.path}}
terraform init
- name: Setup TFLint
run: curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
- name: Show version
run: tflint --version

- name: Init TFLint
id: tflint
run: |
cd ${{inputs.path}}
tflint
echo tflint --enable-rule=terraform_unused_declarations
shell: bash
continue-on-error: true
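Review bot: this composite action will fail to load as written: every `run:` step in a composite action must declare `shell`, and the "Terraform init", "Setup TFLint" and "Show version" steps omit it (only "Init TFLint" has `shell: bash`). Add `shell: bash` to each. The last step runs `tflint` and then `echo tflint --enable-rule=terraform_unused_declarations`, which prints the command rather than executing it; either remove the `echo` or delete the line. Installing TFLint with `curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash` executes an unpinned script fetched from a branch on every run; use the maintained `terraform-linters/setup-tflint` action pinned to a version (it accepts a `github_token` input, which would also give the otherwise unused `github-token` input a purpose), or pin the script to a tag and verify its checksum. `continue-on-error: true` on the lint step means lint failures never fail the job. Both `path` and `github-token` carry the copy-pasted description "Path where will run checkov"; `cd ${{ inputs.path}}` is unquoted shell interpolation of an input (prefer `working-directory`); and `actions/checkout@v2` should be `@v3` to match the other actions.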
37 changes: 37 additions & 0 deletions tfsec/README.md
@@ -0,0 +1,37 @@
# GitHub Actions: Run TFSEC
GitHub Action for running terraform tfsec security scanning. It is static analysis security scanner for your Terraform code

## Usage

This action can be used as follows add latest version:

```yaml
- name: TFSEC
uses: dasmeta/reusable-actions-workflows/tfsec@4.0.0
```
## For Default Configuration in .github/workflows/tfsec.yml you must have:
```yaml
name: TFSEC
on:
pull_request:
push:
branches: [main, master]

jobs:
terraform-tfsec:
runs-on: ubuntu-latest
permissions: write-all
steps:
- uses: dasmeta/reusable-actions-workflows/tfsec@4.0.0
with:
fetch-depth: 0

```

## Valid INPUTS

`fetch-depth`
Optional. 'fetch-depth'
`Default: 0`
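Review bot: `permissions: write-all` grants the job write access to every scope, while uploading SARIF needs only `security-events: write` plus `contents: read` (and `actions: read` on private repositories); least privilege matters here because the job runs on every `pull_request`. The `fetch-depth` entry in "Valid INPUTS" reads "Optional. 'fetch-depth'" and explains nothing; reuse the action's own description ("Number of commits to fetch. 0 indicates all history for all branches and tags."). "It is static analysis security scanner" should read "It is a static analysis security scanner".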
30 changes: 30 additions & 0 deletions tfsec/action.yaml
@@ -0,0 +1,30 @@
name: Tfsec
description: "Static analysis security scanner for your Terraform cod"
author: Das Meta
branding:
icon: globe
color: purple
inputs:
fetch-depth:
description: "Number of commits to fetch. 0 indicates all history for all branches and tags."
required: false
default: 0
runs:
using: "composite"
steps:
- name: Check out code
uses: actions/checkout@v2
with:
fetch-depth: ${{ inputs.fetch-depth }}
persist-credentials: false
submodules: recursive

- name: tfsec
uses: aquasecurity/tfsec-sarif-action@v0.1.0
with:
sarif_file: tfsec.sarif

- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: tfsec.sarif
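Review bot: `description: "Static analysis security scanner for your Terraform cod"` is missing the final "e". The tfsec step has no `continue-on-error` and the "Upload SARIF file" step has no `if:` condition, so if `aquasecurity/tfsec-sarif-action` exits non-zero on findings the upload step is skipped and the results never reach code scanning; add `if: always()` to the upload step, or `continue-on-error: true` on the scan as `checkov/action.yaml` does, depending on whether findings should block the check. `persist-credentials: false` on checkout is a good choice; `actions/checkout@v2` should become `@v3` to match the Checkov and Terraform Test actions.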

0 comments on commit 29179ac
