Skip to content

Commit

Permalink
ci: synced file(s) with honestbank/.github
Browse files Browse the repository at this point in the history
  • Loading branch information
honestbank-bot committed Dec 11, 2024
1 parent 33f7582 commit ebc05b2
Show file tree
Hide file tree
Showing 5 changed files with 130 additions and 3 deletions.
34 changes: 34 additions & 0 deletions .github/workflows/checkov.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
name: "Checkov GitHub Action"
permissions: read-all

on:
pull_request:
branches: [test, dev, qa, prod, main]

jobs:
checkov:
name: checkov
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
submodules: "recursive"
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create empty baseline (if needed)
run: |
if [ -f .checkov.baseline ]; then
echo "⏩⏩⏩ Baseline file exists - do nothing."
else
echo "🆕🆕🆕 Baseline file does not exist - creating empty baseline file."
echo "{}" >> .checkov.baseline
fi
- name: Output baseline contents to console
run: |
echo "Checkov baseline file (.checkov.baseline) contents:"
cat .checkov.baseline
- name: Run Checkov
id: checkov
uses: bridgecrewio/checkov-action@master
with:
config_file: ".checkov.yaml"
6 changes: 3 additions & 3 deletions .github/workflows/semantic-pr.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
# Use this workflow for public repos, since public repos cannot access our internal
# workflows repo.
---
name: repository-semantic-pr
name: public-semantic-pr
permissions:
contents: write
pull-requests: write
Expand All @@ -18,8 +18,8 @@ on:
- synchronize

jobs:
repository-semantic-pr:
name: repository-semantic-pr
public-semantic-pr:
name: public-semantic-pr
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@v4
Expand Down
33 changes: 33 additions & 0 deletions .github/workflows/terraform.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
name: "Terraform GitHub Action"

Check failure on line 1 in .github/workflows/terraform.yaml

View workflow job for this annotation

GitHub Actions / checkov

CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"

Check failure on line 1 in .github/workflows/terraform.yaml

View workflow job for this annotation

GitHub Actions / checkov

CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
on:
pull_request:
# This workflow is meant for public Terraform module repositories
# which are generally component modules that follow trunk-based development.
branches: [main]
jobs:
terraform:
name: "terraform"
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: "recursive"
- name: Set up Terraform
uses: hashicorp/setup-terraform@v3
with:
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
- name: Terraform Format
id: fmt
run: terraform fmt
continue-on-error: true
- name: Terraform Init
id: init
run: terraform init
- name: Terraform Validate
id: validate
run: terraform validate -no-color
- name: Terraform Plan
id: plan
run: terraform plan -no-color
continue-on-error: true
30 changes: 30 additions & 0 deletions .github/workflows/terratest.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: "Terratest GitHub Action"

Check failure on line 1 in .github/workflows/terratest.yaml

View workflow job for this annotation

GitHub Actions / checkov

CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"

Check failure on line 1 in .github/workflows/terratest.yaml

View workflow job for this annotation

GitHub Actions / checkov

CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
on:
pull_request:
branches: [test, dev, qa, prod, main]
push:
branches: [test, dev, qa, prod, main]
env:
AWS_ACCESS_KEY_ID: ${{ secrets.TERRATEST_AWS_ACCESS_KEY_ID }}
AWS_SECRET_KEY: ${{ secrets.TERRATEST_AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
AWS_REGION: ${{ secrets.TERRATEST_AWS_REGION }}
jobs:
terratest:
name: terratest
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
submodules: true
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.20
id: go
- name: Run 'go test -v -timeout 60m'
run: |
cd test
go mod download
go test -v -timeout 30m
30 changes: 30 additions & 0 deletions .github/workflows/trivy.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
---
name: Trivy Security Scan

# permissions required for the action, restricting to read-only for repository contents.
permissions:
contents: read

on:
pull_request:
branches:
- main

jobs:
trivy-security-scan:
name: Run Trivy Security Scan
runs-on: ubuntu-latest

steps:
- name: Checkout Repository
uses: actions/checkout@v4
with:
submodules: "recursive" # Ensure any submodules are included in the scan.
token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}

# Run Trivy Configuration Scan with specified options.
- name: Run Trivy Security Scan
uses: aquasecurity/[email protected]
with:
scan-type: 'config'
trivy-config: 'trivy.yaml'

0 comments on commit ebc05b2

Please sign in to comment.