Add statics analysis Github action

See https://www.checkov.io/5.Policy%20Index/all.html for details of checks disabled. CKV_TF_1 check skipped due to module being used from Terraform module repository. At this time not going to make any changes but should revisit this check another time. bridgecrewio/checkov#5286 CKV_AWS_274 check skipped, also will not make changes but will revisist after team discussion.
ministryofjustice · Aug 14, 2023 · c2a5871 · c2a5871
1 parent 13a0aba
commit c2a5871
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/.github/workflows/terraform-static-analysis.yml b/.github/workflows/terraform-static-analysis.yml
@@ -0,0 +1,31 @@
+name: Terraform static code analysis
+
+on:
+  pull_request:
+    branches:
+      - "main"
+  push:
+    branches:
+      - "*"
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+    terraform-static-analysis:
+      name: Terraform Static Analysis
+      runs-on: ubuntu-latest
+      steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Run Analysis
+        uses: ministryofjustice/github-actions/terraform-static-analysis@main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          scan_type: full
+          checkov_exclude: "CKV_TF_1,CKV_AWS_274"
+          checkov_external_modules: true