ci: add checkov ci check

aws-games · Jul 11, 2024 · d52237f · d52237f
1 parent 917f4df
commit d52237f
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 8 deletions.
diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml
@@ -0,0 +1,27 @@
+name: Checkov
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  scan:
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Checkov GitHub Action
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          output_format: sarif
+          output_file_path: results.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        if: success() || failure()
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -1,6 +1,10 @@
 name: "CodeQL"
 on:
   workflow_call:
+  push:
+    branches: main
+  pull_request:
+    branches: main
 permissions:
   contents: read
 jobs:

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -1,11 +1,8 @@
-# Runs security scans 
+# This workflow can be used as needed and is triggered manually to consolidate the security scans.
 
 name: Security
 on:
-  push:
-    branches:
-      - main
-  pull_request:
+  workflow_dispatch:
 
 permissions:
   contents: read
@@ -19,3 +16,6 @@ jobs:
   codeql-analysis:
     uses: ./.github/workflows/codeql-analysis.yml
     secrets: inherit
+  checkov:
+    uses: ./.github/workflows/checkov.yml
+    secrets: inherit
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -1,7 +1,9 @@
-# Reusable workflow that scans a repository for vulnerabilities using Trivy and uploads the results to the GitHub Security tab.
-# Triggered by a workflow call event from the Security workflow.
 name: Trivy Scan
 on:
+  push:
+    branches:
+      - main
+  pull_request:
   workflow_call:
 jobs:
   trivy_scan:
@@ -18,7 +20,7 @@ jobs:
           ignore-unfixed: true
           format: 'sarif'
           output: 'trivy-results.sarif'
-          severity: 'CRITICAL'
+          severity: 'CRITICAL,HIGH'
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3