From 8a3dc75444c983d122f3e64dcbe767d7bd3a71b8 Mon Sep 17 00:00:00 2001
From: Kyle Somers <17753062+kylesomers@users.noreply.github.com>
Date: Thu, 11 Jul 2024 00:44:02 -0500
Subject: [PATCH] ci: add checkov (#140)
---
 .github/workflows/checkov.yml | 27 +++++++++++++++++++++++++++
 .github/workflows/codeql-analysis.yml | 4 ++++
 .github/workflows/security.yml | 10 +++++-----
 .github/workflows/trivy.yml | 8 +++++---
 4 files changed, 41 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/checkov.yml
diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml
new file mode 100644
index 0000000..4b74fc1
--- /dev/null
+++ b/.github/workflows/checkov.yml
@@ -0,0 +1,27 @@
+name: Checkov
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ scan:
+ permissions:
+ contents: read
+ security-events: write
+ actions: read
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Checkov GitHub Action
+ uses: bridgecrewio/checkov-action@v12
+ with:
+ output_format: sarif
+ output_file_path: results.sarif
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ if: success() || failure()
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 2a6eb36..fdae991 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,6 +1,10 @@
 name: "CodeQL"
 on:
 workflow_call:
+ push:
+ branches: main
+ pull_request:
+ branches: main
 permissions:
 contents: read
 jobs:
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 87e44ff..b004563 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
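Review bot: All three steps in the new checkov.yml reference actions by mutable major tag — `actions/checkout@v4`, `bridgecrewio/checkov-action@v12` and `github/codeql-action/upload-sarif@v3` — inside a job that is granted `security-events: write`. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: bridgecrewio/checkov-action@<full-commit-sha>  # v12`, turns a retagged or compromised upstream release into a visible diff instead of a silent change; Dependabot's `github-actions` ecosystem can keep such pins current. Separately, the `pull_request` trigger also fires for pull requests from forks, where the workflow token is read-only, so the `Upload SARIF file` step will presumably fail on those runs — confirm that is acceptable or gate the upload on the head repository.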
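Review bot: The new `push`/`pull_request` filters write `branches: main` as a bare scalar, while checkov.yml and trivy.yml in this same commit use the block-list form (`branches:` followed by `- main`); the workflows should agree on one form, and the list form matches the rest of the commit and GitHub's documented examples, so `branches:` / `  - main` is the safer choice here. The hunk also shows a workflow-level `permissions: contents: read`; now that this workflow runs on its own rather than only via `workflow_call`, the analysis job (outside this hunk) must itself grant `security-events: write` for the CodeQL upload to succeed — worth confirming, since the job body is not visible here.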
@@ -1,11 +1,8 @@
-# Runs security scans
+# This workflow can be used as needed and is triggered manually to consolidate the security scans.
 name: Security
 on:
- push:
- branches:
- - main
- pull_request:
+ workflow_dispatch:
 permissions:
 contents: read
@@ -19,3 +16,6 @@ jobs:
 codeql-analysis:
 uses: ./.github/workflows/codeql-analysis.yml
 secrets: inherit
+ checkov:
+ uses: ./.github/workflows/checkov.yml
+ secrets: inherit
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index aa4dad7..217aa22 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,7 +1,9 @@
-# Reusable workflow that scans a repository for vulnerabilities using Trivy and uploads the results to the GitHub Security tab.
-# Triggered by a workflow call event from the Security workflow.
 name: Trivy Scan
 on:
+ push:
+ branches:
+ - main
+ pull_request:
 workflow_call:
 jobs:
 trivy_scan:
@@ -18,7 +20,7 @@ jobs: ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' - severity: 'CRITICAL' + severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3
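Review bot: The new `checkov` job calls checkov.yml with `secrets: inherit` but no job-level `permissions:`, so it inherits the workflow-level `permissions: contents: read` shown in the first hunk; a caller can only narrow the token handed to a reusable workflow, so the called `scan` job's request for `security-events: write` is downgraded and its SARIF upload step would fail with a permission error. The same likely applies to the sibling `trivy` and `codeql-analysis` calls, which also upload SARIF, though their job definitions are only partly visible here. Grant the scopes the called workflow needs on the calling job:
```yaml
 checkov:
   permissions:
     contents: read
     security-events: write
     actions: read
   uses: ./.github/workflows/checkov.yml
   # … unchanged: secrets: inherit …
```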
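Review bot: The two header comments that described what trivy.yml does and how it is triggered are deleted rather than updated, leaving the workflow undocumented just as it gains a second role (standalone on `push`/`pull_request` in addition to `workflow_call`). Replace them with a comment that reflects the new triggers, e.g. `# Scans the repository with Trivy and uploads SARIF results to the GitHub Security tab.` followed by `# Runs on pushes to main and on pull requests, and remains callable via workflow_call from security.yml.`. The `trivy_scan` job body continues past this hunk.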