fix: resolve terraform validation errors found by pre-commit workflow #155
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| push: | |
| branches: [ master ] | |
| pull_request: | |
| branches: [ master ] | |
| schedule: | |
| - cron: '0 0 * * 1' # Weekly on Mondays | |
| jobs: | |
| security-scan: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.x' | |
| - name: Install checkov | |
| run: pip install checkov | |
| - name: Install tfsec | |
| run: | | |
| curl -L https://github.com/aquasecurity/tfsec/releases/latest/download/tfsec-linux-amd64 -o tfsec | |
| chmod +x tfsec | |
| sudo mv tfsec /usr/local/bin/ | |
| - name: Run checkov | |
| run: | | |
| checkov --config-file .checkov.yml --output cli --output sarif --output-file-path console,checkov-results.sarif | |
| continue-on-error: true | |
| - name: Run tfsec | |
| run: | | |
| tfsec . --format sarif --out tfsec-results.sarif --exclude-path test/ | |
| continue-on-error: true | |
| - name: Upload checkov results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: checkov-results.sarif | |
| category: checkov | |
| - name: Upload tfsec results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: tfsec-results.sarif | |
| category: tfsec | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.24' | |
| - name: Run Go vulnerability scan | |
| run: | | |
| cd test | |
| go install golang.org/x/vuln/cmd/govulncheck@latest | |
| govulncheck ./... | |
| continue-on-error: true | |
| - name: Run Go module security audit | |
| run: | | |
| cd test | |
| go mod verify | |
| go list -m all | grep -v "^$(go list -m)$" | sort | uniq > deps.txt | |
| echo "Checking dependencies for known vulnerabilities..." | |
| cat deps.txt | |
| continue-on-error: true | |
| security-scan-examples: | |
| name: Security Scan Examples | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| example: [ | |
| 'simple_plan', | |
| 'complete_plan', | |
| 'selection_by_tags', | |
| 'selection_by_conditions', | |
| 'simple_plan_with_report', | |
| 'simple_plan_using_variables', | |
| 'simple_plan_using_lock_configuration', | |
| 'simple_plan_windows_vss_backup', | |
| 'organization_backup_policy', | |
| 'multiple_plans', | |
| 'aws_recommended_audit_framework', | |
| 'complete_audit_framework', | |
| 'simple_audit_framework', | |
| 'secure_backup_configuration' | |
| ] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.x' | |
| - name: Install checkov | |
| run: pip install checkov | |
| - name: Install tfsec | |
| run: | | |
| curl -L https://github.com/aquasecurity/tfsec/releases/latest/download/tfsec-linux-amd64 -o tfsec | |
| chmod +x tfsec | |
| sudo mv tfsec /usr/local/bin/ | |
| - name: Run checkov on example | |
| run: | | |
| if [ -d "examples/${{ matrix.example }}" ]; then | |
| checkov -d examples/${{ matrix.example }} --framework terraform --output cli | |
| fi | |
| continue-on-error: true | |
| - name: Run tfsec on example | |
| run: | | |
| if [ -d "examples/${{ matrix.example }}" ]; then | |
| tfsec examples/${{ matrix.example }} --format default | |
| fi | |
| continue-on-error: true |