Upgrade CI, trivy, remove checkov #24
on: push | |
name: Terraform CI | |
env: | |
AWS_REGION: us-east-1 | |
jobs: | |
fmt: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v3 | |
- name: Install Terraform | |
uses: hashicorp/setup-terraform@v2 | |
with: | |
terraform_wrapper: false | |
terraform_version: ${{ env.TERRAFORM_VERSION }} | |
- name: Run Terraform fmt | |
shell: bash --noprofile --norc -exo pipefail {0} | |
run: terraform fmt -check | |
tflint: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v3 | |
- name: Import CI .env file | |
uses: cardinalby/export-env-action@v1 | |
with: | |
envFile: ".github/ci-versions.env" | |
expand: "true" | |
- name: Install Terraform | |
uses: hashicorp/setup-terraform@v2 | |
with: | |
terraform_wrapper: false | |
terraform_version: ${{ env.TERRAFORM_VERSION }} | |
- name: Setup tflint | |
run: | | |
wget https://github.com/terraform-linters/tflint/releases/download/${{ env.TFLINT_VERSION }}/tflint_linux_amd64.zip | |
unzip tflint_linux_amd64.zip | |
chmod +x tflint | |
sudo mv tflint /usr/local/bin/tflint | |
- name: Run tflint | |
run: tflint . | |
tfsec: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v3 | |
- name: Import CI .env file | |
uses: cardinalby/export-env-action@v1 | |
with: | |
envFile: ".github/ci-versions.env" | |
expand: "true" | |
- name: Install Terraform | |
uses: hashicorp/setup-terraform@v2 | |
with: | |
terraform_wrapper: false | |
terraform_version: ${{ env.TERRAFORM_VERSION }} | |
- name: Run Trivy vulnerability scanner in IaC mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: "config" | |
hide-progress: false | |
format: "sarif" | |
output: "trivy-results.sarif" | |
exit-code: "1" | |
ignore-unfixed: true | |
severity: "CRITICAL,HIGH" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: "trivy-results.sarif" | |
validate: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v3 | |
- name: Import CI .env file | |
uses: cardinalby/export-env-action@v1 | |
with: | |
envFile: ".github/ci-versions.env" | |
expand: "true" | |
- name: Install Terraform | |
uses: hashicorp/setup-terraform@v2 | |
with: | |
terraform_wrapper: false | |
terraform_version: ${{ env.TERRAFORM_VERSION }} | |
- name: Validate Terraform code | |
shell: bash --noprofile --norc -exo pipefail {0} | |
run: terraform init && terraform validate |
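Review bot: The "Upload Trivy scan results to GitHub Security tab" step is skipped exactly when it matters, because the Trivy step runs with `exit-code: "1"` and any CRITICAL/HIGH finding fails that step before the SARIF is uploaded; give the upload step `if: always()` so findings still reach the Security tab. The scanner is pulled from `aquasecurity/trivy-action@master`, a mutable branch, so the job's behaviour can change without any commit in this repository; pin it to a release tag or, preferably, a full commit SHA, as the other actions here are at least pinned to tags. The `fmt` job reads `${{ env.TERRAFORM_VERSION }}` but, unlike the other three jobs, has no "Import CI .env file" step, so that value is empty there and `fmt` presumably runs whatever version setup-terraform falls back to rather than the pinned one. Uploading SARIF also needs `security-events: write` on the job token, which the workflow does not declare; add `permissions: { contents: read, security-events: write }` to the scanning job instead of relying on the repository default. The job is still named `tfsec` although it now runs Trivy, which will confuse anyone reading branch-protection checks.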