diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 0e9b0a4..0501e53 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -11,4 +11,4 @@ jobs:
 changelog-automation:
 uses: ./.github/workflows/changelog-automation.yml
 secrets:
- BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}
+ BOT_ACCESS_TOKEN: "${{ fromJSON(secrets.VAULT_KV_1D187965_OP_GITHUB_INFRALOVERS).PAT }}"
diff --git a/.github/workflows/pr-valid.yml b/.github/workflows/pr-valid.yml
index 32894d0..e74ff2b 100644
--- a/.github/workflows/pr-valid.yml
+++ b/.github/workflows/pr-valid.yml
@@ -21,4 +21,4 @@ jobs:
 pr-validation:
 uses: ./.github/workflows/pr-validation.yml
 secrets:
- BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}
+ BOT_ACCESS_TOKEN: "${{ fromJSON(secrets.VAULT_KV_1D187965_OP_GITHUB_INFRALOVERS).PAT }}"
diff --git a/.github/workflows/terraform-analyse/action.yml b/.github/workflows/terraform-analyse/action.yml
new file mode 100644
index 0000000..5badc72
--- /dev/null
+++ b/.github/workflows/terraform-analyse/action.yml
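Review bot: The new `BOT_ACCESS_TOKEN` line extracts one field from a JSON-valued secret with no hint to the reader of where that JSON comes from, and the identical expression is repeated in pr-valid.yml in the next hunk; a short comment above each would save the next maintainer a lookup, e.g. `# PAT field of the vault-synced JSON secret; rotate it in the vault, not here`. GitHub masks the full value of `VAULT_KV_1D187965_OP_GITHUB_INFRALOVERS` in logs, but the `.PAT` substring produced by `fromJSON` is a different string, so I would confirm that the called workflow still sees that value masked before any step there prints its inputs. Quoting the whole expression is good practice and consistent between the two files; keep it. The `jobs:` mapping this hunk edits starts outside the hunk.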
@@ -0,0 +1,50 @@
+---
+
+name: 'Terraform Analyse'
+description: 'analyse terraform code'
+inputs:
+ tfdir:
+ description: 'Directory to scan'
+ required: true
+ default: '.'
+ mondoo_service_account:
+ description: 'Mondoo service account bas64 encoded'
+ required: true
+ default: ''
+outputs: {}
+runs:
+ using: "composite"
+ steps:
+ - name: mondoo terraform hcl scan
+ uses: mondoohq/actions/terraform-hcl@v11.0.0
+ if: always()
+ env:
+ MONDOO_CONFIG_BASE64: ${{ inputs.mondoo_service_account }}
+ with:
+ path: ${{ inputs.tfdir }}
+ output: 'summary'
+
+ - name: kics scan
+ uses: checkmarx/kics-github-action@v2
+ if: always()
+ with:
+ path: ${{ inputs.tfdir }}
+ output_formats: "json"
+
+ - name: trivy scan
+ uses: aquasecurity/trivy-action@master
+ if: always()
+ with:
+ scan-type: 'fs'
+ scan-ref: ${{ inputs.tfdir }}
+ scanners: 'vuln,misconfig'
+ format: 'table'
+
+ - name: checkov scan
+ uses: bridgecrewio/checkov-action@v12
+ if: always()
+ with:
+ directory: ${{ inputs.tfdir }}
+ output_format: cli,sarif
+ quiet: false
+ skip_path: 'policies' # incorrect hcl handling in checkov
diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
new file mode 100644
index 0000000..1a0ed5e
--- /dev/null
+++ b/.github/workflows/terratest.yml
@@ -0,0 +1,32 @@
+---
+name: Analyze Terraform
+
+on:
+ workflow_call:
+ inputs:
+ tfdir:
+ description: 'Terraform directory to analyze'
+ required: true
+ default: '.'
+ type: string
+
+jobs:
+
+ terratest:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Check if ${{ inputs.tfdir }} changed
+ id: detect
+ uses: tj-actions/changed-files@v44
+ with:
+ path: ${{ inputs.tfdir }}
+
+ - name: Run Terratest
+ uses: cloudposse/github-action-terratest@main
+ if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'
+ with:
+ sourceDir: ${{ inputs.tfdir }}
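Review bot: `uses: aquasecurity/trivy-action@master` in the trivy step runs whatever the branch head contains at scan time, while the other three scanners are at least pinned to a tag; a moved branch or tag changes the code that runs against this repository's Terraform with the job's token, so pin it to a full commit SHA with the version in a trailing comment, `uses: aquasecurity/trivy-action@<commit-sha>  # <release> (placeholders)`, and ideally do the same for the other three. The `mondoo_service_account` input declares `required: true` together with `default: ''`, so a caller that omits it is not flagged and the mondoo step runs with an empty `MONDOO_CONFIG_BASE64`; drop the default so the omission surfaces (and fix `bas64` in the description). `if: always()` on every scan step also runs the scanners after the job has been cancelled; `if: ${{ !cancelled() }}` keeps the intended run-all-scanners behaviour without that. Checkov is asked for `cli,sarif` and kics for `json`, but nothing in this action uploads those reports, so findings only live in the job log unless the calling workflow adds an upload step.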
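Review bot: `uses: cloudposse/github-action-terratest@main` in the Run Terratest step executes the branch head at run time, and `tj-actions/changed-files@v44` is a mutable tag; both run with this job's token, so pin each to a full commit SHA with the version in a trailing comment (`uses: cloudposse/github-action-terratest@<commit-sha>  # <release>`, placeholders). Whether `tj-actions/changed-files` restricts detection to `tfdir` through `path:` rather than `files:` is something I would verify against its documentation, since if `path` only sets the working directory the job currently runs terratest on any change anywhere in the repository. `actions/checkout@v4` defaults to a shallow clone, so also confirm changed-files has the history it needs on push events, or set `fetch-depth: 0` on the checkout step. tf-analyise.yml in the next hunk copies the same checkout/detect pair and has the same points.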
diff --git a/.github/workflows/tf-analyise.yml b/.github/workflows/tf-analyise.yml
new file mode 100644
index 0000000..670a095
--- /dev/null
+++ b/.github/workflows/tf-analyise.yml
@@ -0,0 +1,36 @@
+---
+name: Analyze Terraform
+
+on:
+ workflow_call:
+ inputs:
+ tfdir:
+ description: 'Terraform directory to analyze'
+ required: true
+ default: '.'
+ type: string
+ secrets:
+ MONDOO_SERVICE_ACCOUNT:
+ description: 'Mondoo Service Account'
+ required: true
+jobs:
+
+ analyze_tf:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Check if ${{ inputs.tfdir }} changed
+ id: detect
+ uses: tj-actions/changed-files@v44
+ with:
+ path: ${{ inputs.tfdir }}
+
+ - name: run terraform anlysis
+ if: ( steps.detect.outputs.all_changed_files != '' && always() ) || ( github.event_name == 'workflow_dispatch' && always() )
+ uses: ./.github/workflows/terraform-analyse
+ with:
+ tfdir: ${{ inputs.tfdir }}
+ mondoo_service_account: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
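Review bot: The `if:` on the "run terraform anlysis" step puts `&& always()` inside both branches, which makes the analysis run on a cancelled job and, via the `workflow_dispatch` branch, even after the checkout or detect step failed; the duplicated `always()` also hides that this is the only effect it has. A single guard reads more clearly and drops the cancelled case: `if: ${{ !cancelled() && (steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch') }}`. `uses: ./.github/workflows/terraform-analyse` is a local-path action inside a `workflow_call` workflow, and `actions/checkout@v4` checks out the calling repository, so this step only resolves when the caller lives in this same repository; if the workflow is ever called from another repo the path will not exist, which is worth a comment on the `uses:` line. Both this file and terratest.yml are named `Analyze Terraform`, which makes the two runs indistinguishable in the checks list; a distinct name here (and fixing `tf-analyise`/`anlysis`) would help.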