From dff5d3d65ea71cd36bdca25dc657ebbc927ae5d2 Mon Sep 17 00:00:00 2001
From: Pawan Murarka
Date: Tue, 9 Dec 2025 11:16:30 +0530
Subject: [PATCH 1/3] iac security pipeline installation

---
 .github/workflows/iac-security.yml | 45 ++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 .github/workflows/iac-security.yml

diff --git a/.github/workflows/iac-security.yml b/.github/workflows/iac-security.yml
new file mode 100644
index 0000000..e45fffe
--- /dev/null
+++ b/.github/workflows/iac-security.yml
@@ -0,0 +1,45 @@
+name: IaC Security Scan
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+
+jobs:
+ # Pull Request Scan (soft-fail)
+ checkov_pr:
+ name: Checkov Scan on Pull Request
+ runs-on: ubuntu-latest
+ if: github.event_name == 'pull_request'
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v3
+
+ - name: Run Checkov (SARIF, soft fail)
+ uses: bridgecrewio/checkov-action@v12
+ with:
+ directory: .
+ output_format: sarif
+ output_file_path: checkov-pr.sarif
+ soft_fail: true
+
+ - name: Upload SARIF to GitHub Security Dashboard
+ uses: github/code-scanning-action/upload-sarif@v3
+ with:
+ sarif_file: checkov-pr.sarif
+
+ # Main Branch Scan (strict fail)
+ checkov_main:
+ name: Checkov Scan on Main (Strict)
+ runs-on: ubuntu-latest
+ if: github.event_name == 'push' && contains(github.ref, 'main')
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v3
+
+ - name: Run Checkov (strict)
+ uses: bridgecrewio/checkov-action@v12
+ with:
+ directory: .
+ soft_fail: false # ❌ fail CI if issues found

From fe24bc0534563681265e6bc66a699deb3914f8be Mon Sep 17 00:00:00 2001
From: Pawan Murarka
Date: Tue, 9 Dec 2025 11:19:32 +0530
Subject: [PATCH 2/3] updates iac security scan

---
 .github/workflows/iac-security.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/iac-security.yml b/.github/workflows/iac-security.yml
index e45fffe..6193ac4 100644
--- a/.github/workflows/iac-security.yml
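Review bot: The `checkov_main` job's condition `if: github.event_name == 'push' && contains(github.ref, 'main')` is a substring test, so any pushed ref whose name contains `main` (a `maintenance` branch, for instance) satisfies it; the `branches: - main` filter on the trigger narrows this today, but the guard should be exact: `if: github.event_name == 'push' && github.ref == 'refs/heads/main'`. The same job runs Checkov without `output_format: sarif` and has no upload step, so findings on `main` only fail the run and never reach the Security tab, unlike the PR job. Both jobs reference actions by mutable tags (`actions/checkout@v3`, `bridgecrewio/checkov-action@v12`); pinning each `uses:` to a full commit SHA, with the tag in a trailing comment, removes the chance of a retagged action changing what this security gate executes.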
+++ b/.github/workflows/iac-security.yml
@@ -21,13 +21,13 @@ jobs:
 with:
 directory: .
 output_format: sarif
- output_file_path: checkov-pr.sarif
+ output_file_path: checkov.sarif
 soft_fail: true

- - name: Upload SARIF to GitHub Security Dashboard
- uses: github/code-scanning-action/upload-sarif@v3
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: checkov-pr.sarif
+ sarif_file: checkov.sarif

 # Main Branch Scan (strict fail)
 checkov_main:

From 9e83e16f6d50b745a97fff3ff6e993ad06bac5c1 Mon Sep 17 00:00:00 2001
From: Pawan Murarka
Date: Tue, 9 Dec 2025 11:24:25 +0530
Subject: [PATCH 3/3] updates secruity comment

---
 .github/workflows/iac-security.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/iac-security.yml b/.github/workflows/iac-security.yml
index 6193ac4..88d4266 100644
--- a/.github/workflows/iac-security.yml
+++ b/.github/workflows/iac-security.yml
@@ -1,5 +1,10 @@
 name: IaC Security Scan
+permissions:
+ contents: read
+ actions: read
+ security-events: write
+

 on:
 pull_request:
 push:
@@ -42,4 +47,4 @@ jobs:
 uses: bridgecrewio/checkov-action@v12
 with:
 directory: .
- soft_fail: false # ❌ fail CI if issues found
+ soft_fail: false # fail CI if issues found
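Review bot: The `Upload SARIF file` step in this hunk will fail for pull requests opened from forks, because, as far as I know, the `GITHUB_TOKEN` on a fork `pull_request` is read-only whatever the workflow's `permissions` declare, so the soft-failing PR job would turn red for a reason unrelated to findings. If fork PRs are expected, either guard the step with `if: github.event.pull_request.head.repo.full_name == github.repository` or mark it `continue-on-error: true` so the scan log still surfaces the findings. The enclosing `checkov_pr` job starts before this hunk.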
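Review bot: The new `permissions` block is declared at workflow level, so `security-events: write` and `actions: read` are granted to the strict `checkov_main` job as well, although only the PR job's SARIF upload uses them. I would keep `contents: read` at workflow level and move the other two into a `permissions:` block on `checkov_pr`, so the `main` scan runs with a read-only token. As I recall the codeql-action docs, `actions: read` is needed by upload-sarif only in private repositories, so a comment on that line would help the next reader: `# actions: read is required by upload-sarif only for private repositories`.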