Skip to content
Terraform Static Code Analysis

GitHub Actions Code Formatter workflow #11042

Sign in to view logs

GitHub Actions Code Formatter workflow

GitHub Actions Code Formatter workflow #11042

Workflow file for this run

.github/workflows/terraform-static-analysis.yml at 01b2a88
name: Terraform Static Code Analysis
on:
schedule:
# * is a special character in YAML so you have to quote this string
- cron: "0 7 * * 1-5"
workflow_dispatch:
pull_request:
branches:
- main
permissions:
contents: read
jobs:
terraform-static-analysis:
permissions:
pull-requests: write
name: Terraform Static Analysis
runs-on: ubuntu-latest
if: github.event_name != 'workflow_dispatch' && github.event_name != 'schedule'
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@9fc6d8a5d34d3ea803d123ced4f24d9e26751c66 # v18.1.4
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: changed
trivy_severity: HIGH,CRITICAL
trivy_ignore: ./.trivyignore.yaml
checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
tflint_exclude: terraform_unused_declarations
tflint_call_module_type: none
tfsec_trivy: trivy
terraform-static-analysis-full-scan:
permissions:
contents: read
actions: read
security-events: write
pull-requests: write
name: Terraform Static Analysis - scan all directories
runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch'
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@9fc6d8a5d34d3ea803d123ced4f24d9e26751c66 # v18.1.4
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: full
tfsec_trivy: trivy
trivy_skip_dir: ""
trivy_severity: HIGH,CRITICAL
trivy_ignore: ./.trivyignore.yaml
tfsec_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
tflint_exclude: terraform_unused_declarations
tflint_call_module_type: none
terraform-static-analysis-scheduled-scan:
name: Terraform Static Analysis - scheduled scan of all directories
runs-on: ubuntu-latest
if: github.event_name == 'schedule'
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@9fc6d8a5d34d3ea803d123ced4f24d9e26751c66 # v18.1.4
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: full
tfsec_trivy: trivy
trivy_severity: HIGH,CRITICAL
trivy_ignore: ./.trivyignore.yaml
tfsec_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
tflint_exclude: terraform_unused_declarations
tflint_call_module_type: none
- name: Slack failure notification
uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
with:
payload: |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
if: ${{ failure() }}