This GitHub Action runs Checkov against an Infrastructure-as-Code repository. Checkov performs static security analysis of Terraform & CloudFormation Infrastructure code .
on: [push]
jobs:
checkov-job:
runs-on: ubuntu-latest
name: checkov-action
steps:
- name: Checkout repo
uses: actions/checkout@master
- name: Run Checkov action
id: checkov
uses: bridgecrewio/checkov-action@master
with:
directory: example/
file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.
check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
quiet: true # optional: display only failed checks
soft_fail: true # optional: do not return an error code if there are failed checks
framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans.
log_level: DEBUG # optional: set log level. Default WARNING
config_file: path/this_file
baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline.
container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issueson: [push]
env:
IMAGE_NAME: ${{ github.repository }}:${{ github.sha }}
IMAGE_PATH: /path/
jobs:
checkov-image-scan:
runs-on: ubuntu-latest
name: checkov-image-scan
steps:
- name: Checkout repo
uses: actions/checkout@master
- name: Build the image
run: docker build -t ${{ env.IMAGE_NAME }} ${{ env.IMAGE_PATH }}
- name: Run Checkov action
id: checkov
uses: bridgecrewio/checkov-action@master
with:
quiet: true # optional: display only failed checks
soft_fail: true # optional: do not return an error code if there are failed checks
log_level: DEBUG # optional: set log level. Default WARNING
docker_image: ${{ env.IMAGE_NAME }} # define the name of the image to scan
dockerfile_path: ${{ format('{0}/Dockerfile', env.IMAGE_PATH) }} # path to the Dockerfile
container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
api-key: ${{ secrets.BC_API_KEY }} # Bridgecrew API key stored as a GitHub secretNote that this example uses the latest version (master) but you could also use a static version (e.g. v3).
Also, the check ids specified for '--check' and '--skip-check' must be mutually exclusive.