Skip to content
Terraform Static Code Analysis

Move RAM association job to reusable workflow and switch secrets source to AWS Secrets Manager #12624

Sign in to view logs

Move RAM association job to reusable workflow and switch secrets source to AWS Secrets Manager

Move RAM association job to reusable workflow and switch secrets source to AWS Secrets Manager #12624

Workflow file for this run

.github/workflows/terraform-static-analysis.yml at b41034d
name: Terraform Static Code Analysis
on:
schedule:
# * is a special character in YAML so you have to quote this string
- cron: "0 7 * * 1-5"
workflow_dispatch:
pull_request:
branches:
- main
permissions:
contents: read
jobs:
terraform-static-analysis:
permissions:
pull-requests: write
name: Terraform Static Analysis
runs-on: ubuntu-latest
if: github.event_name != 'workflow_dispatch' && github.event_name != 'schedule'
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@db1a54895bf5fb975c60af47e5a3aab96505ca3e # v18.6.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: changed
trivy_severity: HIGH,CRITICAL
trivy_ignore: ./.trivyignore.yaml
checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
tflint_exclude: terraform_unused_declarations
tflint_call_module_type: none
tfsec_trivy: trivy
use_trivy_ecr_database: true
terraform-static-analysis-full-scan:
permissions:
contents: read
actions: read
security-events: write
pull-requests: write
name: Terraform Static Analysis - scan all directories
runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch'
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@db1a54895bf5fb975c60af47e5a3aab96505ca3e # v18.6.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: full
tfsec_trivy: trivy
trivy_skip_dir: ""
trivy_severity: HIGH,CRITICAL
trivy_ignore: ./.trivyignore.yaml
tfsec_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
tflint_exclude: terraform_unused_declarations
tflint_call_module_type: none
use_trivy_ecr_database: true
terraform-static-analysis-scheduled-scan:
name: Terraform Static Analysis - scheduled scan of all directories
runs-on: ubuntu-latest
if: github.event_name == 'schedule'
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Run Analysis
uses: ministryofjustice/github-actions/terraform-static-analysis@db1a54895bf5fb975c60af47e5a3aab96505ca3e # v18.6.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
scan_type: full
tfsec_trivy: trivy
trivy_severity: HIGH,CRITICAL
trivy_ignore: ./.trivyignore.yaml
tfsec_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
tflint_exclude: terraform_unused_declarations
tflint_call_module_type: none
use_trivy_ecr_database: true
- name: Slack failure notification
uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
with:
webhook-type: incoming-webhook
payload: |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
if: ${{ failure() }}