Terraform Security Scan #7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Terraform Security Scan | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - "**.tf" | |
| - "**.tfvars" | |
| - "**.py" | |
| - "**.yml" # WIP: Workaround while debugging | |
| pull_request: | |
| branches: [main] | |
| paths: | |
| - "**.tf" | |
| - "**.tfvars" | |
| schedule: | |
| - cron: "0 0 * * 0" # Run weekly on Sunday | |
| permissions: write-all | |
| jobs: | |
| security-scan: | |
| name: Infrastructure-as-Code Security Scan | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: "1.10.2" | |
| - name: Terraform init | |
| run: cd infra; terraform init | |
| - name: Run Terrascan | |
| uses: tenable/[email protected] | |
| with: | |
| iac_dir: "infra" | |
| iac_type: "terraform" | |
| iac_version: "v14" | |
| policy_type: "aws" | |
| only_warn: true | |
| sarif_upload: true | |
| non_recursive: true | |
| continue-on-error: true | |
| - name: Run tfsec | |
| uses: aquasecurity/[email protected] | |
| with: | |
| working_directory: infra | |
| sarif_file: tfsec.sarif | |
| continue-on-error: true | |
| - name: Run Checkov scan | |
| id: checkov | |
| uses: bridgecrewio/checkov-action@v12 | |
| with: | |
| directory: infra | |
| framework: terraform | |
| output_format: sarif | |
| output_file_path: . | |
| skip_check: CKV_AWS_1,CKV_AWS_2 # Add checks to skip if needed | |
| continue-on-error: true | |
| # - name: Upload Checkov SARIF report | |
| # if: success() || failure() | |
| # uses: github/codeql-action/upload-sarif@v3 | |
| # with: | |
| # sarif_file: results_sarif.sarif | |
| # wait-for-processing: true | |
| # category: checkov | |
| - name: Build Severity Mapper container | |
| run: docker build -t checkov-severity-mapper -f mapper/Dockerfile mapper/ | |
| - name: Run Severity Calibration | |
| run: | | |
| docker run --rm -v $(pwd):/data/ checkov-severity-mapper | |
| - name: Upload calibrated Checkov SARIF report | |
| if: success() || failure() | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: checkov_findings_high_critical.sarif | |
| wait-for-processing: true | |
| category: checkov | |
| - name: Upload Terrascan SARIF report | |
| if: success() || failure() | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: terrascan.sarif | |
| wait-for-processing: true | |
| category: terrascan | |
| - name: Upload tfsec SARIF report | |
| if: success() || failure() | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: tfsec.sarif | |
| wait-for-processing: true | |
| category: tfsec | |
| - name: Upload Reports | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: infra-scan-results | |
| path: ./*.sarif | |
| check-dependabot-alerts: | |
| name: Code Dependencies Scan | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Check for Dependabot Alerts | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{ secrets.GH_PAT }} | |
| script: | | |
| const alerts = await github.rest.dependabot.listAlertsForRepo({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| headers: { | |
| 'Accept': 'application/vnd.github+json' | |
| } | |
| }); | |
| if (alerts.data.length > 0) { | |
| console.error(`Found ${alerts.data.length} open Dependabot alerts:`); | |
| alerts.data.forEach(alert => { | |
| console.error(`- Severity: ${alert.security_advisory.severity}`); | |
| console.error(` Summary: ${alert.security_advisory.summary}`); | |
| console.error(` Package: ${alert.dependency.package.name}`); | |
| }); | |
| // Explicitly fail the workflow | |
| core.setFailed(`${alerts.data.length} open Dependabot alerts found`); | |
| } | |
| owasp: | |
| name: Web Security Scan | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Start Web Application | |
| run: | | |
| docker compose -f web-app/docker-compose.yml up -d | |
| - name: Create reports directory | |
| run: | | |
| mkdir -p reports | |
| chmod -R 777 reports | |
| - name: ZAP Automation Framework Scan | |
| uses: zaproxy/[email protected] | |
| with: | |
| plan: '.github/workflows/zap/plan.yml' # Path to the automation framework plan | |
| docker_name: 'ghcr.io/zaproxy/zaproxy:stable' # Optional: specify ZAP Docker image | |
| - name: Fix SARIF URIs | |
| if: always() | |
| run: | | |
| sudo apt-get update && sudo apt-get install -y jq | |
| # Convert http URLs to file URLs and update the SARIF file | |
| jq '.runs[].results[].locations[].physicalLocation.artifactLocation.uri |= "file://" + .' reports/zap-scan-report.json > reports/zap-scan-report.sarif | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: reports/zap-scan-report.sarif | |
| - name: Stop Web Application | |
| if: always() | |
| run: docker compose -f web-app/docker-compose.yml down | |
| - name: Upload ZAP Report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: zap-scan-results | |
| path: | | |
| reports/zap-scan-report.sarif | |
| code-scan: | |
| name: Python Security Scan | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.10' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install bandit bandit-sarif-formatter | |
| - name: Run Bandit security scan | |
| run: | | |
| bandit -r python-app -f sarif -o bandit-results.sarif | |
| - name: Upload SARIF results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() # Upload results whether the scan passed or failed | |
| with: | |
| sarif_file: bandit-results.sarif | |
| category: Bandit | |
| - name: Upload Reports | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: infra-scan-results | |
| path: bandit-results.sarif |