OLH-3903: add Checkov check #5
| name: Checkov | |
| on: | |
| pull_request: | |
| merge_group: | |
| jobs: | |
| checkov: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: Checkov GitHub Action | |
| uses: bridgecrewio/checkov-action@eec884fd62682f5f2b33e303e160d5e2fe8d89ec # v12.3052.0 | |
| with: | |
| directory: . | |
| output_format: cli | |
| output_file_path: console | |
| # skip_path skips solutions/app-infra/template.yaml due to a checkov bug where Fn::If | |
| # inside SAM Globals causes a ValueError crash (invalid literal for int() with base 10: 'Fn::If'). | |
| # cfn-lint still runs against this template via the cfnlint CI step. | |
| # See: https://github.com/bridgecrewio/checkov/issues/6804 | |
| skip_path: solutions/app-infra/template.yaml | |
| # CKV_GHA_7 flags workflow_dispatch inputs but these workflows use gitRef solely | |
| # to select the deployment revision, not to affect build output. | |
| # CKV2_GHA_1 flags missing top-level permissions but all jobs in affected workflows | |
| # already define their own explicit permissions, making a top-level block redundant. | |
| # CKV_OPENAPI_21 flags omitting maxItems leaves arrays unbounded, created OLH-4092 | |
| skip_check: CKV_GHA_7,CKV2_GHA_1,CKV_OPENAPI_21 | |
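Review bot: the new `checkov` job defines no `permissions:` block, so it runs with the repository's default GITHUB_TOKEN scope, which undercuts the rationale given for skipping CKV2_GHA_1 ("all jobs in affected workflows already define their own explicit permissions"): this workflow is one that does not. Suggest adding `permissions: contents: read` at the top level (or on the job) so the scan job keeps least privilege and the skip comment stays accurate. Also, `skip_check` suppresses CKV_GHA_7, CKV2_GHA_1 and CKV_OPENAPI_21 repository-wide rather than only on the files the comments describe; scoping the suppressions with checkov's inline `checkov:skip=` comments on the affected files would let new workflows and specs still receive those checks. Pinning both actions by commit SHA with the version in a trailing comment is the right supply-chain practice and should be kept. Minor: the CKV_OPENAPI_21 comment ("flags omitting maxItems leaves arrays unbounded, created OLH-4092") reads awkwardly; stating that the skip is temporary pending OLH-4092 would make the intent clearer.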