OLH-3903: add Checkov check #16
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Checkov | |
| on: | |
| pull_request: | |
| merge_group: | |
| jobs: | |
| checkov: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Checkov GitHub Action | |
| uses: bridgecrewio/checkov-action@eec884fd62682f5f2b33e303e160d5e2fe8d89ec # v12.3052.0 | |
| with: | |
| directory: . | |
| output_format: cli | |
| output_file_path: console | |
| # skip_path skips solutions/app-infra/template.yaml due to a checkov bug where Fn::If | |
| # inside SAM Globals causes a ValueError crash (invalid literal for int() with base 10: 'Fn::If'). | |
| # cfn-lint still runs against this template via the cfnlint CI step. | |
| # See: https://github.com/bridgecrewio/checkov/issues/6804 | |
| skip_path: solutions/app-infra/template.yaml | |
| # CKV_GHA_7 flags workflow_dispatch inputs but these workflows use gitRef solely | |
| # to select the deployment revision, not to affect build output. | |
| # CKV2_GHA_1 flags missing top-level permissions but all jobs in affected workflows | |
| # already define their own explicit permissions, making a top-level block redundant. | |
| # CKV_OPENAPI_21 flags omitting maxItems leaves arrays unbounded, created OLH-4092 | |
| # CKV_OPENAPI_4 and CKV_OPENAPI_5 flag empty security but public endpoints | |
| # (token, authorize, .well-known) intentionally have no authentication | |
| # CKV_AWS_18 flags missing S3 access logging and CKV_AWS_111 flags IAM policies | |
| # without write access constraints, created OLH-4093 to implement | |
| # CKV_AWS_124 Intentionally ommitted as SNS topics do not exist. | |
| # CKV_DOCKER_4 flags Dockerfiles using ADD instead of RUN curl and CKV_DOCKER_2 | |
| # flags missing HEALTHCHECK instructions, created OLH-4094 to implement. | |
| # CKV_DOCKER_3: "need a non-user root user" is intentionally omitted as the integration tests container needs root permissions to run AWS CLI commands and install dependencies. | |
| skip_check: CKV_GHA_7,CKV2_GHA_1,CKV_OPENAPI_21,CKV_OPENAPI_4,CKV_OPENAPI_5,CKV_AWS_18,CKV_AWS_111,CKV_AWS_124,CKV_DOCKER_2,CKV_DOCKER_3,CKV_DOCKER_4 |