OLH-3903: add Checkov check #770
Status: Merged
Changes from 19 commits (21 commits in total)
Commits:
24b28c5 (martin-gwar): OLH-3903: adding checkov checks
9a4435c (martin-gwar): OLH-3903: skipped cloudformation template due to Fn::If
e2d67f2 (martin-gwar): OLH-3903: added checkov checks
c62303e (martin-gwar): OLH-3903: added checkov checks
bc8870f (martin-gwar): OLH-3903: fixed checks CKV_OPENAPI_4/5 and CKV_DOCKER_2/3/4
653f35c (martin-gwar): OLH-3903: CKV_OPENAPI_4/5 skip
bf81a39 (martin-gwar): OLH-3903: aws skip checks
34f9384 (martin-gwar): OLH-3903: CKV_AWS_124 Intentionally omitted sending event notificat…
03d123e (martin-gwar): OLH-3903: checkov fix
3645271 (martin-gwar): OLH-3903: adding permissions
09eab6d (martin-gwar): OLH-3903: updated dockerfile changes
3d6de42 (martin-gwar): OLH-3903: updated dockerfile changes
7a9efc4 (martin-gwar): OLH-3903: reverted Dockerfile healthcheck
d7b2e20 (martin-gwar): OLH-3903: added comments
0c40329 (martin-gwar): OLH-3903: updated Dockerfile
6fa59af (martin-gwar): OLH-3903: updated Dockerfile
4d41b96 (martin-gwar): OLH-3903: Reset submodule to match main branch
128c753 (martin-gwar): removed changes not required
6564415 (martin-gwar): removed security no default
02f1552 (martin-gwar): moved checkov checks to check.yaml
ced408f (martin-gwar): OLH-3903: formatting
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| name: Checkov | ||
|
|
||
| on: | ||
| pull_request: | ||
| merge_group: | ||
|
|
||
| jobs: | ||
| checkov: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: Checkov GitHub Action | ||
|
|
||
| uses: bridgecrewio/checkov-action@eec884fd62682f5f2b33e303e160d5e2fe8d89ec # v12.3052.0 | ||
| with: | ||
| directory: . | ||
| output_format: cli | ||
| output_file_path: console | ||
| # skip_path skips solutions/app-infra/template.yaml due to a checkov bug where Fn::If | ||
| # inside SAM Globals causes a ValueError crash (invalid literal for int() with base 10: 'Fn::If'). | ||
| # cfn-lint still runs against this template via the cfnlint CI step. | ||
| # See: https://github.com/bridgecrewio/checkov/issues/6804 | ||
| skip_path: solutions/app-infra/template.yaml | ||
| # CKV_GHA_7 flags workflow_dispatch inputs but these workflows use gitRef solely | ||
| # to select the deployment revision, not to affect build output. | ||
| # CKV2_GHA_1 flags missing top-level permissions but all jobs in affected workflows | ||
| # already define their own explicit permissions, making a top-level block redundant. | ||
| # CKV_OPENAPI_21 flags omitting maxItems leaves arrays unbounded, created OLH-4092 | ||
| # CKV_OPENAPI_4 and CKV_OPENAPI_5 flag empty security but public endpoints | ||
| # (token, authorize, .well-known) intentionally have no authentication | ||
| # CKV_AWS_18 flags missing S3 access logging and CKV_AWS_111 flags IAM policies | ||
| # without write access constraints, created OLH-4093 to implement | ||
| # CKV_AWS_124 Intentionally ommitted as SNS topics do not exist. | ||
| # CKV_DOCKER_4 flags Dockerfiles using ADD instead of RUN curl and CKV_DOCKER_2 | ||
| # flags missing HEALTHCHECK instructions, created OLH-4094 to implement. | ||
| # CKV_DOCKER_3: "need a non-user root user" is intentionally omitted as the integration tests container needs root permissions to run AWS CLI commands and install dependencies. | ||
| skip_check: CKV_GHA_7,CKV2_GHA_1,CKV_OPENAPI_21,CKV_OPENAPI_4,CKV_OPENAPI_5,CKV_AWS_18,CKV_AWS_111,CKV_AWS_124,CKV_DOCKER_2,CKV_DOCKER_3,CKV_DOCKER_4 | ||
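Review bot: the workflow sets no `permissions:` block at the top level or on the `checkov` job, so the job runs with the repository's default GITHUB_TOKEN permissions, and this contradicts the reason given for skipping CKV2_GHA_1 ("all jobs in affected workflows already define their own explicit permissions"), since this job defines none. Add a top-level `permissions:` with `contents: read`; the action only needs to read the checked-out tree when writing results to `console`, and the same change resolves the CodeQL finding attached to this file. Two smaller points in the comment block: `ommitted` on the CKV_AWS_124 line should be `omitted`, and the quoted description for CKV_DOCKER_3 ("need a non-user root user") is garbled and should say the container should run as a non-root user. Finally, the CKV_OPENAPI_4/5, CKV_AWS_18/111 and CKV_DOCKER_2/4 entries in `skip_check` are repository-wide, so they also silence those checks for any spec, template or Dockerfile added later; where the file format supports it, an inline `checkov:skip=` annotation on the specific resource keeps the justification next to the finding and leaves the check active everywhere else.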
Code scanning / CodeQL (Medium): Workflow does not contain permissions.
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
github-advanced-security[bot] marked this conversation as resolved. Fixed