Security and Compliance Checks #38

Workflow file for this run

.github/workflows/security-checks.yml at 558c5c2

	name: "Security and Compliance Checks"

	on:
	pull_request:
	paths:
	- "*/.tf"
	- "*/.tfvars"
	- "scripts/**"
	push:
	branches: [main]
	schedule:
	# Run weekly compliance checks
	- cron: '0 2 * * 1'

	jobs:
	terraform-security:
	name: "Terraform Security Scan"
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	pull-requests: write

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Run tfsec
	uses: aquasecurity/tfsec-action@v1.0.3
	with:
	soft_fail: true
	format: sarif
	additional_args: --minimum-severity MEDIUM

	- name: Upload tfsec results to GitHub Security
	uses: github/codeql-action/upload-sarif@v3
	if: always()
	with:
	sarif_file: tfsec.sarif

	- name: Run Checkov
	uses: bridgecrewio/checkov-action@master
	with:
	directory: .
	framework: terraform
	soft_fail: true
	output_format: cli,sarif
	output_file_path: console,checkov.sarif

	- name: Upload Checkov results
	uses: github/codeql-action/upload-sarif@v3
	if: always()
	with:
	sarif_file: checkov.sarif

	compliance-assessment:
	name: "Compliance Assessment"
	if: github.event_name == 'schedule' \|\| github.ref == 'refs/heads/main'
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: read
	issues: write

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Authenticate to Google Cloud
	uses: google-github-actions/auth@v2
	with:
	workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
	service_account: ${{ secrets.TERRAFORM_ORGANIZATION_SA }}

	- name: Run Bulk Compliance Assessment
	run: \|
	echo "🔍 Running bulk compliance assessment..."

	# Create assessment report
	mkdir -p reports
	echo "# Compliance Assessment Report - $(date)" > reports/compliance-report.md
	echo "" >> reports/compliance-report.md

	# Get projects in legacy folder
	LEGACY_PROJECTS=$(gcloud projects list --filter="parent.id=933345237861" --format="value(projectId)" --limit=10)

	echo "## Legacy Projects Assessment" >> reports/compliance-report.md
	echo "\| Project \| Score \| Status \| Issues \|" >> reports/compliance-report.md
	echo "\|---------\|-------\|--------\|--------\|" >> reports/compliance-report.md

	for project in $LEGACY_PROJECTS; do
	echo "Assessing $project..."
	if ./scripts/assess-project-compliance.sh $project > /tmp/assessment.txt 2>&1; then
	SCORE=$(grep "COMPLIANCE_SCORE=" /tmp/assessment.txt \| cut -d'=' -f2)
	PERCENTAGE=$(grep "COMPLIANCE_PERCENTAGE=" /tmp/assessment.txt \| cut -d'=' -f2)
	ISSUES=$(grep "TOTAL_ISSUES=" /tmp/assessment.txt \| cut -d'=' -f2)

	if [ "$PERCENTAGE" -ge 80 ]; then
	STATUS="🟢 Ready for migration"
	elif [ "$PERCENTAGE" -ge 60 ]; then
	STATUS="🟡 Needs minor fixes"
	else
	STATUS="🔴 Needs major work"
	fi

	echo "\| $project \| $SCORE/10 ($PERCENTAGE%) \| $STATUS \| $ISSUES \|" >> reports/compliance-report.md
	else
	echo "\| $project \| ERROR \| ❌ Assessment failed \| N/A \|" >> reports/compliance-report.md
	fi
	done

	echo "" >> reports/compliance-report.md
	echo "## Recommendations" >> reports/compliance-report.md
	echo "- Move 🟢 projects to compliant-systems folder" >> reports/compliance-report.md
	echo "- Move 🟡 projects to migration-in-progress folder" >> reports/compliance-report.md
	echo "- Create remediation plans for 🔴 projects" >> reports/compliance-report.md

	- name: Create/Update Compliance Issue
	uses: actions/github-script@v7
	with:
	script: \|
	const fs = require('fs');
	const report = fs.readFileSync('reports/compliance-report.md', 'utf8');

	// Check if compliance issue exists
	const issues = await github.rest.issues.listForRepo({
	owner: context.repo.owner,
	repo: context.repo.repo,
	labels: ['compliance-report'],
	state: 'open'
	});

	const issueBody = `${report}

	---
	Auto-generated by compliance assessment workflow
	Last updated: ${new Date().toISOString()}`;

	if (issues.data.length > 0) {
	// Update existing issue
	await github.rest.issues.update({
	owner: context.repo.owner,
	repo: context.repo.repo,
	issue_number: issues.data[0].number,
	body: issueBody
	});
	} else {
	// Create new issue
	await github.rest.issues.create({
	owner: context.repo.owner,
	repo: context.repo.repo,
	title: '📊 Weekly Compliance Assessment Report',
	body: issueBody,
	labels: ['compliance-report', 'automation']
	});
	}

	secret-scanning:
	name: "Secret Scanning"
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Run GitLeaks
	uses: gitleaks/gitleaks-action@v2
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Terraform Vars Check
	run: \|
	echo "🔍 Checking for sensitive data in Terraform files..."

	# Check for common secrets patterns
	if grep -r -E "(password\|secret\|token\|key)" . --include=".tf" --include=".tfvars"; then
	echo "⚠️ Found potential sensitive data in Terraform files"
	echo "Make sure sensitive values are in terraform.tfvars (gitignored) or use variables"
	else
	echo "✅ No obvious sensitive data found"
	fi

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security and Compliance Checks #38

Workflow file

Security and Compliance Checks #38

Uh oh!

Workflow file for this run