-
Notifications
You must be signed in to change notification settings - Fork 0
84 lines (66 loc) · 2.35 KB
/
ci-pipeline.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
name: CI Pipeline
permissions:
contents: read
pull-requests: write
checks: write
actions: read
on:
push:
branches:
- main
pull_request:
jobs:
build-verification:
name: Build Verification
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.5.0
- name: Terraform Init
run: terraform init -backend=false
working-directory: infrastructure
- name: Terraform Validate
run: terraform validate
working-directory: infrastructure
static-code-analysis:
name: Static Code Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.5.0
- name: Check Terraform Format
run: terraform fmt -check
working-directory: infrastructure
- name: Run Terraform Lint
uses: terraform-linters/setup-tflint@v1
with:
tflint_version: latest
- run: tflint
- name: Install Checkov
run: sudo apt-get update && sudo apt-get install -y python3-pip && pip3 install checkov
- name: Run Checkov Scan
run: checkov --directory infrastructure --skip-path example_resource --skip-path example.tf
- name: Install GitLeaks
run: |
curl -sSL https://github.com/zricethezav/gitleaks/releases/download/v8.2.4/gitleaks_8.2.4_linux_x64.tar.gz | tar -xz
sudo mv gitleaks /usr/local/bin/
- name: Run GitLeaks Scan
run: gitleaks detect --source . --config-path ../.gitleaks.toml
- name: Install Trivy
run: |
sudo apt-get update
sudo apt-get install -y wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install -y trivy
- name: Run Trivy Scan
run: trivy filesystem --security-checks vuln,config --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed .