Add Checkov action to CI/CD pipeline (#1087)

* add checkov workflow * suppress false positive * supress check * suppress inputs * supress manual inputs * set permissions to read all * set read all * add checkov to pipeline * fixed security on run update opa * start workflow * finish workflow * try different analyzer * fix lint * add wrong verb in PS for test * lint ps w windows * set path * no output * show results * fix shell * just commandline * set warning * changed default shell * use profile * fix singular nouns * full on pipeline * remove security push * Remove comments and unused ML config
cisagov · May 20, 2024 · 034d883 · 034d883
1 parent 943c003
commit 034d883
Show file tree

Hide file tree

Showing 17 changed files with 18,780 additions and 22,006 deletions.
diff --git a/.github/workflows/build_sign_release.yaml b/.github/workflows/build_sign_release.yaml
@@ -5,6 +5,7 @@ name: Build and Draft Release
 on:
   workflow_dispatch:
     inputs:
+      # checkov:skip=CKV_GHA_7:Manual inputs are desired.
       releaseName:
         description: "Release Name"
         required: true
@@ -19,6 +20,8 @@ on:
         type: boolean
         default: true
 
+permissions: read-all
+
 jobs:
   build-and-draft:
     name: Build and Draft Release

diff --git a/.github/workflows/check_security.yaml b/.github/workflows/check_security.yaml
@@ -0,0 +1,27 @@
+# Purpose: Run a static analysis code checker against the repo.
+
+name: Check Security
+
+# This is a reusable workflow called by the pipeline.
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  check-security:
+    name: MegaLint Checkov
+    runs-on: ubuntu-latest
+    # This condition prevents duplicate runs.
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Setup Config File
+        run: cp Testing/Linting/MegaLinter/.mega-linter-security.yml .mega-linter.yml
+      - name: Check Security
+        uses: oxsecurity/megalinter/flavors/security@latest
diff --git a/.github/workflows/lint_powershell.yaml b/.github/workflows/lint_powershell.yaml
@@ -7,21 +7,23 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   powershell-lint-check:
     name: MegaLint PowerShell Check
-    runs-on: ubuntu-latest
+    # runs-on: ubuntu-latest
+    runs-on: windows-latest
     # This condition prevents duplicate runs.
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     defaults:
       run:
-        shell: bash
+        shell: pwsh
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
-      - name: Setup Config File
-        run: cp Testing/Linting/MegaLinter/.mega-linter-powershell.yml .mega-linter.yml
       - name: Setup PSScriptAnalyzer settings
         run: cp Testing/Linting/MegaLinter/.powershell-psscriptanalyzer.psd1 .powershell-psscriptanalyzer.psd1
-      - name: Lint PowerShell
-        uses: oxsecurity/megalinter/flavors/dotnet@latest
+      - name: Run PSScriptAnalyzer on PowerShell Scripts
+        run: |
+          Invoke-ScriptAnalyzer -Path ./ -Recurse -Severity Warning -EnableExit -Profile .powershell-psscriptanalyzer.psd1
diff --git a/.github/workflows/lint_yaml.yaml b/.github/workflows/lint_yaml.yaml
@@ -7,6 +7,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   yaml-lint-check:
     name: MegaLint YAML Check

diff --git a/.github/workflows/publish_private_package.yaml b/.github/workflows/publish_private_package.yaml
@@ -14,6 +14,8 @@ on:
   #     - ".github/workflows/publish_private_package.yaml"
   #     - "utils/DeployUtils.ps1"
 
+permissions: read-all
+
 env:
   GalleryName: PrivateScubaGearGallery
 

diff --git a/.github/workflows/publish_public_package.yaml b/.github/workflows/publish_public_package.yaml
@@ -5,6 +5,7 @@ name: Publish Public Package
 on:
   workflow_dispatch:
     inputs:
+      # checkov:skip=CKV_GHA_7:Manual inputs are desired.
       OverrideModuleVersion:
         description: "Override the version of the release. Restricted to SemVer 1.0 - 3 segments"
         required: false
@@ -24,6 +25,8 @@ on:
   #     - ".github/workflows/publish_public_package.yaml"
   #     - "utils/DeployUtils.ps1"
 
+permissions: read-all
+
 jobs:
   publish:
     name: Publish to PSGallery

diff --git a/.github/workflows/run_module_version_bump.yml b/.github/workflows/run_module_version_bump.yml
@@ -3,11 +3,14 @@ name: Module Version Bump
 on:
   workflow_dispatch:
     inputs:
+      # checkov:skip=CKV_GHA_7:Manual inputs are desired.
       newVersionNumber:
         description: "New Version number (e.g., 1.2.4)"
         required: true
         type: string
 
+permissions: read-all
+
 jobs:
   module-version-bump:
     runs-on: windows-latest

diff --git a/.github/workflows/run_pipeline.yaml b/.github/workflows/run_pipeline.yaml
@@ -1,5 +1,5 @@
 # Purpose:  Run the CI/CD pipeline that tests, packages, and publishes ScubaGear.
-# Note:  This pipeline is a work in progress.  At the moment, it is only doing linting, syntax checking, and unit testing.
+# Note:  This pipeline is a work in progress.  At the moment, it is only doing linting, syntax checking, security scanning, and unit testing.
 
 name: Run the CI/CD Pipeline
 
@@ -8,22 +8,44 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
+  # Lint and Syntax Checks
   lint-yaml:
     name: Lint
     uses: ./.github/workflows/lint_yaml.yaml
   lint-powershell:
     name: Lint
     uses: ./.github/workflows/lint_powershell.yaml
+  syntax-markdown:
+    name: Syntax
+    uses: ./.github/workflows/syntax_check_markdown.yaml
+  # Security Checks
   scan-secret:
     name: Security
+    needs:
+      - lint-yaml
+      - lint-powershell
+      - syntax-markdown
     uses: ./.github/workflows/run_secret_scan.yaml
-  syntax:
-    name: Syntax
-    uses: ./.github/workflows/syntax_check_markdown.yaml
+  check-security:
+    name: Security
+    needs:
+      - lint-yaml
+      - lint-powershell
+      - syntax-markdown
+    uses: ./.github/workflows/check_security.yaml
+  # Unit Tests
   unit-powershell:
     name: Unit
+    needs:
+      - scan-secret
+      - check-security
     uses: ./.github/workflows/unit_test_powershell.yaml
   unit-opa:
     name: Unit
+    needs:
+      - scan-secret
+      - check-security
     uses: ./.github/workflows/unit_test_opa.yaml
diff --git a/.github/workflows/run_secret_scan.yaml b/.github/workflows/run_secret_scan.yaml
@@ -6,6 +6,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   secret-scan:
     name: MegaLint Gitleaks

diff --git a/.github/workflows/run_smoke_test.yaml b/.github/workflows/run_smoke_test.yaml
@@ -18,6 +18,8 @@ on:
       - "main"
       - "*smoke*"
 
+permissions: read-all
+
 jobs:
   smoke-tests:
     name: Smoke Tests

diff --git a/.github/workflows/run_update_opa.yaml b/.github/workflows/run_update_opa.yaml
@@ -6,6 +6,8 @@ on:
         - cron: "11 2 * * 1-5"
     workflow_dispatch:
 
+permissions: read-all
+
 jobs:
     update-opa-dependency:
         runs-on: windows-latest

diff --git a/.github/workflows/syntax_check_markdown.yaml b/.github/workflows/syntax_check_markdown.yaml
@@ -7,6 +7,8 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   markdown-check:
     name: Markdown Syntax Checks

diff --git a/.github/workflows/test_production_function.yaml b/.github/workflows/test_production_function.yaml
@@ -13,6 +13,8 @@ on:
     - cron: "15 4 * * 0-4"
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   # Build a matrix of aliases for testing.
   build-matrix:

diff --git a/.github/workflows/unit_test_opa.yaml b/.github/workflows/unit_test_opa.yaml
@@ -7,8 +7,11 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: read-all
+
 env:
   MODULE_ROOT: PowerShell/ScubaGear
+
 jobs:
   opa-tests:
     name: OPA Unit Tests