chore: synced file(s) with honestbank/.github

.checkov.yaml

@@ -4,9 +4,10 @@ directory:
 download-external-modules: true
 evaluate-variables: true
 external-modules-download-path: .external_modules
-#framework:
-#- all
+framework:
+- all
 quiet: true
 skip-path:
   - .external_modules
   - modules
+  - catalog-info.yml

.github/CODEOWNERS

@@ -8,4 +8,4 @@
 # the repo. Unless a later match takes precedence,
 # @global-owner1 and @global-owner2 will be requested for
 # review when someone opens a pull request.
-*       @honestbank/devops-engineers @honestbank/backend-engineers
+*       @honestbank/devops-engineers

.github/pull_request_template.md

@@ -6,7 +6,7 @@
 
 -->
 
-## Pull Request Submission Checklist
+### Pull Request Submission Checklist
 
 Please confirm that you have done the following before requesting reviews:
 
@@ -17,3 +17,9 @@ Please confirm that you have done the following before requesting reviews:
 ### Description
 
 * <!-- WRITE A SHORT DESCRIPTION OF CHANGES -->
+
+### Experiment Link
+
+<!-- All code changes require an experiment - you can get started at https://www.notion.so/honestbank/How-to-create-a-feature-flag-ON-OFF-on-GrowthBook-0a11a156397d4eca89fb76dad0eb921c?pvs=4 -->
+
+GrowthBook Experiment Link: https://app.growthbook.io/features/

.github/workflows/checkov.yaml

@@ -1,21 +1,27 @@
-name: "Checkov GitHub Action"
-on:
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+---
+name: "repository-checkov"
+permissions: read-all
+
+on:  # yamllint disable-line rule:truthy
   pull_request:
-    branches: [test, dev, qa, prod, main]
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+  push:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
 
 jobs:
-  checkov:
-    name: checkov
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          submodules: "recursive"
-          token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }}
-      - name: Run Checkov
-        id: checkov
-        uses: bridgecrewio/checkov-action@master
-        with:
-          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
-          quiet: true # optional: display only failed checks
+  repository-checkov:
+    name: repository-checkov
+    uses: honestbank/workflows/.github/workflows/shared-checkov.yaml@main
+    secrets: inherit

.github/workflows/shiftleft-terraform.yaml

@@ -1,26 +1,33 @@
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
 ---
-# This workflow integrates ShiftLeft NG SAST with GitHub
-# Visit https://docs.shiftleft.io for help
-name: shiftleft-terraform
+name: "repository-shiftleft-terraform"
+permissions: read-all
 
-on:
+on:  # yamllint disable-line rule:truthy
   pull_request:
-  workflow_dispatch:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+  push:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    # schedule a job to run every day at 17:30 UTC
+    - cron: '30 17 * * *'
 
 jobs:
-  shiftleft-terraform:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - run: echo "REPO_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV
-    - name: Download ShiftLeft CLI
-      run: |
-        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
-    - name: Extract branch name
-      shell: bash
-      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
-      id: extract_branch
-    - name: NextGen Static Analysis
-      run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app ${{ env.REPO_NAME}} --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --terraform $(pwd)
-      env:
-        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+  repository-shiftleft-terraform:
+    name: repository-shiftleft-terraform
+    uses: honestbank/workflows/.github/workflows/shared-terraform-shiftleft.yaml@main
+    with:
+      repo_name: ${{ github.event.repository.name }}
+    secrets: inherit

.pre-commit-config.yaml

@@ -1,25 +1,33 @@
+# DO NOT CHANGE. This file is being managed from a central repository
+# To know more simply visit https://github.com/honestbank/.github/blob/main/docs/about.md
+
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
+
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v4.4.0 # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
       - id: check-yaml
       - id: check-added-large-files
+      - id: detect-aws-credentials
+        args: ["--allow-missing-credentials"]
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.76.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.77.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
       - id: terraform_validate
-        exclude: test/
       - id: terraform_tfsec
-        exclude: test/
+        exclude: "test/"
       - id: terraform_checkov
-        exclude: test/
-  - repo: https://github.com/zricethezav/gitleaks
-    rev: v8.15.0
-    hooks:
-      - id: gitleaks
+        exclude: "test/"
+  -   repo: https://github.com/gitguardian/ggshield
+      rev: v1.14.2
+      hooks:
+        - id: ggshield
+          language: python
+          stages: [commit]
+          args: [ 'secret', 'scan', 'pre-commit' ]