diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
new file mode 100644
index 0000000..3810d6d
--- /dev/null
+++ b/.github/workflows/snyk.yml
@@ -0,0 +1,74 @@
+---
+name: "Security Scan: Snyk IaC"
+
+on:
+ push:
+
+jobs:
+ snyk:
+ runs-on: ubuntu-latest
+
+ strategy:
+ # see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast
+ fail-fast: false
+ matrix:
+ # The Snyk IaC GitHub Action currently only supports single files (via the `file` attribute in `with`).
+ # To work around this, a GitHub Actions Strategy is used to provide the files that should be tested.
+ terraform_files:
+ - "./examples/basic/main.tf"
+ - "./examples/basic/providers.tf"
+ - "./examples/basic/terraform.tf"
+ - "./examples/branch_protection/main.tf"
+ - "./examples/branch_protection/providers.tf"
+ - "./examples/branch_protection/terraform.tf"
+ - "./examples/complex/main.tf"
+ - "./examples/complex/providers.tf"
+ - "./examples/complex/terraform.tf"
+ - "./examples/deploy_keys/main.tf"
+ - "./examples/deploy_keys/providers.tf"
+ - "./examples/deploy_keys/terraform.tf"
+ - "./examples/files/main.tf"
+ - "./examples/files/providers.tf"
+ - "./examples/files/terraform.tf"
+ - "./examples/issue_labels/main.tf"
+ - "./examples/issue_labels/providers.tf"
+ - "./examples/issue_labels/terraform.tf"
+ - "./examples/pages/main.tf"
+ - "./examples/pages/providers.tf"
+ - "./examples/pages/terraform.tf"
+ - "./examples/project/main.tf"
+ - "./examples/project/providers.tf"
+ - "./examples/project/terraform.tf"
+ - "./examples/project_columns/main.tf"
+ - "./examples/project_columns/providers.tf"
+ - "./examples/project_columns/terraform.tf"
+ - "./examples/template/main.tf"
+ - "./examples/template/providers.tf"
+ - "./examples/template/terraform.tf"
+ - "./examples/webhook/main.tf"
+ - "./examples/webhook/providers.tf"
+ - "./examples/webhook/terraform.tf"
+
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+
+ # see https://github.com/snyk/actions/tree/master/iac
+ - name: Lint Code with Snyk
+ uses: snyk/actions/iac@master
+ env:
+ # see https://github.com/snyk/actions#getting-your-snyk-token
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ file: ${{ matrix.terraform_files }}
+ # see https://docs.snyk.io/products/snyk-infrastructure-as-code/snyk-cli-for-infrastructure-as-code/iac-ignores-using-the-.snyk-policy-file#policy-flags-and-policy-file-notes
+ args: --policy-path=.snyk --org=${{ secrets.SNYK_ORG }}
+ sarif: true
+
+# # see https://github.com/github/codeql-action/tree/main/upload-sarif
+# - name: Upload Snyk IaC results to GitHub Code Scanning
+# uses: github/codeql-action/upload-sarif@v2
+# with:
+# sarif_file: snyk.sarif
diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml
index f1c03ad..ea10d20 100644
--- a/.github/workflows/superlinter.yml
+++ b/.github/workflows/superlinter.yml
@@ -10,18 +10,19 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 # Full git history is needed to get a proper list of changed files within `super-linter`
 fetch-depth: 0
 - name: Lint Code with Super-Linter
- uses: github/super-linter@v4
+ uses: super-linter/super-linter/slim@v6
 env:
- VALIDATE_ALL_CODEBASE: true
 DEFAULT_BRANCH: "main"
 DISABLE_ERRORS: false
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 TERRAFORM_TFLINT_CONFIG_FILE: ".tflint.hcl"
+ VALIDATE_ALL_CODEBASE: true
 VALIDATE_BASH: true
 VALIDATE_JSON: true
 VALIDATE_MD: true
diff --git a/.github/workflows/terraform-docs.yml b/.github/workflows/terraform-docs.yml
index bab926d..c09acf5 100644
--- a/.github/workflows/terraform-docs.yml
+++ b/.github/workflows/terraform-docs.yml
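Review bot: The `uses: snyk/actions/iac@master` line pins a third-party action that is handed `SNYK_TOKEN` to a mutable branch, so whatever lands on that branch next runs with the token; every other action this commit touches moves to a release tag, and this one should too, preferably a full commit SHA with the tag in a trailing comment (`uses: snyk/actions/iac@<full-commit-sha> # <release-tag>`). The new workflow also declares no `permissions:` block, so the job inherits the repository's default `GITHUB_TOKEN` scope although it only reads the checkout; a top-level `permissions:` with `contents: read` keeps it to least privilege, with `security-events: write` added only when the commented-out SARIF upload is enabled. Until that upload step is uncommented, `sarif: true` writes a `snyk.sarif` that nothing consumes, so findings are visible only in the job log.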
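Review bot: The added `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` hands the job token to super-linter, and nothing in the hunk restricts what that token may do (the top of the job, where a `permissions:` block would sit, is outside the hunk), so confirm the job is limited to `contents: read` plus the scope super-linter documents for reporting status, rather than the repository default. Separately, the comment above `fetch-depth: 0` says full history is needed to compute the changed-file list, yet `VALIDATE_ALL_CODEBASE: true` lints everything regardless, so one of the two is redundant; either set `VALIDATE_ALL_CODEBASE: false` to lint only changed files, or keep `true`, drop back to `fetch-depth: 1` and reword the comment.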
@@ -26,12 +26,12 @@ jobs:
 - "./examples/webhook"
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 ref: ${{ github.event.pull_request.head.ref }}
 - name: Render documentation for Module and push changes back to branch
- uses: terraform-docs/gh-actions@v1.0.0
+ uses: terraform-docs/gh-actions@v1.2.0
 with:
 config-file: ".terraform-docs.yml"
 output-file: "README.md"
@@ -40,7 +40,7 @@ jobs:
 working-dir: "./"
 - name: Render documentation for Examples and push changes back to branch
- uses: terraform-docs/gh-actions@v1.0.0
+ uses: terraform-docs/gh-actions@v1.2.0
 with:
 config-file: "../../.terraform-docs.yml"
 output-file: "README.md"
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index a9577bf..eba4b9d 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: 1
diff --git a/.github/workflows/tflint.yml b/.github/workflows/tflint.yml
index 42dfb3d..43e223d 100644
--- a/.github/workflows/tflint.yml
+++ b/.github/workflows/tflint.yml
@@ -27,12 +27,13 @@ jobs:
 steps:
 - name: Checkout Repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: 1
+ # see https://github.com/terraform-linters/setup-tflint/releases
 - name: Setup TFLint
- uses: terraform-linters/setup-tflint@v2.0.0
+ uses: terraform-linters/setup-tflint@v4.0.0
 with:
 tflint_version: latest
 github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -40,7 +41,7 @@ jobs:
 working-dir: "${{ matrix.examples }}"
 - name: Initialize TFLint
- run: tflint --init "${{ matrix.examples }}"
+ run: tflint --init --chdir "./${{ matrix.examples }}"
 - name: Run TFLint
- run: tflint --format=compact "${{ matrix.examples }}"
+ run: tflint --format=compact --chdir "./${{ matrix.examples }}"
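Review bot: The new `--chdir "./${{ matrix.examples }}"` makes tflint change directory before it runs, and if tflint looks up `.tflint.hcl` relative to the directory it has moved into, a config kept at the repository root (superlinter.yml in this same commit points at a root-level `.tflint.hcl`) may no longer be loaded by the per-example runs; confirm where the config is picked up from, or pass it explicitly with an absolute path, e.g. `run: tflint --init --chdir "./${{ matrix.examples }}" --config "$GITHUB_WORKSPACE/.tflint.hcl"`. Also, interpolating `${{ matrix.examples }}` directly into `run:` is the pattern GitHub's script-injection guidance warns against; `matrix.examples` is presumably a static list declared elsewhere in this file rather than attacker-controlled, but exporting it through `env:` and referencing `"$EXAMPLE_DIR"` in the command is the conventional guard and costs nothing.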