terraform-provider-bitwarden-secrets/.github/workflows/scan.yml at main · bitwarden/terraform-provider-bitwarden-secrets · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
name: Scan

on:
  workflow_dispatch:
  push:
    branches:
      - "main"
  pull_request:
    types: [opened, synchronize, reopened]
    branches-ignore:
      - main
  pull_request_target:
    types: [opened, synchronize, reopened]
    branches:
      - main

permissions: {}

jobs:
  check-run:
    name: Check PR run
    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
    permissions:
      contents: read

  sast:
    name: Checkmarx
    uses: bitwarden/gh-actions/.github/workflows/_checkmarx.yml@main
    needs: check-run
    secrets:
      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
    permissions:
      contents: read
      pull-requests: write
      security-events: write
      id-token: write

  quality:
    name: Sonar
    uses: bitwarden/gh-actions/.github/workflows/_sonar.yml@main
    needs: check-run
    secrets:
      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
    permissions:
      contents: read
      pull-requests: write
      id-token: write