Disable terraform_required_version rule for examples #77

Workflow file for this run

.github/workflows/security.yml at 37862d7

	name: Security

	on:
	push:
	branches: ["main"]
	pull_request:
	branches: ["main"]
	schedule:
	# Run weekly on Monday at 00:00 UTC
	- cron: '0 0 * * 1'

	permissions:
	contents: read
	security-events: write

	jobs:
	# Verify commit signatures on PRs
	verify-signatures:
	runs-on: ubuntu-latest
	if: github.event_name == 'pull_request'
	steps:
	- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
	with:
	fetch-depth: 0

	- name: Verify commit signatures
	run: \|
	echo "Checking commit signatures for PR commits..."
	# Get the merge base and check all commits since then
	BASE_SHA="${{ github.event.pull_request.base.sha }}"
	HEAD_SHA="${{ github.event.pull_request.head.sha }}"

	UNSIGNED_COMMITS=""
	while IFS= read -r commit; do
	if ! git verify-commit "$commit" 2>/dev/null; then
	UNSIGNED_COMMITS="$UNSIGNED_COMMITS $commit"
	fi
	done < <(git rev-list "$BASE_SHA".."$HEAD_SHA")

	if [ -n "$UNSIGNED_COMMITS" ]; then
	echo "::warning::The following commits are not signed:$UNSIGNED_COMMITS"
	echo "Consider signing your commits with GPG. See: https://docs.github.com/en/authentication/managing-commit-signature-verification"
	else
	echo "All commits are signed!"
	fi

	# Run gosec security scanner
	gosec:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4

	- name: Run Gosec Security Scanner
	uses: securego/gosec@d4617f51baf75f4f809066386a4f9d27b3ac3e46 # v2.21.4
	with:
	args: '-no-fail -fmt sarif -out results.sarif ./...'

	- name: Upload SARIF file
	uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
	with:
	sarif_file: results.sarif
	if: always()

	# Dependency review for PRs
	dependency-review:
	runs-on: ubuntu-latest
	if: github.event_name == 'pull_request'
	steps:
	- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4

	- name: Dependency Review
	uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2

	# Trivy vulnerability scanning
	trivy:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4

	- name: Run Trivy vulnerability scanner (filesystem)
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
	with:
	scan-type: 'fs'
	scan-ref: '.'
	format: 'sarif'
	output: 'trivy-fs-results.sarif'
	severity: 'CRITICAL,HIGH,MEDIUM'

	- name: Upload Trivy filesystem scan results
	uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
	with:
	sarif_file: 'trivy-fs-results.sarif'
	category: 'trivy-filesystem'
	if: always()

	- name: Run Trivy license scanner
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
	with:
	scan-type: 'fs'
	scan-ref: '.'
	scanners: 'license'
	format: 'table'
	severity: 'CRITICAL,HIGH'
	continue-on-error: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Disable terraform_required_version rule for examples #77

Workflow file

Disable terraform_required_version rule for examples #77

Uh oh!

Workflow file for this run