|
12 | 12 | permissions: |
13 | 13 | contents: read |
14 | 14 | pull-requests: write |
| 15 | + security-events: write |
15 | 16 |
|
16 | 17 | jobs: |
17 | 18 | terraform-ci: |
@@ -51,22 +52,39 @@ jobs: |
51 | 52 | with: |
52 | 53 | tflint_version: latest |
53 | 54 |
|
54 | | - - name: Run TFLint |
55 | | - run: tflint --recursive |
56 | | - working-directory: infra |
| 55 | + - name: Run TFLint (with annotations) |
| 56 | + uses: terraform-linters/tflint-pr-commenter-action@v1 |
| 57 | + with: |
| 58 | + github_token: ${{ secrets.GITHUB_TOKEN }} |
| 59 | + tflint_command: "tflint --recursive" |
| 60 | + directory: "infra" |
57 | 61 |
|
58 | | - - name: Run tfsec |
| 62 | + - name: Run tfsec (SARIF) |
59 | 63 | uses: aquasecurity/tfsec-action@v1.0.3 |
60 | 64 | with: |
61 | 65 | working_directory: infra |
62 | 66 | github_token: ${{ secrets.GITHUB_TOKEN }} |
| 67 | + format: sarif |
| 68 | + output_file: tfsec.sarif |
| 69 | + |
| 70 | + - name: Upload tfsec SARIF |
| 71 | + uses: github/codeql-action/upload-sarif@v3 |
| 72 | + with: |
| 73 | + sarif_file: tfsec.sarif |
63 | 74 |
|
64 | | - - name: Run Checkov |
| 75 | + - name: Run Checkov (SARIF) |
65 | 76 | uses: bridgecrewio/checkov-action@v12 |
66 | 77 | with: |
67 | 78 | directory: infra |
68 | 79 | config_file: .checkov.yml |
69 | 80 | quiet: true |
| 81 | + output_format: sarif |
| 82 | + output_file_path: checkov.sarif |
| 83 | + |
| 84 | + - name: Upload Checkov SARIF |
| 85 | + uses: github/codeql-action/upload-sarif@v3 |
| 86 | + with: |
| 87 | + sarif_file: checkov.sarif |
70 | 88 |
|
71 | 89 | - name: Publish Terraform CI summary |
72 | 90 | if: ${{ success() }} |
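Review bot: The `Upload tfsec SARIF` and `Upload Checkov SARIF` steps carry no `if:` condition, so they run only when the preceding scan step succeeded; on the run that matters — a scanner exiting non-zero because it found violations — the SARIF is never uploaded and the findings never reach the Security tab, so both upload steps should get `if: always()` (or `if: ${{ !cancelled() }}`), the condition the PR-comment step removed in the last hunk already used. The output paths also need confirming: tfsec runs with `working_directory: infra`, so `tfsec.sarif` may be written under `infra/` rather than the workspace root where `sarif_file: tfsec.sarif` looks, and I believe Checkov treats `output_file_path` as a directory and writes `results_sarif.sarif` inside it — a comment such as `# paths are relative to the runner workspace; verify after the first run` next to each `sarif_file` would flag this until checked. `security-events: write` was added at workflow level in the earlier hunk (new line 15, before `jobs:`); since only `terraform-ci` uploads SARIF, a job-level `permissions:` block on that job would keep any other jobs at read-only. Finally, the tflint and tfsec actions are referenced by mutable tags while being handed `secrets.GITHUB_TOKEN` with `pull-requests: write`; pinning all three scanner actions to a full commit SHA limits what a re-pointed tag could do with that token.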
@@ -108,28 +126,3 @@ jobs: |
108 | 126 | body |
109 | 127 | }); |
110 | 128 | } |
111 | | -
|
112 | | - - name: Comment on PR with Terraform CI result |
113 | | - if: always() |
114 | | - uses: actions/github-script@v7 |
115 | | - with: |
116 | | - github-token: ${{ secrets.GITHUB_TOKEN }} |
117 | | - script: | |
118 | | - const conclusion = '${{ job.status }}'; |
119 | | - const symbols = { success: '✅', failure: '❌', cancelled: '⚪️' }; |
120 | | - const symbol = symbols[conclusion] || 'ℹ️'; |
121 | | - const body = |
122 | | - `${symbol} Terraform CI finished with status: **${conclusion}**\n\n` + |
123 | | - `Terraform versions tested: 1.6.6, 1.8.5, 1.9.5.\n` + |
124 | | - `See detailed results in the "Checks" tab.`; |
125 | | - const pr = context.payload.pull_request; |
126 | | - if (!pr) { |
127 | | - core.info('No pull_request context, skipping comment.'); |
128 | | - } else { |
129 | | - await github.rest.issues.createComment({ |
130 | | - owner: context.repo.owner, |
131 | | - repo: context.repo.repo, |
132 | | - issue_number: pr.number, |
133 | | - body |
134 | | - }); |
135 | | - } |