refs #30
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Checkov PR Scan | |
| on: | |
| pull_request: | |
| paths: | |
| - '**.tf' | |
| workflow_call: | |
| jobs: | |
| checkov_scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v2 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.head_ref }} | |
| - name: Set up Python | |
| uses: actions/setup-python@v2 | |
| with: | |
| python-version: 3.x | |
| - name: Install Checkov | |
| run: | | |
| pip install checkov | |
| - name: Get changed Terraform files | |
| id: get_changed_files | |
| run: | | |
| echo "::set-output name=files::$(git diff --name-only --diff-filter=d origin/${{ github.base_ref }}..${{ github.head_ref }} -- '*.tf' | tr '\n' ' ')" | |
| - name: Run Checkov | |
| id: checkov | |
| run: | | |
| IFS=$'\n' read -ra FILES <<< "$(echo ${{ steps.get_changed_files.outputs.files }} | tr ' ' '\n')" | |
| PASSED=true | |
| RESULTS=() | |
| for file in "${FILES[@]}"; do | |
| if [ -n "$file" ]; then | |
| OUTPUT=$(checkov -f "$file" --output json || true) | |
| RESULTS+=("$OUTPUT") | |
| if [[ "$(echo "$OUTPUT" | jq '.results.failed_checks | length')" -gt 0 ]]; then | |
| PASSED=false | |
| fi | |
| fi | |
| done | |
| echo "["$(IFS=,; echo "${RESULTS[*]}")"]" > $GITHUB_WORKSPACE/checkov_results.json | |
| echo "CHECKOV_PASSED=$PASSED" | tee -a $GITHUB_ENV | |
| - name: Create comments with Checkov results | |
| uses: actions/github-script@v5 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const fs = require('fs'); | |
| const rawChecks = JSON.parse(fs.readFileSync(`${process.env.GITHUB_WORKSPACE}/checkov_results.json`, 'utf8')); | |
| const checks = rawChecks.reduce((acc, check) => { | |
| if ('results' in check && 'failed_checks' in check.results) { | |
| return acc.concat(check.results.failed_checks); | |
| } | |
| return acc; | |
| }, []); | |
| const files = [...new Set(checks.map((check) => check.file_path))]; | |
| if (files.length == 0) { | |
| const output = `🌟 No Terraform files were modified in this PR or all modified Terraform files passed the Checkov checks. Good job! 🌟`; | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| body: output | |
| }); | |
| } else { | |
| let output = `#### Checkov Scan Results 📖:\n\n` + | |
| `| File | Check ID | Description | Resource | Checkov Result |\n` + | |
| `| ---- | -------- | ----------- | -------- | -------------- |\n`; | |
| for (const file of files) { | |
| const fileChecks = checks.filter((check) => check.file_path === file); | |
| output += fileChecks | |
| .map((check) => { | |
| return `| ${file} | ${check.check_id} | ${check.check_name} | ${check.resource} | ${check.check_result.result} |\n`; | |
| }) | |
| .join(""); | |
| } | |
| output += `\n\nPlease review the above report. ⚠️`; | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| body: output | |
| }); | |
| } | |