From 202beeca70245f4773d87c6595016921408e6ab8 Mon Sep 17 00:00:00 2001
From: Hassan Baker
Date: Fri, 31 Oct 2025 12:34:31 +0000
Subject: [PATCH 1/2] update workflows to include trivy/fmt/tagging
---
 .github/workflows/fmt-check.yml | 26 ++++++++++++++++++++++++++
 .github/workflows/scan-trivy.yml | 22 ++++++++++++++++++++++
 .github/workflows/tag-bump.yml | 25 +++++++++++++++++++++++++
 scripts/trivy/trivy.yml | 19 +++++++++++++++++++
 4 files changed, 92 insertions(+)
 create mode 100644 .github/workflows/fmt-check.yml
 create mode 100644 .github/workflows/scan-trivy.yml
 create mode 100644 .github/workflows/tag-bump.yml
 create mode 100644 scripts/trivy/trivy.yml
diff --git a/.github/workflows/fmt-check.yml b/.github/workflows/fmt-check.yml
new file mode 100644
index 0000000..ff32f34
--- /dev/null
+++ b/.github/workflows/fmt-check.yml
@@ -0,0 +1,26 @@
+---
+name: Terraform Validation
+
+on:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ terraform:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install Task
+ uses: arduino/setup-task@v2
+ with:
+ version: 3.x
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Install Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: "1.8.2"
+ - name: Terraform fmt
+ run: task fmt:check
+
diff --git a/.github/workflows/scan-trivy.yml b/.github/workflows/scan-trivy.yml
new file mode 100644
index 0000000..782e94d
--- /dev/null
+++ b/.github/workflows/scan-trivy.yml
@@ -0,0 +1,22 @@
+name: Trivy Terraform Scan
+
+on:
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: '0 3 * * *' # Nightly at 03:00 UTC
+ workflow_dispatch:
+
+jobs:
+ trivy:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ issues: write
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Trivy scan
+ uses: corelight/shared-actions/trivy-terraform-scan@main
\ No newline at end of file
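Review bot: The `terraform` job in fmt-check.yml declares no `permissions:` block, so the `GITHUB_TOKEN` it hands to `arduino/setup-task` through `repo-token` carries whatever default scope the repository grants, while the other two workflows in this patch scope their token explicitly; add `permissions:` / `  contents: read` at the top level (or on the job), which is all that checkout and `task fmt:check` need. Separately, `actions/checkout@v4`, `arduino/setup-task@v2` and `hashicorp/setup-terraform@v3` are referenced by mutable tags, so an upstream re-tag changes what runs here without any change in this repository; pinning each to a full commit SHA with the version in a trailing comment (`uses: actions/checkout@<commit-sha>  # v4`) is the usual mitigation, and the same applies to the actions in tag-bump.yml. The workflow is titled `Terraform Validation` but only runs `task fmt:check`; a title matching the file, such as `Terraform fmt check`, would keep the checks list honest.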
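Review bot: `uses: corelight/shared-actions/trivy-terraform-scan@main` in scan-trivy.yml runs whatever is currently on that branch, with `issues: write` granted to the job, so any change to the shared repository's default branch executes here on the next pull request or nightly run with no review in this repo; pin it to a release tag or, better, a commit SHA (`@<commit-sha>  # vX.Y`) and bump it deliberately. Nothing in this hunk references the `scripts/trivy/trivy.yml` added later in this patch, so whether the shared action picks that config up (by path convention or via an input) cannot be confirmed from here; an explicit `with:` input or a comment naming the mechanism would make the intent checkable. Whether `issues: write` is actually needed depends on what the shared action does with it, which is not visible here, so a comment justifying it would help the next reader. For consistency with fmt-check.yml, start the file with `---`.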
diff --git a/.github/workflows/tag-bump.yml b/.github/workflows/tag-bump.yml
new file mode 100644
index 0000000..41909df
--- /dev/null
+++ b/.github/workflows/tag-bump.yml
@@ -0,0 +1,25 @@
+name: Bump version
+on:
+ pull_request:
+ types:
+ - closed
+ branches:
+ - main
+
+jobs:
+ build:
+ if: github.event.pull_request.merged == true
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.merge_commit_sha }}
+ fetch-depth: '0'
+
+ - name: Bump version and push tag
+ uses: anothrNick/github-tag-action@1.75.0
+ env:
+ TAG_PREFIX: 'v'
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/scripts/trivy/trivy.yml b/scripts/trivy/trivy.yml
new file mode 100644
index 0000000..d388138
--- /dev/null
+++ b/scripts/trivy/trivy.yml
@@ -0,0 +1,19 @@
+scan:
+ security-checks:
+ - secret
+ - config
+
+ignorefile: scripts/trivy/.trivyignore.yml
+
+severity:
+ - HIGH
+ - CRITICAL
+
+misconfiguration:
+ scanners:
+ - terraform
+ config:
+ terraform:
+ file_patterns:
+ - "**/*.tf"
+ ignore_unfixed: true
From bc30f69255e01b88a95e4ecd955c40103a77938d Mon Sep 17 00:00:00 2001
From: Hassan Baker
Date: Fri, 31 Oct 2025 12:50:51 +0000
Subject: [PATCH 2/2] add trivy ignore
---
 scripts/trivy/.trivyignore.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 scripts/trivy/.trivyignore.yml
diff --git a/scripts/trivy/.trivyignore.yml b/scripts/trivy/.trivyignore.yml
new file mode 100644
index 0000000..e69de29
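Review bot: `TAG_PREFIX: 'v'` in the `env:` of the `Bump version and push tag` step in tag-bump.yml does not match any input I recognise for `anothrNick/github-tag-action`; that action normally selects the `v` prefix with `WITH_V: true`, so if the variable is unrecognised the tag is pushed without the prefix — verify against the 1.75.0 README before relying on it. The job name `build` describes nothing this job does; `name: bump-version` (or similar) reads better in the checks list, and `runs-on: ubuntu-22.04` differs from the `ubuntu-latest` used by the two sibling workflows without an obvious reason. Because the tag is pushed with `secrets.GITHUB_TOKEN`, GitHub's documented rule that events created by that token do not start other workflow runs applies, so anything meant to fire on the new tag (a release build, for instance) will need a different token; a one-line comment on the step, `# tags pushed with GITHUB_TOKEN do not trigger downstream workflows`, would save the next person a debugging session.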
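Review bot: Several keys in scripts/trivy/trivy.yml do not look like Trivy's config-file schema, which uses kebab-case and a different nesting: `scan.security-checks` is the deprecated spelling of `scan.scanners`, `ignore_unfixed` belongs under `vulnerability:` as `ignore-unfixed` (and, as far as I can tell, concerns unfixed vulnerabilities rather than misconfigurations), and I do not recognise `misconfiguration.config.terraform.file_patterns` (the CLI option is `--file-patterns`, which would sit under `scan:` as `file-patterns`). As far as I know Trivy ignores unknown keys rather than rejecting them, so the likely effect is a scan that silently runs with defaults while appearing configured — only `severity` and `ignorefile` are clearly well-formed — and each key should be confirmed against `trivy config --help` and the documented config reference for the Trivy version the shared action installs. The file is also not referenced by scan-trivy.yml in this patch, so a leading comment stating which workflow or action consumes it, and by what mechanism, would make the wiring checkable. Restricting `severity` to HIGH and CRITICAL also means MEDIUM misconfiguration findings are never reported; if that is intentional, say so in a comment.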