From b946e9102f7660ae1e5bb02a09d154916d71de3b Mon Sep 17 00:00:00 2001 From: AtozPrasad Date: Wed, 22 Oct 2025 17:45:52 +0200 Subject: [PATCH 1/4] Add Checkov GitHub Action configuration --- checkov.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 checkov.yaml diff --git a/checkov.yaml b/checkov.yaml new file mode 100644 index 000000000..00e3ec636 --- /dev/null +++ b/checkov.yaml @@ -0,0 +1,32 @@ +name: checkov +on: + pull_request: + push: + branches: + - main +jobs: + scan: + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for GitHub/codeql-action/upload-sarif to upload SARIF results + + steps: + - uses: actions/checkout@v2 + + - name: Run checkov + id: checkov + uses: bridgecrewio/checkov-action@master + with: + directory: code/ + #soft_fail: true + + - name: Upload SARIF file + uses: GitHub/codeql-action/upload-sarif@v3 + + # Results are generated only on a success or failure + # this is required since GitHub by default won't run the next step + # when the previous one has failed. Alternatively, enable soft_fail in checkov action. + if: success() || failure() + with: + sarif_file: results.sarif From d720c8667b9b52a23e538fb5effffa6d08fe7a22 Mon Sep 17 00:00:00 2001 From: AtozPrasad Date: Wed, 22 Oct 2025 17:47:50 +0200 Subject: [PATCH 2/4] Add GitHub Actions workflow for Checkov scanning --- .github/workflows/main.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 000000000..00e3ec636 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,32 @@ +name: checkov +on: + pull_request: + push: + branches: + - main +jobs: + scan: + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for GitHub/codeql-action/upload-sarif to upload SARIF results + + steps: + - uses: actions/checkout@v2 + + - name: Run checkov + id: checkov + uses: bridgecrewio/checkov-action@master + with: + directory: code/ + #soft_fail: true + + - name: Upload SARIF file + uses: GitHub/codeql-action/upload-sarif@v3 + + # Results are generated only on a success or failure + # this is required since GitHub by default won't run the next step + # when the previous one has failed. Alternatively, enable soft_fail in checkov action. + if: success() || failure() + with: + sarif_file: results.sarif From bdb568a7559eb49a994f83e6dbb72fa0944ad541 Mon Sep 17 00:00:00 2001 From: AtozPrasad Date: Wed, 22 Oct 2025 18:17:09 +0200 Subject: [PATCH 3/4] Create gcs.tf --- code/build/gcs.tf | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 code/build/gcs.tf diff --git a/code/build/gcs.tf b/code/build/gcs.tf new file mode 100644 index 000000000..536dba26f --- /dev/null +++ b/code/build/gcs.tf @@ -0,0 +1,21 @@ +provider "google" { + project = "qwiklabs-gcp-02-8624879fd393" + region = "us-central1" +} + +resource "google_storage_bucket" "example" { + name = "demo-${random_id.rand_suffix.hex}" + location = "us-central1" + force_destroy = true + + uniform_bucket_level_access = false + public_access_prevention = "enforced" +} + +resource "random_id" "rand_suffix" { + byte_length = 4 +} + +output "bucket_name" { + value = google_storage_bucket.example.name +} From db255c20c48b6885d479570dd479ea7bde1c0ffa Mon Sep 17 00:00:00 2001 From: AtozPrasad Date: Wed, 22 Oct 2025 18:21:15 +0200 Subject: [PATCH 4/4] Update gcs.tf