From 09efe34604b8c2d76a40dcb2cfce2bbc2a15d568 Mon Sep 17 00:00:00 2001 From: SaubhagyaDeep <91832218+SaubhagyaDeep@users.noreply.github.com> Date: Wed, 17 Sep 2025 21:25:06 +0530 Subject: [PATCH 1/5] Create main.yml --- .github/workflows/main.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 000000000..00e3ec636 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,32 @@ +name: checkov +on: + pull_request: + push: + branches: + - main +jobs: + scan: + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for GitHub/codeql-action/upload-sarif to upload SARIF results + + steps: + - uses: actions/checkout@v2 + + - name: Run checkov + id: checkov + uses: bridgecrewio/checkov-action@master + with: + directory: code/ + #soft_fail: true + + - name: Upload SARIF file + uses: GitHub/codeql-action/upload-sarif@v3 + + # Results are generated only on a success or failure + # this is required since GitHub by default won't run the next step + # when the previous one has failed. Alternatively, enable soft_fail in checkov action. + if: success() || failure() + with: + sarif_file: results.sarif From 9d06f3b3c1de84173c788e27571c7ef7c762c0e8 Mon Sep 17 00:00:00 2001 From: Saubhagya Deep Date: Thu, 23 Oct 2025 20:08:59 +0530 Subject: [PATCH 2/5] test: Terraform GCP sample with intentional misconfigs --- code/main.tf | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 code/main.tf diff --git a/code/main.tf b/code/main.tf new file mode 100644 index 000000000..031d4d635 --- /dev/null +++ b/code/main.tf @@ -0,0 +1,31 @@ +terraform { + required_version = ">= 1.3.0" + required_providers { + google = { + source = "hashicorp/google" + version = "~> 5.0" + } + } +} + +provider "google" { + project = "demo-project-id" # placeholder; not used by Checkov + region = "us-central1" +} + +# Deliberately misconfigured GCS bucket to trigger findings: +# - uniform_bucket_level_access = false (bad) +# - public IAM member (bad) +resource "google_storage_bucket" "bad_bucket" { + name = "demo-checkov-bad-bucket-12345" + location = "US" + force_destroy = true + uniform_bucket_level_access = false # Checkov should flag CKV_GCP_31 +} + +resource "google_storage_bucket_iam_member" "public_reader" { + bucket = google_storage_bucket.bad_bucket.name + role = "roles/storage.objectViewer" + member = "allUsers" # Checkov should flag public access +} + From 8733b37bff2c528a77e86e498b0917fadd994d31 Mon Sep 17 00:00:00 2001 From: Saubhagya Deep Date: Thu, 23 Oct 2025 20:10:19 +0530 Subject: [PATCH 3/5] chore(checkov): repo defaults (monitor mode) --- .checkov.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .checkov.yaml diff --git a/.checkov.yaml b/.checkov.yaml new file mode 100644 index 000000000..b1fee5353 --- /dev/null +++ b/.checkov.yaml @@ -0,0 +1,14 @@ +framework: terraform +download_external_modules: true +evaluate_variables: true +var_files: + - "*.tfvars" + +skip_path: + - "**/.terraform/*" + - "**/examples/**" + - "**/test/**" + +soft_fail: true # monitor mode +quiet: true + From b3e4b4280c0b89a17adf289667c2aef9628c6ce7 Mon Sep 17 00:00:00 2001 From: Saubhagya Deep Date: Thu, 23 Oct 2025 20:11:28 +0530 Subject: [PATCH 4/5] ci(checkov): add monitor-mode scanning and SARIF upload --- .github/workflows/checkov.yml | 82 +++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 .github/workflows/checkov.yml diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml new file mode 100644 index 000000000..83952e35b --- /dev/null +++ b/.github/workflows/checkov.yml @@ -0,0 +1,82 @@ +name: Terraform Security (Checkov) + +on: + pull_request: + branches: [ main, master ] + paths: + - '**/*.tf' + - '**/*.tfvars' + - '**/terraform.lock.hcl' + - '.checkov.yaml' + push: + branches: [ main, master ] + paths: + - '**/*.tf' + - '**/*.tfvars' + - '**/terraform.lock.hcl' + - '.checkov.yaml' + +permissions: + contents: read + security-events: write # needed for SARIF upload (PR annotations / Code scanning) + actions: read + +concurrency: + group: checkov-${{ github.ref }} + cancel-in-progress: false + +jobs: + checkov: + runs-on: ubuntu-latest + timeout-minutes: 15 + + steps: + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Setup Python + uses: actions/setup-python@v5 + with: + python-version: '3.11' + + - name: Install Checkov + run: pip install --upgrade checkov + + - name: Run Checkov (monitor mode) + continue-on-error: true + run: | + mkdir -p results + checkov \ + --directory . \ + --framework terraform \ + --download-external-modules true \ + --output sarif \ + --output-file-path results/checkov.sarif \ + --quiet \ + --soft-fail true + + - name: Upload SARIF to GitHub Code Scanning + # If your repo is private and doesn't have Advanced Security, + # this step may fail; the job stays green thanks to continue-on-error above. + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results/checkov.sarif + category: checkov + + - name: Emit human-friendly text report (non-blocking) + continue-on-error: true + run: | + checkov \ + --directory . \ + --framework terraform \ + --download-external-modules true \ + --output cli \ + --quiet \ + --soft-fail true | tee checkov.txt + + - name: Upload text artifact + uses: actions/upload-artifact@v4 + with: + name: checkov-cli-report + path: checkov.txt + From 797b1f591b8b9c70f65dcb1ef53b60b21e02dd5d Mon Sep 17 00:00:00 2001 From: Saubhagya Deep Date: Thu, 23 Oct 2025 20:13:13 +0530 Subject: [PATCH 5/5] test: trigger checkov on PR --- main.tf | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 main.tf diff --git a/main.tf b/main.tf new file mode 100644 index 000000000..aab5fa478 --- /dev/null +++ b/main.tf @@ -0,0 +1,2 @@ + +# tiny change