reusable-terraform-quality.yml
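# Reusable GitHub Actions workflow: Terraform formatting check, validation and
# static analysis (Checkov, TFLint, Trivy config scan).
#
# Called from another workflow via `uses:` (trigger `workflow_call`). Inputs:
#   job-name          - display name of the job (default "Validate")
#   working-directory - directory holding the Terraform root module. Applied to
#                       every `run` step and passed explicitly to the Checkov
#                       and Trivy actions, which do not honour `defaults.run`.
#   operating-system  - runner label (default "ubuntu-latest"). The plugin-cache
#                       setup step uses bash, which GitHub provides on all
#                       hosted runner images.
#
# Supply-chain note: only the Trivy action below is pinned to a commit SHA; the
# other actions are pinned to mutable major tags. Pin them to full commit SHAs
# as well (keeping the version in a trailing comment, as done for Trivy) so a
# retagged or compromised release cannot change what runs in this job.
name: Reusable - Terraform validate
on:
  workflow_call:
    inputs:
      job-name:
        description: "Job name"
        type: string
        required: false
        default: "Validate"
      working-directory:
        description: "Working directory"
        type: string
        required: false
        default: "."
      operating-system:
        description: "Operating system executing the runner"
        type: string
        required: false
        default: "ubuntu-latest"
jobs:
  terraform-validate:
    name: ${{ inputs.job-name }}
    runs-on: ${{ inputs.operating-system }}
    # Least privilege: nothing in this job pushes, comments or publishes, so the
    # GITHUB_TOKEN only needs to read the repository for checkout. A called
    # workflow can only narrow the caller's permissions, never widen them. The
    # commented-out upload to Code Scanning would additionally require
    # `security-events: write`.
    permissions:
      contents: read
    defaults:
      run:
        working-directory: ${{ inputs.working-directory }}
    env:
      # Tells Terraform it is running non-interactively (no prompts, plainer
      # output). Set at job level so every terraform invocation sees it, and
      # quoted so the value is handed to the process as the string "true".
      TF_IN_AUTOMATION: "true"
    steps:
      - name: Clone repository
        uses: actions/checkout@v6
        with:
          # No later step pushes, so do not leave the GITHUB_TOKEN in
          # .git/config where the third-party scanner actions could read it.
          persist-credentials: false
      - name: Configure Terraform plugin cache
        # Terraform only uses a plugin cache when TF_PLUGIN_CACHE_DIR (or the
        # CLI config) points at a directory that already exists; it does not
        # create the directory itself. Without this step the cached
        # ~/.terraform.d/plugin-cache directory stays empty and the cache
        # step below saves nothing useful.
        shell: bash
        run: |
          mkdir -p "$HOME/.terraform.d/plugin-cache"
          echo "TF_PLUGIN_CACHE_DIR=$HOME/.terraform.d/plugin-cache" >> "$GITHUB_ENV"
      - name: Cache Terraform plugins
        uses: actions/cache@v5
        with:
          path: |
            ~/.terraform.d/plugin-cache
          # Keyed on the dependency lock file(s) so a provider bump invalidates
          # the cache. If no .terraform.lock.hcl exists the hash is empty and
          # every run shares the key "terraform-".
          key: terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
      - name: Install terraform
        uses: hashicorp/setup-terraform@v3
      - name: Check Terraform format
        # -check only reports; it does not rewrite files in CI.
        run: terraform fmt -recursive -check
      - name: Terraform Init
        # -backend=false: no state backend is contacted; only providers and
        # modules are fetched so that `validate` can run.
        run: terraform init -backend=false
      - name: Terraform Validate
        run: terraform validate
      # Checkov is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages (ref. https://github.com/bridgecrewio/checkov)
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@v12
        with:
          # `uses:` steps ignore defaults.run.working-directory, so the scan
          # path is passed explicitly to match the terraform steps above.
          directory: ${{ inputs.working-directory }}
          # soft_fail: findings are reported but never fail the job. Remove it
          # once this job is meant to block merges on security findings.
          soft_fail: true
          output_format: cli,sarif
          output_file_path: console,results.sarif
          # quiet: true
          # framework: terraform kubernetes helm
      # needs GitHub code security > code scanning, not available on private repos
      # (and would require `security-events: write` in the permissions block above)
      # - name: Upload SARIF file
      #   uses: github/codeql-action/upload-sarif@v3
      #   if: success() || failure()
      #   with:
      #     sarif_file: results.sarif
      - name: Upload Checkov SARIF as artifact
        uses: actions/upload-artifact@v6
        # always(): keep the report even when an earlier step failed.
        if: always()
        with:
          name: checkov-sarif-results
          path: results.sarif
          retention-days: 14
      # TFLint is a pluggable terraform linter (ref. https://github.com/terraform-linters/tflint)
      - name: Cache TFLint plugins
        uses: actions/cache@v5
        with:
          path: ~/.tflint.d/plugins
          key: tflint-${{ hashFiles('**/.tflint.hcl') }}
      - name: Setup TFLint
        uses: terraform-linters/setup-tflint@v6
        with:
          tflint_version: v0.60.0 # ref. https://github.com/terraform-linters/tflint/pkgs/container/tflint
      - name: Initialize TFLint
        run: tflint --init --recursive
        env:
          # Authenticated GitHub API calls while downloading plugins, to avoid
          # the anonymous rate limit; the token carries only `contents: read`.
          GITHUB_TOKEN: ${{ github.token }} # ref. https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
      - name: Run TFLint
        run: tflint --recursive --format compact
      - name: Run Trivy IaC scan
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          scan-type: "config"
          # `uses:` steps ignore defaults.run.working-directory; scan the same
          # tree the terraform steps validated.
          scan-ref: ${{ inputs.working-directory }}
          format: "sarif"
          output: "trivy-results.sarif"
          # NOTE(review): ignore-unfixed applies to vulnerability findings; for a
          # config (misconfiguration) scan it is likely a no-op — confirm before
          # relying on it.
          ignore-unfixed: true
          severity: "HIGH,CRITICAL"
          # No exit-code is set, so with Trivy's default of 0 findings are
          # written to the SARIF file but (like Checkov with soft_fail) do not
          # fail the job.
      - name: Upload Trivy SARIF as artifact
        uses: actions/upload-artifact@v6
        # always(): the report is the only place these findings surface, so keep
        # it even when an earlier step failed.
        if: always()
        with:
          name: trivy-sarif-results
          path: trivy-results.sarif
          retention-days: 14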