name: Checkov IaC Security Scan on: workflow_dispatch: workflow_call: # Called by release-gate.yml permissions: {} # Minimal top-level for OSSF Scorecard Token-Permissions jobs: checkov: runs-on: ubuntu-latest timeout-minutes: 10 permissions: contents: read security-events: write steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 with: egress-policy: audit - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Set up Python uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: '3.12' - name: Install Checkov run: pip install checkov==3.2.499 # Reverted to CLI approach due to known bug in bridgecrewio/checkov-action # when running multiple consecutive action calls (heredoc delimiter overflow) # See: https://github.com/bridgecrewio/checkov-action/issues/170 # See: https://github.com/bridgecrewio/checkov/issues/5866 - name: Run Checkov on Dockerfile run: | checkov -f Dockerfile \ --framework dockerfile \ --skip-check CKV_DOCKER_3 \ -o cli -o sarif \ --output-file-path console,checkov-docker.sarif - name: Run Checkov on docker-compose files run: | checkov \ -f docker-compose.yml \ -f docker-compose.gpu.override.yml \ -f docker-compose.tts.yml \ -f docker-compose.unraid.yml \ --framework yaml \ -o cli -o sarif \ --output-file-path console,checkov-compose.sarif - name: Run Checkov on GitHub Actions workflows run: | checkov -d .github/workflows \ --framework github_actions \ --skip-check CKV_GHA_7 \ -o cli -o sarif \ --output-file-path console,checkov-workflows.sarif - name: Check SARIF files exist id: check-sarif if: always() run: | [ -f checkov-docker.sarif ] && echo "docker=true" >> "$GITHUB_OUTPUT" [ -f checkov-compose.sarif ] && echo "compose=true" >> "$GITHUB_OUTPUT" [ -f checkov-workflows.sarif ] && echo "workflows=true" >> "$GITHUB_OUTPUT" - name: Upload Dockerfile SARIF results if: always() && steps.check-sarif.outputs.docker == 'true' uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: sarif_file: checkov-docker.sarif category: checkov-dockerfile - name: Upload docker-compose SARIF results if: always() && steps.check-sarif.outputs.compose == 'true' uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: sarif_file: checkov-compose.sarif category: checkov-compose - name: Upload GitHub Actions SARIF results if: always() && steps.check-sarif.outputs.workflows == 'true' uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: sarif_file: checkov-workflows.sarif category: checkov-workflows - name: Summary if: always() run: | echo "=== Checkov IaC Security Scan Summary ===" echo "SARIF results uploaded to GitHub Security tab" echo "Scan completed (strict mode - failures block CI)"