updated workflows

Author: codebytes

.github/workflows/checkov.yml

@@ -1,3 +1,4 @@
+name: checkov
 on: [push]
 jobs:
   checkov-job:
@@ -11,18 +12,23 @@ jobs:
         id: checkov
         uses: bridgecrewio/checkov-action@master
         with:
-          directory: demos/
-          file: #example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.
-          check: #CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
-          skip_check: #CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
+          #directory: example/
+          #file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.
+          #check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
+          #skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
           quiet: true # optional: display only failed checks
-          soft_fail: false # optional: do not return an error code if there are failed checks
+          soft_fail: true # optional: do not return an error code if there are failed checks
           framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
-          output_format: junitxml # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
-            #output_file_path: reports/results.sarif # folder and name of results file
+          output_format: junitxml #sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
+          output_file_path: reports/ # folder and name of results file
           download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
-            #var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans.
-            #log_level: DEBUG # optional: set log level. Default WARNING
-            #config_file: path/this_file
-            #baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline.
+          #var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans.
+          #log_level: DEBUG # optional: set log level. Default WARNING
+          #config_file: path/this_file
+          #baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline.
           container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
+      - name: Publish Test Results
+        uses: EnricoMi/publish-unit-test-result-action@v2
+        if: always()
+        with:
+          junit_files: "reports/**/*.xml"

.github/workflows/terrascan.yml

@@ -12,14 +12,14 @@ jobs:
       uses: tenable/terrascan-action@main
       with:
         iac_type: 'terraform'
-        iac_version: 'v14'
+        #iac_version: 'v14'
         policy_type: 'azure'
         only_warn: true
         #scm_token: ${{ secrets.ACCESS_TOKEN }}
         #verbose: true
         #sarif_upload: true
         #non_recursive:
-        iac_dir: demos
+        #iac_dir: demos
         #policy_path:
         #skip_rules:
         #config_path:

.github/workflows/tfsec.yml

@@ -15,4 +15,10 @@ jobs:
       - name: tfsec
         uses: aquasecurity/[email protected]
         with:
-          additional_args: --force-all-dirs
+          format: junit
+          additional_args: -O results.xml
+      - name: Publish Test Results
+        uses: EnricoMi/publish-unit-test-result-action@v2
+        if: always()
+        with:
+          junit_files: "results.xml"