OPSEXP-2500 Switch to checkov action (#220)

Alfresco · Feb 13, 2024 · 4527354 · 4527354
1 parent eaef0ed
commit 4527354
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 21 deletions.
diff --git a/.checkov-values.yml b/.checkov-values.yml
@@ -14,19 +14,43 @@ global:
     sharedsecret: dummy
 repository:
   sharedSecret: dummy
+  host: dummy
+  port: 8080
+
 
-# alfresco-search-enterprise
 elasticsearch:
   enabled: true
 messageBroker:
   url: amqp://something
+  user: admin
+  username: admin
+  password: dummy
+database:
+  username: postgres
+  password: dummy
+  url: jdbc:postgresql://hostname:5432/database
+
 reindexing:
   db:
     url: jdbc://something
   repository:
     url: http://something
+
 search:
   url: es://something
+
 ats:
   transform_url: http://transform
   sfs_url: http://sfs
+
+sfs:
+  url: http://sfs
+
+aws:
+  accessKeyId: dummy
+  secretAccessKey: dummy
+
+microsoft:
+  app:
+    id: dummy
+    password: dummy
diff --git a/.checkov.yml b/.checkov.yml
@@ -2,18 +2,15 @@ framework:
   - helm
 directory:
   - charts
-skip-path:
-  - charts/[^/]+/ci/
 skip-check:
-  - CKV_K8S_15
-  - CKV_K8S_21
-  - CKV_K8S_22
-  - CKV_K8S_31
-  - CKV_K8S_35
-  - CKV_K8S_38
-  - CKV_K8S_43
+  - CKV_K8S_15 # "Image Pull Policy should be Always"
+  - CKV_K8S_21 # "The default namespace should not be used"
+  - CKV_K8S_22 # "Use read-only filesystem for containers where possible"
+  - CKV_K8S_31 # "Ensure that the seccomp profile is set to docker/default or runtime/default"
+  - CKV_K8S_35 # "Prefer using secrets as files over secrets as environment variables"
+  - CKV_K8S_38 # "Ensure that Service Account Tokens are only mounted where necessary"
+  - CKV_K8S_43 # "Image should use digest"
 var-file: .checkov-values.yml
 skip-path:
+  - charts/[^/]+/ci/
   - charts/alfresco-common
-  - charts/postgresql
-  - charts/elasticsearch
diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml
@@ -0,0 +1,33 @@
+name: checkov
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+jobs:
+  scan:
+    permissions:
+      contents: read
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Run checkov
+        uses: bridgecrewio/checkov-action@d01b2bab9580b88f841e0207ddbc90de6930e4d0 # v12.2672.0
+        with:
+          config_file: .checkov.yml
+          output_format: cli,sarif
+          output_file_path: console,results.sarif
+          skip_download: true # Do not download any data from Bridgecrew's servers
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+
+        if: success() || failure()
+        with:
+          sarif_file: results.sarif
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -14,15 +14,6 @@ repos:
     rev: v1.11.3
     hooks:
       - id: helm-docs
-  - repo: https://github.com/bridgecrewio/checkov.git
-    rev: 3.1.51
-    hooks:
-      - id: checkov
-        files: charts/.*\.yaml$
-        verbose: true
-        args:
-          - --quiet
-          - --compact
   - repo: https://github.com/jtyr/kubeconform-helm
     rev: v0.1.16
     hooks: