From a686fc7872d250b414f61667e449fd3aaf2a89c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexandre=20Mont=27Alv=C3=A3o?=
Date: Mon, 15 May 2023 16:59:49 -0300
Subject: [PATCH 1/8] DNX-One #99
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Include Checkov in our modules - CKV2_GHA_1: Ensure top-level permissions are not set to write-all
Co-authored-by: Alexandre Mont'Alvão
---
.github/workflows/auto-release.yml | 2 ++
.github/workflows/docs.yml | 3 +++
.github/workflows/documentation.yml | 2 ++
.github/workflows/lint.yml | 2 ++
4 files changed, 9 insertions(+)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 8429189..3159748 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -5,6 +5,8 @@ on:
branches: - master
+permissions: read-all
+
jobs: publish: runs-on: ubuntu-latest
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index aa6728a..866c0a3 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,6 +1,9 @@
name: Generate terraform docs on: [pull_request]
+
+permissions: read-all
+
jobs: docs: runs-on: ubuntu-latest
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index ea79893..0891011 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -5,6 +5,8 @@ on:
branches: - master
+permissions: read-all
+
jobs: docs: runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 3c1dbb0..0797eff 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,6 +2,8 @@ name: Lint
on: [push]
+permissions: read-all
+
jobs: tflint: name: Lint
From d9804ec6e676be674cced9be75f93c3281a4ac7b Mon Sep 17 00:00:00 2001
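Review bot: The top-level `permissions: read-all` added to auto-release.yml applies to the `publish` job with no job-level override, so if that job creates a release or pushes a tag (its steps are outside the hunk) the workflow token will now lack the write scope it needs and the job will fail rather than publish. The same concern applies to the `docs` job in the docs.yml and documentation.yml hunks if either commits regenerated docs back to the branch. The fix is to keep the workflow-level default read-only as this commit does and grant the minimum write scope only on the job that needs it, e.g. a `permissions:` block with `contents: write` directly under `publish:`, rather than widening the top-level value again. An explicit map such as `contents: read` is also tighter than `read-all`, which grants read on every scope; a CI run on this branch would confirm which jobs actually need write access.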
From: =?UTF-8?q?Alexandre=20Mont=27Alv=C3=A3o?=
Date: Mon, 15 May 2023 17:02:47 -0300
Subject: [PATCH 2/8] DNX-One #99
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Include Checkov in our modules - Integrate Checkov with the pipeline.
Co-authored-by: Alexandre Mont'Alvão
---
.github/workflows/scan.yml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 .github/workflows/scan.yml

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 0000000..81fb1c3
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,20 @@
+name: Checkov
+
+on: [push]
+
+permissions: read-all
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v3
+ - name: Run Checkov action
+ id: checkov
+ uses: bridgecrewio/checkov-action@v12
+ with:
+ directory: .
+ framework: terraform
+ quiet: true
+ soft_fail: true
\ No newline at end of file
From cba3ec537fc3a1a0a23331742bd15745acb6af3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexandre=20Mont=27Alv=C3=A3o?=
Date: Mon, 15 May 2023 17:10:21 -0300
Subject: [PATCH 3/8] remove soft-fail from checkov
---
.github/workflows/scan.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 81fb1c3..8aacc7a 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -16,5 +16,4 @@ jobs:
with: directory: . framework: terraform
- quiet: true
- soft_fail: true
\ No newline at end of file
+ quiet: true
\ No newline at end of file
From cccc0977bcc91ce44728f0a5de050041f95c02b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexandre=20Mont=27Alv=C3=A3o?=
Date: Mon, 15 May 2023 17:11:38 -0300
Subject: [PATCH 4/8] change the workflow name to scan
---
.github/workflows/scan.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 8aacc7a..e428c0a 100644
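Review bot: Both actions in the new scan.yml, `uses: actions/checkout@v3` and `uses: bridgecrewio/checkov-action@v12`, are pinned to mutable major-version tags, so the job runs whatever commit those tags point to at run time rather than a reviewed revision; pinning to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v3`, makes the scan step reproducible and lets a dependency bot keep the pins current. Separately, `framework: terraform` restricts the scan to Terraform files, so the GitHub Actions check this series cites in its commit message (CKV2_GHA_1) is not evaluated on the workflow files themselves; if that coverage is intended, the framework list needs `github_actions` as well (Checkov's `--framework` accepts several values; confirm the action's input format before relying on it). The file is also committed without a trailing newline, which every later hunk in the series then has to carry as `\ No newline at end of file`.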
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -1,4 +1,4 @@
-name: Checkov
+name: Scan
on: [push]
From 89f33f71c9491edaaca5381074c4f59022c1be4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexandre=20Mont=27Alv=C3=A3o?=
Date: Mon, 15 May 2023 17:13:15 -0300
Subject: [PATCH 5/8] remove quiet parameter from checkov
---
.github/workflows/scan.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index e428c0a..30bbcb2 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -15,5 +15,4 @@ jobs:
uses: bridgecrewio/checkov-action@v12 with: directory: .
- framework: terraform
- quiet: true
\ No newline at end of file
+ framework: terraform
\ No newline at end of file
From 47ab89962de900e9c76b8d7dff6f27ff3b9abec5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexandre=20Mont=27Alv=C3=A3o?=
Date: Mon, 15 May 2023 17:17:23 -0300
Subject: [PATCH 6/8] change output parameter from checkov
---
.github/workflows/scan.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 30bbcb2..e6f18ee 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -15,4 +15,5 @@ jobs:
uses: bridgecrewio/checkov-action@v12 with: directory: .
- framework: terraform
\ No newline at end of file
+ framework: terraform
+ output_format: cli
\ No newline at end of file
From bd80d9219eed6112df88b264dc2a906bccdebb12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexandre=20Mont=27Alv=C3=A3o?=
Date: Mon, 15 May 2023 17:18:59 -0300
Subject: [PATCH 7/8] simulate error
---
.github/workflows/scan.yml | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index e6f18ee..b015c8f 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -2,8 +2,6 @@ name: Scan
on: [push]
-permissions: read-all
-
jobs: scan: runs-on: ubuntu-latest
@@ -15,5 +13,4 @@ jobs:
uses: bridgecrewio/checkov-action@v12 with: directory: .
- framework: terraform
- output_format: cli
\ No newline at end of file
+ framework: terraform
\ No newline at end of file
From ccec99d628f7b51e9dd40ded013f1e962798657c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexandre=20Mont=27Alv=C3=A3o?=
Date: Mon, 15 May 2023 17:29:05 -0300
Subject: [PATCH 8/8] remove simulate error
---
.github/workflows/scan.yml | 2 ++
1 file changed, 2 insertions(+)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index b015c8f..30bbcb2 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -2,6 +2,8 @@ name: Scan
on: [push]
+permissions: read-all
+
jobs: scan: runs-on: ubuntu-latest
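Review bot: This hunk restores only `permissions: read-all`, not the `output_format: cli` line that the preceding "simulate error" commit removed from the `with:` block, so the net result of patches 6–8 is that `output_format: cli` is gone again; the `index b015c8f..30bbcb2` line confirms it, since 30bbcb2 is the blob patch 6 started from. If dropping it was intentional, patch 6 should be dropped from the series too; otherwise add `output_format: cli` back beneath `framework: terraform` here. Squashing the simulate/revert pair before merge would also keep the history readable. The `scan` job body continues outside the hunk.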