From 8bc2a016567855c6f34318e9a6ce1ee17d18462b Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Mon, 13 May 2024 08:12:06 +0200
Subject: [PATCH 1/3] fix: vault secrets
Signed-off-by: Martin Buchleitner
---
 .github/workflows/changelog.yml | 2 +-
 .github/workflows/pr-valid.yml | 2 +-
 .../workflows/terraform-analyse/action.yml | 50 +++++++++++++++++++
 .github/workflows/terratest.yml | 32 ++++++++++++
 .github/workflows/tf-analyise.yml | 36 +++++++++++++
 5 files changed, 120 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/terraform-analyse/action.yml
 create mode 100644 .github/workflows/terratest.yml
 create mode 100644 .github/workflows/tf-analyise.yml
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 0e9b0a4..0501e53 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -11,4 +11,4 @@ jobs:
 changelog-automation:
 uses: ./.github/workflows/changelog-automation.yml
 secrets:
- BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}
+ BOT_ACCESS_TOKEN: "${{ fromJSON(secrets.VAULT_KV_1D187965_OP_GITHUB_INFRALOVERS).PAT }}"
diff --git a/.github/workflows/pr-valid.yml b/.github/workflows/pr-valid.yml
index 32894d0..e74ff2b 100644
--- a/.github/workflows/pr-valid.yml
+++ b/.github/workflows/pr-valid.yml
@@ -21,4 +21,4 @@ jobs:
 pr-validation:
 uses: ./.github/workflows/pr-validation.yml
 secrets:
- BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}
+ BOT_ACCESS_TOKEN: "${{ fromJSON(secrets.VAULT_KV_1D187965_OP_GITHUB_INFRALOVERS).PAT }}"
diff --git a/.github/workflows/terraform-analyse/action.yml b/.github/workflows/terraform-analyse/action.yml
new file mode 100644
index 0000000..5badc72
--- /dev/null
+++ b/.github/workflows/terraform-analyse/action.yml
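Review bot: The value handed to the called workflows on the added line of both the changelog.yml and pr-valid.yml hunks is a single field pulled out of a JSON-valued secret, `fromJSON(secrets.VAULT_KV_1D187965_OP_GITHUB_INFRALOVERS).PAT`; GitHub's log redaction matches the registered secret value as a whole, so the extracted PAT substring is likely not masked if any step in the called workflows prints or dumps it, whereas the `${{ secrets.BOT_ACCESS_TOKEN }}` this replaces was redacted reliably. Prefer a dedicated secret that holds only the PAT and pass `BOT_ACCESS_TOKEN: ${{ secrets.<PAT_SECRET_NAME> }}`; if the JSON blob has to stay, make sure nothing downstream echoes the token. The same expression is reused in patch 3.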
@@ -0,0 +1,50 @@
+---
+
+name: 'Terraform Analyse'
+description: 'analyse terraform code'
+inputs:
+ tfdir:
+ description: 'Directory to scan'
+ required: true
+ default: '.'
+ mondoo_service_account:
+ description: 'Mondoo service account bas64 encoded'
+ required: true
+ default: ''
+outputs: {}
+runs:
+ using: "composite"
+ steps:
+ - name: mondoo terraform hcl scan
+ uses: mondoohq/actions/terraform-hcl@v11.0.0
+ if: always()
+ env:
+ MONDOO_CONFIG_BASE64: ${{ inputs.mondoo_service_account }}
+ with:
+ path: ${{ inputs.tfdir }}
+ output: 'summary'
+
+ - name: kics scan
+ uses: checkmarx/kics-github-action@v2
+ if: always()
+ with:
+ path: ${{ inputs.tfdir }}
+ output_formats: "json"
+
+ - name: trivy scan
+ uses: aquasecurity/trivy-action@master
+ if: always()
+ with:
+ scan-type: 'fs'
+ scan-ref: ${{ inputs.tfdir }}
+ scanners: 'vuln,misconfig'
+ format: 'table'
+
+ - name: checkov scan
+ uses: bridgecrewio/checkov-action@v12
+ if: always()
+ with:
+ directory: ${{ inputs.tfdir }}
+ output_format: cli,sarif
+ quiet: false
+ skip_path: 'policies' # incorrect hcl handling in checkov
diff --git a/.github/workflows/terratest.yml b/.github/workflows/terratest.yml
new file mode 100644
index 0000000..1a0ed5e
--- /dev/null
+++ b/.github/workflows/terratest.yml
@@ -0,0 +1,32 @@
+---
+name: Analyze Terraform
+
+on:
+ workflow_call:
+ inputs:
+ tfdir:
+ description: 'Terraform directory to analyze'
+ required: true
+ default: '.'
+ type: string
+
+jobs:
+
+ terratest:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Check if ${{ inputs.tfdir }} changed
+ id: detect
+ uses: tj-actions/changed-files@v44
+ with:
+ path: ${{ inputs.tfdir }}
+
+ - name: Run Terratest
+ uses: cloudposse/github-action-terratest@main
+ if: steps.detect.outputs.all_changed_files != '' || github.event_name == 'workflow_dispatch'
+ with:
+ sourceDir: ${{ inputs.tfdir }}
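Review bot: `uses: aquasecurity/trivy-action@master` in the trivy step of action.yml resolves a third-party action from a mutable branch, so the code that runs against the checked-out Terraform tree can change upstream without any commit in this repository; `cloudposse/github-action-terratest@main` in the terratest.yml hunk has the same problem, and `infralovers/.github/...@main` in patch 3 is the same pattern at lower risk since it is the org's own repository. Pin to a release tag or, preferably, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`, as the mondoo, kics and checkov steps already do with tags. Separately, `mondoo_service_account` declares `required: true` together with `default: ''`, so a caller that omits it does not fail but runs the mondoo step with an empty `MONDOO_CONFIG_BASE64`; drop the default if the input is genuinely mandatory.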
diff --git a/.github/workflows/tf-analyise.yml b/.github/workflows/tf-analyise.yml
new file mode 100644
index 0000000..670a095
--- /dev/null
+++ b/.github/workflows/tf-analyise.yml
@@ -0,0 +1,36 @@
+---
+name: Analyze Terraform
+
+on:
+ workflow_call:
+ inputs:
+ tfdir:
+ description: 'Terraform directory to analyze'
+ required: true
+ default: '.'
+ type: string
+ secrets:
+ MONDOO_SERVICE_ACCOUNT:
+ description: 'Mondoo Service Account'
+ required: true
+jobs:
+
+ analyze_tf:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Check if ${{ inputs.tfdir }} changed
+ id: detect
+ uses: tj-actions/changed-files@v44
+ with:
+ path: ${{ inputs.tfdir }}
+
+ - name: run terraform anlysis
+ if: ( steps.detect.outputs.all_changed_files != '' && always() ) || ( github.event_name == 'workflow_dispatch' && always() )
+ uses: ./.github/workflows/terraform-analyse
+ with:
+ tfdir: ${{ inputs.tfdir }}
+ mondoo_service_account: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
From 18647121436e534469fbfa5ce89787be19c9c815 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Mon, 13 May 2024 08:53:53 +0200
Subject: [PATCH 2/3] fix: refs to secrets are passed not inherited
Signed-off-by: Martin Buchleitner
---
 .github/workflows/changelog-automation.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/changelog-automation.yml b/.github/workflows/changelog-automation.yml
index d9c3476..a253e28 100644
--- a/.github/workflows/changelog-automation.yml
+++ b/.github/workflows/changelog-automation.yml
@@ -8,14 +8,15 @@ on:
 description: 'The GitHub token for the bot account'
 required: true
-
 jobs:
 prebuild:
 uses: ./.github/workflows/pre-commit.yml
- secrets: inherit
+ secrets:
+ BOT_ACCESS_TOKEN: secrets.BOT_ACCESS_TOKEN
 release:
 needs: [ prebuild ]
 if: github.event_name != 'pull_request'
 uses: ./.github/workflows/release.yml
- secrets: inherit
+ secrets:
+ BOT_ACCESS_TOKEN: secrets.BOT_ACCESS_TOKEN
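Review bot: `uses: ./.github/workflows/terraform-analyse` in the `run terraform anlysis` step is a local action path, which is resolved in the workspace that `actions/checkout@v4` populated; for a `workflow_call` workflow invoked from another repository that workspace is the caller's checkout, so the composite action added in patch 1 would be missing unless every caller vendors the same directory. If this workflow is only ever called from within this repository the path is fine; otherwise check out this repository's copy of the action into a subdirectory first, or reference it by repository and ref, `uses: <owner>/<repo>/.github/workflows/terraform-analyse@<ref>`. The step name and the file name (`anlysis`, `tf-analyise`) are also misspelled and worth fixing before other repositories start referencing the file name.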
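Review bot: `BOT_ACCESS_TOKEN: secrets.BOT_ACCESS_TOKEN` on both added lines of the changelog-automation.yml hunk is a plain string, not a secret reference, so pre-commit.yml and release.yml receive the literal text `secrets.BOT_ACCESS_TOKEN` while the real token is never forwarded; the commit replaces `secrets: inherit` to pass the secret explicitly, but as written any authenticated step in the called workflows will fail. Secret references inside a `secrets:` block need the expression syntax: write `BOT_ACCESS_TOKEN: ${{ secrets.BOT_ACCESS_TOKEN }}` in both places.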
From 536488fabd8cd711c2ca4826ab9300e5e44c3837 Mon Sep 17 00:00:00 2001
From: Martin Buchleitner
Date: Mon, 13 May 2024 08:57:35 +0200
Subject: [PATCH 3/3] fix: update changelog ref
Signed-off-by: Martin Buchleitner
---
 .github/workflows/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
index 0501e53..085adb4 100644
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -9,6 +9,6 @@ on:
 jobs:
 changelog-automation:
- uses: ./.github/workflows/changelog-automation.yml
+ uses: infralovers/.github/.github/workflows/changelog-automation.yml@main
 secrets:
 BOT_ACCESS_TOKEN: "${{ fromJSON(secrets.VAULT_KV_1D187965_OP_GITHUB_INFRALOVERS).PAT }}"