deploy.yml

name: static-anlysis

on:
  push:
    branches: [ main ]
  pull_request:
  workflow_dispatch:

jobs:
  static-analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Analysis
        uses: ministryofjustice/github-actions/terraform-static-analysis@main
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          scan_type: changed
          tfsec_exclude: AWS095
          tflint_config: $(realpath .tflint.hcl)
          tfsec_output_file: tfsec.sarif
          tfsec_output_format: sarif
          checkov_external_modules: true
          checkov_exclude: CKV_TF_1,CKV_AWS_136,CKV_AWS_51,CKV_GIT_4,CKV_AWS_23,CKV_AWS_118,CKV_AWS_293,CKV_AWS_157,CKV_AWS_129,CKV_AWS_354,CKV_AWS_133,CKV_AWS_353,CKV_AWS_16,CKV_AWS_211,CKV2_AWS_64
          tflint_exclude: terraform_standard_module_structure