add checkov

Author: florenciacomuzzi

.github/workflows/terraform.yml

@@ -85,6 +85,33 @@ jobs:
      - name: Run TFLint
        run: tflint -f compact --recursive --minimum-failure-severity=error
 
+ scan:
+   permissions:
+     contents: read # for actions/checkout to fetch code
+     security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+   runs-on: ubuntu-latest
+   name: "checkov"
+   steps:
+     - uses: actions/checkout@v3
+
+     - name: Checkov GitHub Action
+       uses: bridgecrewio/checkov-action@v12
+       with:
+         # This will add both a CLI output to the console and create a results.sarif file
+         output_format: cli,sarif
+         output_file_path: console,results.sarif
+
+     - name: Upload SARIF file
+       uses: github/codeql-action/upload-sarif@v2
+       # Results are generated only on a success or failure
+       # this is required since GitHub by default won't run the next step
+       # when the previous one has failed. Security checks that do not pass will 'fail'.
+       # An alternative is to add `continue-on-error: true` to the previous step
+       # Or 'soft_fail: true' to checkov.
+       if: success() || failure()
+       with:
+         sarif_file: results.sarif
+
  terraform:
    name: "Terraform"
    runs-on: ubuntu-latest