|
13 | 13 | TF_LOG: INFO |
14 | 14 |
|
15 | 15 | jobs: |
| 16 | + generate-sbom: |
| 17 | + runs-on: ubuntu-latest |
| 18 | + name: "Trivy" |
| 19 | + permissions: |
| 20 | + contents: write # Required for modifying files |
| 21 | + steps: |
| 22 | + - name: Checkout code |
| 23 | + uses: actions/checkout@v4 |
| 24 | + |
| 25 | + - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph |
| 26 | + uses: aquasecurity/trivy-action@0.28.0 |
| 27 | + with: |
| 28 | + scan-type: 'fs' |
| 29 | + format: 'github' |
| 30 | + output: 'dependency-results.sbom.json' |
| 31 | + image-ref: '.' |
| 32 | + github-pat: ${{ secrets.GITHUB_TOKEN }} |
| 33 | + |
| 34 | + terrascan: |
| 35 | + runs-on: ubuntu-latest |
| 36 | + name: "Terrascan" |
| 37 | + permissions: |
| 38 | + contents: write # Required for modifying files |
| 39 | + security-events: write # Required to upload sarif |
| 40 | + steps: |
| 41 | + - name: Checkout code |
| 42 | + uses: actions/checkout@v4 |
| 43 | + |
| 44 | + - name: Run Terrascan |
| 45 | + id: terrascan |
| 46 | + uses: tenable/terrascan-action@main |
| 47 | + with: |
| 48 | + iac_type: 'terraform' |
| 49 | + iac_version: 'v14' |
| 50 | + only_warn: true |
| 51 | + sarif_upload: true |
| 52 | + |
| 53 | + - name: Upload SARIF file |
| 54 | + uses: github/codeql-action/upload-sarif@v3 |
| 55 | + with: |
| 56 | + sarif_file: terrascan.sarif |
| 57 | + |
16 | 58 | terraform: |
17 | 59 | name: "Terraform CICD" |
18 | 60 | runs-on: ubuntu-latest |
19 | 61 | permissions: |
20 | 62 | pull-requests: write # Required for creating or updating PRs |
21 | | - contents: write # Required for modifying files (if applicable) |
22 | | - security-events: write # Required to upload sarif |
| 63 | + contents: write # Required for modifying files |
23 | 64 | defaults: |
24 | 65 | run: |
25 | 66 | shell: bash |
@@ -97,20 +138,6 @@ jobs: |
97 | 138 | - name: Run TFLint |
98 | 139 | run: tflint -f compact --recursive --minimum-failure-severity=error |
99 | 140 |
|
100 | | - - name: Run Terrascan |
101 | | - id: terrascan |
102 | | - uses: tenable/terrascan-action@main |
103 | | - with: |
104 | | - iac_type: 'terraform' |
105 | | - iac_version: 'v14' |
106 | | - only_warn: true |
107 | | - sarif_upload: true |
108 | | - |
109 | | - - name: Upload SARIF file |
110 | | - uses: github/codeql-action/upload-sarif@v3 |
111 | | - with: |
112 | | - sarif_file: terrascan.sarif |
113 | | - |
114 | 141 | - name: Terraform plan [pull_request] |
115 | 142 | id: plan-pr |
116 | 143 | if: github.event_name == 'pull_request' |
|
0 commit comments