diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ad304e3..505bf6d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,6 +15,8 @@ env:
 permissions:
   id-token: write
   contents: read
+  pull-requests: write
+  issues: write
 
 concurrency:
   group: ci-${{ github.ref }}
@@ -27,6 +29,11 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Lint Dockerfile (hadolint)
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: app/Dockerfile
+
       - name: Configure AWS (OIDC)
         uses: aws-actions/configure-aws-credentials@v4
         with:
diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml
index 30295b5..96e57fe 100644
--- a/.github/workflows/terraform-ci.yml
+++ b/.github/workflows/terraform-ci.yml
@@ -12,10 +12,13 @@ on:
 permissions:
   contents: read
   pull-requests: write
+  security-events: write
 
 jobs:
   terraform-ci:
     runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     strategy:
       fail-fast: false
@@ -46,14 +49,13 @@ jobs:
         run: terraform validate
         working-directory: infra
 
-      - name: Setup TFLint
-        uses: terraform-linters/setup-tflint@v4
+      - name: Run TFLint with reviewdog
+        uses: reviewdog/action-tflint@v1
         with:
-          tflint_version: latest
-
-      - name: Run TFLint
-        run: tflint --recursive
-        working-directory: infra
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          working_directory: infra
+          reporter: github-pr-check
+          fail_level: any
 
       - name: Run tfsec
         uses: aquasecurity/tfsec-action@v1.0.3
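Review bot: The added `pull-requests: write` and `issues: write` sit in the workflow-level `permissions:` block, so every job in ci.yml — including the one that already mints cloud credentials through `id-token: write` — receives write access to PRs and issues whether or not it uses it. Least privilege would keep the workflow-level block at `contents: read` plus `id-token: write` and attach the two new scopes only on the job (via its own `permissions:`) that comments or labels. That consuming job is outside the hunk, so I cannot tell which one it is; if any trigger in `on:` is `pull_request_target`, a write-capable token alongside checked-out PR code deserves a second look.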
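Review bot: `hadolint/hadolint-action@v3.1.0` is pinned to a mutable tag rather than a commit SHA, so the code that runs in this job can change without any change to this file; the same applies to `reviewdog/action-tflint@v1` and `github/codeql-action/upload-sarif@v4` added in terraform-ci.yml. Pin each new `uses:` line to the full commit SHA and keep the tag as a trailing comment, e.g. `uses: hadolint/hadolint-action@<commit-sha>  # v3.1.0`, and let Dependabot or Renovate bump the SHA. Placing the lint before `Configure AWS (OIDC)` is the right order, since a lint failure then stops the job before any credentials are issued. The rest of the job's steps are outside the hunk.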
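Review bot: The new job-level `env:` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` exports the token into the environment of every step in `terraform-ci`, including third-party actions and every `run` script, while the only consumer visible in this diff (the reviewdog TFLint step) already receives it through its `github_token` input. A job-wide export widens what any step can read; drop the `env:` block, or set `env:` on the single step that actually needs the variable. `security-events: write` is the right scope for the SARIF upload, but it too could live on the `terraform-ci` job's own `permissions:` rather than at workflow level. The job definition continues past the hunk.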
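Review bot: The removed `Run TFLint` step ran `tflint --recursive`, but the replacement only passes `working_directory: infra`, so nested modules under `infra/` may no longer be linted unless the action's `flags` input (or an equivalent) carries `--recursive`; confirm against the action's documentation and against a run that touches a nested module. `reporter: github-pr-check` also depends on a pull-request context — on a plain `push` run there is no PR to annotate — so check how the workflow's `on:` triggers (outside this hunk) interact with it, or fall back to `reporter: github-check` for non-PR events.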
@@ -61,12 +63,36 @@ jobs:
           working_directory: infra
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Run Checkov
+      - name: Run Checkov (SARIF)
         uses: bridgecrewio/checkov-action@v12
         with:
           directory: infra
           config_file: .checkov.yml
           quiet: true
+          output_format: sarif
+          output_file_path: checkov.sarif
+
+      - name: Upload Checkov SARIF
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: checkov.sarif
+          category: checkov-${{ matrix.terraform_version }}
+
+      - name: Publish Terraform CI summary
+        if: ${{ success() }}
+        run: |
+          cat << EOF >> "$GITHUB_STEP_SUMMARY"
+          # Terraform CI Summary
+
+          - Terraform version (matrix): \`${{ matrix.terraform_version }}\`
+          - Format check: passed
+          - Init (no backend): passed
+          - Validate: passed
+          - TFLint: passed
+          - Security: tfsec + Checkov passed
+
+          All Terraform checks finished successfully for this run.
+          EOF
 
       - name: Comment on PR with Terraform CI result
         if: always()
diff --git a/README.md b/README.md
index 458e379..6a3932a 100644
--- a/README.md
+++ b/README.md
@@ -192,7 +192,7 @@ docker-ecs-deployment
 
 ---
 
-## 📘 Documentation
+## Documentation
 
 - **Architecture:** [`docs/architecture.md`](docs/architecture.md)
 - **SLO:** [`docs/slo.md`](docs/slo.md)
@@ -472,6 +472,20 @@ Each version runs the full set of format, validation, lint, and security checks.
 
 ---
 
+### **CI Updates**
+
+Terraform CI now adds a short report to GitHub Actions after every run.
+The report shows:
+
+- which Terraform versions were tested
+- results of format and validate checks
+- results from TFLint, Checkov, and tfsec
+- links to detailed logs
+
+This makes reviewing changes easier and faster.
+
+---
+
 ### **Checks Included**
 
 - **Formatting**
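Review bot: `Upload Checkov SARIF` carries no `if:` condition, so it only runs when the preceding `Run Checkov (SARIF)` step succeeds; if the Checkov step fails on findings (no `soft_fail` is visible in this hunk), the SARIF is uploaded only on clean runs and the findings that matter never reach the Security tab. Add `if: success() || failure()` (or `if: always()`) to the upload step so results are published regardless of Checkov's exit status, leaving the job's overall outcome to the Checkov step itself. The `Publish Terraform CI summary` step interpolates `${{ matrix.terraform_version }}` straight into a shell heredoc; matrix values are repository-controlled, so this is low risk, but passing the value through a step `env:` entry (for example `TF_VERSION`) and expanding the shell variable in the script keeps the pattern expression-injection-safe by construction. The `Comment on PR` step that follows continues outside the hunk.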