From 9b5e46a217e3c4bcb0377737553d4ce2671afbb7 Mon Sep 17 00:00:00 2001 From: Ruslan Dashkin Date: Wed, 10 Dec 2025 09:55:31 -0600 Subject: [PATCH 01/12] Test PR for CI comment --- README.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 458e379..6a3932a 100644 --- a/README.md +++ b/README.md @@ -192,7 +192,7 @@ docker-ecs-deployment --- -## 📘 Documentation +## Documentation - **Architecture:** [`docs/architecture.md`](docs/architecture.md) - **SLO:** [`docs/slo.md`](docs/slo.md) @@ -472,6 +472,20 @@ Each version runs the full set of format, validation, lint, and security checks. --- +### **CI Updates** + +Terraform CI now adds a short report to GitHub Actions after every run. +The report shows: + +- which Terraform versions were tested +- results of format and validate checks +- results from TFLint, Checkov, and tfsec +- links to detailed logs + +This makes reviewing changes easier and faster. + +--- + ### **Checks Included** - **Formatting** From eac67e76f824c8c1b741280f2096cd91d36973ce Mon Sep 17 00:00:00 2001 From: Ruslan Dashkin Date: Wed, 10 Dec 2025 09:59:05 -0600 Subject: [PATCH 02/12] Grant PR comment permissions to CI --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ad304e3..f5b38d5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,6 +15,8 @@ env: permissions: id-token: write contents: read + pull-requests: write + issues: write concurrency: group: ci-${{ github.ref }} From e37f32e7f85f3cdafbb5be5d537e8a48933e3f69 Mon Sep 17 00:00:00 2001 From: Ruslan Dashkin Date: Wed, 10 Dec 2025 10:07:28 -0600 Subject: [PATCH 03/12] Add Terraform CI job summary --- .github/workflows/terraform-ci.yml | 41 ++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index 30295b5..04e318f 100644 
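Review bot: The new `pull-requests: write` and `issues: write` lines land in the workflow-level `permissions:` block of ci.yml, so every job in that workflow, including the one that later obtains AWS credentials via OIDC (`id-token: write` is right above), receives a token that can write to PRs and issues, while nothing visible in ci.yml posts a comment; the commenting step in this series lives in terraform-ci.yml, which already declares its own `pull-requests: write`. If a job in ci.yml does need to comment, scope the grant to that job with a job-level `permissions:` block, and drop `issues: write` unless it is shown to be required — creating a comment on a pull request works with `pull-requests: write` alone as far as I know. The `on:` trigger is outside this hunk; if the workflow runs on `pull_request_target`, a write-capable token combined with a checkout of the PR head is a well-known privilege-escalation pattern and deserves a separate look.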
--- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml @@ -68,6 +68,47 @@ jobs: config_file: .checkov.yml quiet: true + - name: Publish Terraform CI summary + if: ${{ success() }} + run: | + cat << EOF >> "$GITHUB_STEP_SUMMARY" + # Terraform CI Summary + + - Terraform version (matrix): \`${{ matrix.terraform_version }}\` + - Format check: passed + - Init (no backend): passed + - Validate: passed + - TFLint: passed + - Security: tfsec + Checkov passed + + All Terraform checks finished successfully for this run. + EOF + + - name: Comment on PR with Terraform CI result + if: always() + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const conclusion = '${{ job.status }}'; + const symbols = { success: '✅', failure: '❌', cancelled: 'âšĒī¸' }; + const symbol = symbols[conclusion] || 'â„šī¸'; + const body = + `${symbol} Terraform CI finished with status: **${conclusion}**\n\n` + + `Terraform versions tested: 1.6.6, 1.8.5, 1.9.5.\n` + + `See detailed results in the "Checks" tab.`; + const pr = context.payload.pull_request; + if (!pr) { + core.info('No pull_request context, skipping comment.'); + } else { + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: pr.number, + body + }); + } + - name: Comment on PR with Terraform CI result if: always() uses: actions/github-script@v7 From 43a332eba0c4409fb8f956e0697f9c91f34f1ba8 Mon Sep 17 00:00:00 2001 From: Ruslan Dashkin Date: Wed, 10 Dec 2025 10:17:04 -0600 Subject: [PATCH 04/12] Add Dockerfile lint with hadolint --- .github/workflows/ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f5b38d5..505bf6d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
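Review bot: The trailing context of this hunk shows an existing `Comment on PR with Terraform CI result` step immediately after the one being added, with the same name and body, so each job would post the comment twice; and because the job is a matrix over Terraform versions (the summary step reads `matrix.terraform_version`), every matrix leg posts, giving several near-identical comments per push. The comment body also hard-codes `Terraform versions tested: 1.6.6, 1.8.5, 1.9.5.`, which will silently drift from the matrix definition. Consider posting from a single leg, e.g. `if: always() && strategy.job-index == 0`, and updating an existing bot comment via `issues.listComments` rather than always creating a new one, or at least include `${{ matrix.terraform_version }}` so the comments are distinguishable. The job and its `strategy:` block begin outside the hunk.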
@@ -29,6 +29,11 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Lint Dockerfile (hadolint) + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: app/Dockerfile + - name: Configure AWS (OIDC) uses: aws-actions/configure-aws-credentials@v4 with: From 09e0e5990ec7d1d47d55c7cedbcb27391bcae803 Mon Sep 17 00:00:00 2001 From: Ruslan Dashkin Date: Wed, 10 Dec 2025 10:20:08 -0600 Subject: [PATCH 05/12] Enable annotations for Terraform CI --- .github/workflows/terraform-ci.yml | 53 +++++++++++++----------------- 1 file changed, 23 insertions(+), 30 deletions(-) diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index 04e318f..613fc96 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml @@ -12,6 +12,7 @@ on: permissions: contents: read pull-requests: write + security-events: write jobs: terraform-ci: @@ -51,22 +52,39 @@ jobs: with: tflint_version: latest - - name: Run TFLint - run: tflint --recursive - working-directory: infra + - name: Run TFLint (with annotations) + uses: terraform-linters/tflint-pr-commenter-action@v1 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + tflint_command: "tflint --recursive" + directory: "infra" - - name: Run tfsec + - name: Run tfsec (SARIF) uses: aquasecurity/tfsec-action@v1.0.3 with: working_directory: infra github_token: ${{ secrets.GITHUB_TOKEN }} + format: sarif + output_file: tfsec.sarif + + - name: Upload tfsec SARIF + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: tfsec.sarif - - name: Run Checkov + - name: Run Checkov (SARIF) uses: bridgecrewio/checkov-action@v12 with: directory: infra config_file: .checkov.yml quiet: true + output_format: sarif + output_file_path: checkov.sarif + + - name: Upload Checkov SARIF + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: checkov.sarif - name: Publish Terraform CI summary if: ${{ success() }} 
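Review bot: `hadolint/hadolint-action@v3.1.0` is pinned to a mutable tag, and this job runs under a workflow-level `id-token: write` (see the earlier ci.yml hunk), so any third-party action step in the job can request an OIDC token that the AWS role trusts; whoever controls that tag controls code running with that capability. Pin it to a full commit SHA with the version as a trailing comment, `uses: hadolint/hadolint-action@<commit-sha> # v3.1.0`, and the same applies to the other `@vN` actions in this file. Also confirm the intended gate: as far as I recall, hadolint-action defaults to `failure-threshold: info`, so style-level findings will block the pipeline unless `failure-threshold: warning` or `error` is set explicitly.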
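Review bot: The new `Upload tfsec SARIF` and `Upload Checkov SARIF` steps carry no `if:` condition, so they run only when the preceding scanner step succeeded; tfsec-action and checkov-action, as far as I know, exit non-zero when they find issues unless soft-fail is enabled, which means the runs that actually produce findings are precisely the ones whose SARIF never reaches code scanning. Add `if: ${{ !cancelled() }}` to each upload step, or run the scanners with `soft_fail: true` and let code-scanning alerts gate the PR. Independently, the three matrix legs all upload SARIF for the same tool with no `category:`, so GitHub treats them as one analysis and only one leg's results persist; a per-leg category such as `tfsec-${{ matrix.terraform_version }}` is needed. The job's `strategy:` block and earlier steps are outside the hunk.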
@@ -108,28 +126,3 @@ jobs: body }); } - - - name: Comment on PR with Terraform CI result - if: always() - uses: actions/github-script@v7 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - const conclusion = '${{ job.status }}'; - const symbols = { success: '✅', failure: '❌', cancelled: 'âšĒī¸' }; - const symbol = symbols[conclusion] || 'â„šī¸'; - const body = - `${symbol} Terraform CI finished with status: **${conclusion}**\n\n` + - `Terraform versions tested: 1.6.6, 1.8.5, 1.9.5.\n` + - `See detailed results in the "Checks" tab.`; - const pr = context.payload.pull_request; - if (!pr) { - core.info('No pull_request context, skipping comment.'); - } else { - await github.rest.issues.createComment({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: pr.number, - body - }); - } From d4409c21de2c77de35cafe58eaf4064b56e0ac75 Mon Sep 17 00:00:00 2001 From: Ruslan Dashkin Date: Wed, 10 Dec 2025 10:22:39 -0600 Subject: [PATCH 06/12] Fix TFLint action and enable annotations --- .github/workflows/terraform-ci.yml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index 613fc96..3ff7b8e 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml @@ -47,17 +47,13 @@ jobs: run: terraform validate working-directory: infra - - name: Setup TFLint - uses: terraform-linters/setup-tflint@v4 - with: - tflint_version: latest - - - name: Run TFLint (with annotations) - uses: terraform-linters/tflint-pr-commenter-action@v1 + - name: Run TFLint with reviewdog + uses: reviewdog/action-tflint@v1 with: github_token: ${{ secrets.GITHUB_TOKEN }} - tflint_command: "tflint --recursive" - directory: "infra" + working_directory: infra + reporter: github-pr-check + fail_level: any - name: Run tfsec (SARIF) uses: aquasecurity/tfsec-action@v1.0.3 From 948f0818c5e4afa6f87ea2143c30a8ae61830f94 Mon Sep 17 00:00:00 2001 
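Review bot: The replacement step silently drops `--recursive`: the old `tflint --recursive` linted every module under `infra`, whereas `reviewdog/action-tflint` with `working_directory: infra` lints only that directory unless told otherwise, so nested modules lose coverage (pass `flags: --recursive` to keep it — confirm against the action's inputs). Second, `reporter: github-pr-check` reports through the Checks API, which needs `checks: write` on the token; the workflow's permissions shown in the previous patch are `contents: read`, `pull-requests: write` and `security-events: write`, so either add `checks: write` or switch to `reporter: github-pr-review`, which works with `pull-requests: write`. The job's remaining steps continue outside the hunk.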
From: Ruslan Dashkin Date: Wed, 10 Dec 2025 10:28:25 -0600 Subject: [PATCH 07/12] Fix tfsec SARIF and update upload-sarif to v4 --- .github/workflows/terraform-ci.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index 3ff7b8e..e7ac3b0 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml @@ -56,12 +56,16 @@ jobs: fail_level: any - name: Run tfsec (SARIF) - uses: aquasecurity/tfsec-action@v1.0.3 + uses: aquasecurity/tfsec-sarif-action@v0.1.4 with: + sarif_file: tfsec-${{ matrix.terraform_version }}.sarif working_directory: infra github_token: ${{ secrets.GITHUB_TOKEN }} - format: sarif - output_file: tfsec.sarif + + - name: Upload tfsec SARIF + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: tfsec-${{ matrix.terraform_version }}.sarif - name: Upload tfsec SARIF uses: github/codeql-action/upload-sarif@v3 @@ -78,7 +82,7 @@ jobs: output_file_path: checkov.sarif - name: Upload Checkov SARIF - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: checkov.sarif From dcd9a3445b8928063e112bd176bbd1bb1291c10a Mon Sep 17 00:00:00 2001 From: Ruslan Dashkin Date: Wed, 10 Dec 2025 10:32:43 -0600 Subject: [PATCH 08/12] Fix tfsec SARIF config --- .github/workflows/terraform-ci.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index e7ac3b0..84bc7ad 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml 
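Review bot: After this hunk the job has two `Upload tfsec SARIF` steps: the new `@v4` one reading `tfsec-${{ matrix.terraform_version }}.sarif`, and the pre-existing `@v3` one in the trailing context that still reads `tfsec.sarif`, a file nothing produces any more, so that second step will fail on every run. Remove the old step in the same change instead of leaving both. Also, `aquasecurity/tfsec-sarif-action` is a different action from `tfsec-action` with its own inputs; `github_token` and `working_directory` should be checked against its `action.yml` before relying on them, and pinning it to a commit SHA rather than `@v0.1.4` would be consistent with the supply-chain posture a job holding write tokens warrants. The job's step list continues outside the hunk.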
@@ -56,16 +56,15 @@ jobs: fail_level: any - name: Run tfsec (SARIF) - uses: aquasecurity/tfsec-sarif-action@v0.1.4 + uses: aquasecurity/tfsec-sarif-action@v1.0.3 with: - sarif_file: tfsec-${{ matrix.terraform_version }}.sarif working_directory: infra - github_token: ${{ secrets.GITHUB_TOKEN }} + sarif_file: tfsec.sarif - name: Upload tfsec SARIF uses: github/codeql-action/upload-sarif@v4 with: - sarif_file: tfsec-${{ matrix.terraform_version }}.sarif + sarif_file: tfsec.sarif - name: Upload tfsec SARIF uses: github/codeql-action/upload-sarif@v3 From 7b0a5a725cc534634a344fb6db616992307e0942 Mon Sep 17 00:00:00 2001 From: Ruslan Dashkin Date: Wed, 10 Dec 2025 10:37:02 -0600 Subject: [PATCH 09/12] Fix tfsec action and SARIF upload --- .github/workflows/terraform-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index 84bc7ad..e04b252 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml @@ -56,10 +56,10 @@ jobs: fail_level: any - name: Run tfsec (SARIF) - uses: aquasecurity/tfsec-sarif-action@v1.0.3 + uses: aquasecurity/tfsec-action@v1.0.3 with: working_directory: infra - sarif_file: tfsec.sarif + additional_args: --out tfsec.sarif --format sarif - name: Upload tfsec SARIF uses: github/codeql-action/upload-sarif@v4 From 130d1426796bbe80193fed3821be7afc15ca8ff4 Mon Sep 17 00:00:00 2001 From: Ruslan Dashkin Date: Wed, 10 Dec 2025 11:22:30 -0600 Subject: [PATCH 10/12] Set SARIF categories and GITHUB_TOKEN for Terraform CI --- .github/workflows/terraform-ci.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index e04b252..45fb1c0 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml 
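Review bot: `additional_args: --out tfsec.sarif --format sarif` runs under `working_directory: infra`, so tfsec writes `infra/tfsec.sarif`, while the upload step in the trailing context reads `sarif_file: tfsec.sarif` at the repository root; unless tfsec resolves `--out` against the repo root (I don't believe it does), the upload fails with a missing file. Either write to an absolute path, `--out ${{ github.workspace }}/tfsec.sarif`, or point the upload at `infra/tfsec.sarif`. As of the previous patch a second `Upload tfsec SARIF` step on `@v3` reading the same file name also still exists below this hunk and should go. The surrounding job definition starts and ends outside the hunk.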
@@ -17,6 +17,8 @@ permissions: jobs: terraform-ci: runs-on: ubuntu-latest + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} strategy: fail-fast: false @@ -55,16 +57,17 @@ jobs: reporter: github-pr-check fail_level: any - - name: Run tfsec (SARIF) - uses: aquasecurity/tfsec-action@v1.0.3 - with: - working_directory: infra - additional_args: --out tfsec.sarif --format sarif - - name: Upload tfsec SARIF uses: github/codeql-action/upload-sarif@v4 with: sarif_file: tfsec.sarif + category: tfsec-${{ matrix.terraform_version }} + + - name: Upload Checkov SARIF + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: checkov.sarif + category: checkov-${{ matrix.terraform_version }} - name: Upload tfsec SARIF uses: github/codeql-action/upload-sarif@v3 From adc55730b4c83a1a59d2d2aceccba403fbcb84e6 Mon Sep 17 00:00:00 2001 From: Ruslan Dashkin Date: Wed, 10 Dec 2025 11:26:38 -0600 Subject: [PATCH 11/12] Clean up Terraform CI and fix tfsec/Checkov SARIF --- .github/workflows/terraform-ci.yml | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index 45fb1c0..da75a63 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml 
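Review bot: Exporting `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` as a job-level `env:` hands the token to every step and every child process in the job — `terraform init`, TFLint, tfsec, Checkov and any action's scripts — not just the step that needs it, and per this workflow's `permissions:` that token carries `pull-requests: write` and `security-events: write`. Many tools pick up a `GITHUB_TOKEN` variable on their own for API calls or module downloads, which widens where the token travels and what a compromised action could do with it. Prefer passing it per step, via `with: github_token:` or a step-level `env:`, as the TFLint step already does. The job's `strategy:` and steps run past the hunk.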
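Review bot: The `Run tfsec (SARIF)` step is deleted here while the `Upload tfsec SARIF` step it fed is kept (now with a `category:`), so after this hunk `tfsec.sarif` is uploaded from nothing and tfsec no longer runs at all in the job. The hunk also adds an `Upload Checkov SARIF` step ahead of the Checkov run, whereas one already exists after it (see the second hunk of patch 07), leaving two uploads of the same file, the first before the file is produced. If the intent was only to add categories, the two `category:` lines belong on the existing upload steps rather than in new ones. The Checkov run and the later upload are outside this hunk.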
@@ -57,22 +57,17 @@ jobs: reporter: github-pr-check fail_level: any - - name: Upload tfsec SARIF - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: tfsec.sarif - category: tfsec-${{ matrix.terraform_version }} - - - name: Upload Checkov SARIF - uses: github/codeql-action/upload-sarif@v4 + - name: Run tfsec (SARIF) + uses: aquasecurity/tfsec-action@v1.0.3 with: - sarif_file: checkov.sarif - category: checkov-${{ matrix.terraform_version }} + working_directory: infra + additional_args: --out tfsec.sarif --format sarif - name: Upload tfsec SARIF - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: - sarif_file: tfsec.sarif + sarif_file: infra/tfsec.sarif + category: tfsec-${{ matrix.terraform_version }} - name: Run Checkov (SARIF) uses: bridgecrewio/checkov-action@v12 @@ -87,6 +82,7 @@ jobs: uses: github/codeql-action/upload-sarif@v4 with: sarif_file: checkov.sarif + category: checkov-${{ matrix.terraform_version }} - name: Publish Terraform CI summary if: ${{ success() }} From ee51e880be5bc8d7732d800c10d79fa7969f80c1 Mon Sep 17 00:00:00 2001 From: Ruslan Dashkin Date: Wed, 10 Dec 2025 11:29:34 -0600 Subject: [PATCH 12/12] Simplify Terraform CI and rely on built-in tfsec annotations --- .github/workflows/terraform-ci.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index da75a63..96e57fe 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml 
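Review bot: The rebuilt `Upload tfsec SARIF` step still has no `if:` condition, so it is skipped whenever tfsec exits non-zero on findings (its default, as far as I know), which is exactly when the SARIF matters; `if: ${{ !cancelled() }}` on the upload step, or `soft_fail: true` on the scanner, closes that gap. The output is also now written into `infra/tfsec.sarif`, inside the Terraform tree that the following Checkov step scans with `directory: infra`; writing to `${{ runner.temp }}/tfsec.sarif` keeps scanner artefacts out of the scanned source and avoids surprises if Checkov tries to parse the JSON. The Checkov steps continue outside the hunk.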
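Review bot: The `category: checkov-${{ matrix.terraform_version }}` addition is the right fix for the matrix uploads, but the step reads `sarif_file: checkov.sarif` while checkov-action's documented usage, as I recall it, treats `output_file_path` as a location whose SARIF lands in `results.sarif` (`output_file_path: console,results.sarif`); confirm that `checkov.sarif` actually exists at the repo root after the run, for example with an `ls -l checkov.sarif` step or `if: ${{ !cancelled() }}` plus a clear failure on a missing file, rather than trusting the name. The Checkov run step and its inputs are outside this hunk.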
@@ -57,17 +57,11 @@ jobs: reporter: github-pr-check fail_level: any - - name: Run tfsec (SARIF) + - name: Run tfsec uses: aquasecurity/tfsec-action@v1.0.3 with: working_directory: infra - additional_args: --out tfsec.sarif --format sarif - - - name: Upload tfsec SARIF - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: infra/tfsec.sarif - category: tfsec-${{ matrix.terraform_version }} + github_token: ${{ secrets.GITHUB_TOKEN }} - name: Run Checkov (SARIF) uses: bridgecrewio/checkov-action@v12
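Review bot: tfsec findings no longer reach code scanning after this hunk — they exist only in the job log — and `tfsec-action@v1.0.3`, as far as I can tell, runs the scanner without emitting GitHub annotations itself, so the "built-in annotations" the subject relies on should be verified on a real PR with a known finding before the SARIF path is considered redundant. The `github_token` passed here also duplicates the job-level `GITHUB_TOKEN` env added in patch 10; keep the per-step input and drop the job-level export so the token is not exposed to every step. Given that tfsec has been folded into Trivy and is, to my knowledge, in maintenance mode, `aquasecurity/trivy-action` with `scan-type: config` and SARIF output would restore code-scanning visibility for the Terraform checks under a maintained scanner. The Checkov steps continue past the hunk.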