rusets · rusets · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,6 +15,8 @@ env:
 permissions:
   id-token: write
   contents: read
+  pull-requests: write
+  issues: write
 
 concurrency:
   group: ci-${{ github.ref }}
@@ -27,6 +29,11 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Lint Dockerfile (hadolint)
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: app/Dockerfile
+
       - name: Configure AWS (OIDC)
         uses: aws-actions/configure-aws-credentials@v4
         with:

diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml
@@ -12,10 +12,13 @@ on:
 permissions:
   contents: read
   pull-requests: write
+  security-events: write
 
 jobs:
   terraform-ci:
     runs-on: ubuntu-latest
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     strategy:
       fail-fast: false
@@ -46,27 +49,50 @@ jobs:
         run: terraform validate
         working-directory: infra
 
-      - name: Setup TFLint
-        uses: terraform-linters/setup-tflint@v4
+      - name: Run TFLint with reviewdog
+        uses: reviewdog/action-tflint@v1
         with:
-          tflint_version: latest
-
-      - name: Run TFLint
-        run: tflint --recursive
-        working-directory: infra
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          working_directory: infra
+          reporter: github-pr-check
+          fail_level: any
 
       - name: Run tfsec
         uses: aquasecurity/tfsec-action@v1.0.3
         with:
           working_directory: infra
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Run Checkov
+      - name: Run Checkov (SARIF)
         uses: bridgecrewio/checkov-action@v12
         with:
           directory: infra
           config_file: .checkov.yml
           quiet: true
+          output_format: sarif
+          output_file_path: checkov.sarif
+
+      - name: Upload Checkov SARIF
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: checkov.sarif
+          category: checkov-${{ matrix.terraform_version }}
+
+      - name: Publish Terraform CI summary
+        if: ${{ success() }}
+        run: |
+          cat << EOF >> "$GITHUB_STEP_SUMMARY"
+          # Terraform CI Summary
+
+          - Terraform version (matrix): \`${{ matrix.terraform_version }}\`
+          - Format check: passed
+          - Init (no backend): passed
+          - Validate: passed
+          - TFLint: passed
+          - Security: tfsec + Checkov passed
+
+          All Terraform checks finished successfully for this run.
+          EOF
 
       - name: Comment on PR with Terraform CI result
         if: always()

diff --git a/README.md b/README.md
@@ -192,7 +192,7 @@ docker-ecs-deployment
 
 ---
 
-## 📘 Documentation
+##  Documentation
 
 - **Architecture:** [`docs/architecture.md`](docs/architecture.md)
 - **SLO:** [`docs/slo.md`](docs/slo.md)
@@ -472,6 +472,20 @@ Each version runs the full set of format, validation, lint, and security checks.
 
 ---
 
+### **CI Updates**
+
+Terraform CI now adds a short report to GitHub Actions after every run.  
+The report shows:
+
+- which Terraform versions were tested  
+- results of format and validate checks  
+- results from TFLint, Checkov, and tfsec  
+- links to detailed logs  
+
+This makes reviewing changes easier and faster.
+
+---
+
 ### **Checks Included**
 
 - **Formatting**