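---
# Reusable workflow: runs the repository's pre-commit hooks (with the tool
# chain the hooks need installed first) plus a Checkov scan in a second job.
# Callable from other workflows (workflow_call) or started by hand
# (workflow_dispatch). Every third-party action is pinned to a commit SHA;
# the version tag in the trailing comment is informational only.
name: re-pre-commit
on:  # yamllint disable-line rule:truthy
  workflow_call:
  workflow_dispatch:

env:
  HADOLINT_VERSION: 'v2.14.0'
  # SHA-256 of the hadolint-Linux-x86_64 release asset for HADOLINT_VERSION.
  # Update it together with HADOLINT_VERSION. While it is not filled in, the
  # install step fails closed instead of placing an unverified binary on PATH.
  HADOLINT_SHA256: '<FILL-IN: sha256 hex digest of hadolint-Linux-x86_64 for HADOLINT_VERSION>'
  PYTHON_VERSION: '3.14.x'
  TERRAFORM_VERSION: '1.13.x'

# Read-only token for every job; nothing below needs write access.
permissions:
  contents: read

jobs:
  default-run:
    runs-on: ubuntu-latest
    timeout-minutes: 30  # bound runner time if a hook or a download hangs
    steps:
      - name: Checkout source code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Setup Python
        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install package
        shell: bash
        run: |
          # project Makefile target; presumably installs the package and the
          # pre-commit/pyscan tooling used below -- confirm against the Makefile
          make local-install

      - name: Scan Python dependencies
        shell: bash
        run: |
          # Pyscan vulnerabilities on python dependencies; skipped when the
          # repository declares no Python dependencies at all
          [[ ! -f "requirements.txt" && ! -f "pyproject.toml" ]] || pyscan -d .

      - name: Install hadolint
        shell: bash
        run: |
          # install hadolint from the release binary; the digest is checked
          # before the file is made executable and moved onto PATH with sudo.
          # Shell expansion of the env vars (rather than ${{ }} templating)
          # keeps their values out of the script text itself.
          wget -O hadolint "https://github.com/hadolint/hadolint/releases/download/${HADOLINT_VERSION}/hadolint-Linux-x86_64"
          echo "${HADOLINT_SHA256}  hadolint" | sha256sum -c -
          chmod +x hadolint
          sudo mv hadolint /usr/bin/
          hadolint --version

      - name: Install terraform
        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
        with:
          terraform_version: ${{ env.TERRAFORM_VERSION }}

      - name: Install tflint
        uses: terraform-linters/setup-tflint@4cb9feea73331a35b422df102992a03a44a3bb33 # v6.2.1

      - name: Run pre-commit on everything
        shell: bash
        run: pre-commit run -a -v  # -a: all files, not just staged changes

  add-on-checkov:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout source code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Run Checkov Github Action
        id: checkov
        uses: bridgecrewio/checkov-action@8f61ce5b8a3afb4ca94d236b75201878ded6d2cd # v12.3077.0
        with:
          log_level: WARNING
          quiet: false
          # results stay in the job log; nothing is sent to an external platform
          skip_results_upload: "true"
          enable_secrets_scan_all_files: "true"
          skip_check: CKV_GIT_1,CKV_GIT_3,CKV_GIT_5,CKV_GIT_6,CKV2_GIT_1,CKV2_GHA_1,CKV_DOCKER_2,CKV_DOCKER_3
          # Skip Check Details
          # ID Description
          # CKV_GIT_1 - Ensure GitHub repository is Private
          # CKV_GIT_3 - Ensure GitHub Repository defined in Terraform have vulnerability alerts enabled
          # CKV_GIT_5 - Ensure GitHub pull requests should require at least 2 approvals
          # CKV_GIT_6 - Ensure GitHub branch protection rules requires signed commits
          # CKV2_GIT_1 - Ensure each Repository has branch protection associated
          # CKV2_GHA_1 - Ensure top-level permissions are not set to write-all
          # CKV_DOCKER_2 - Ensure that HEALTHCHECK instructions have been added to container images
          # CKV_DOCKER_3 - Ensure that a user for the container has been created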