Minor update to README.md to enable PR creation #20
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Terraform Lint & Security | |
| permissions: | |
| contents: write | |
| on: | |
| pull_request: | |
| paths: | |
| - '**/*.tf' | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: 1.11.4 | |
| - name: Terraform fmt check | |
| run: terraform fmt -check -recursive | |
| - name: Install TFLint | |
| run: | | |
| curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash | |
| - name: Run TFLint | |
| run: tflint --recursive | |
| # checkov:skip=CKV_GHA_2: False positive: variables are quoted and branch names are safe in this context | |
| - name: Terraform recursive fmt | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: terraform fmt -recursive | |
| # checkov:skip=CKV_GHA_2: False positive: variables are quoted and branch names are safe in this context | |
| - name: Git config for auto-fix | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: | | |
| git config --global user.name "github-actions[bot]" | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| # checkov:skip=CKV_GHA_2: False positive: variables are quoted and branch names are safe in this context | |
| - name: Git add and commit auto-fix | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: | | |
| git add . | |
| git diff --cached --quiet || git commit -m "Auto-fix Terraform formatting" | |
| # checkov:skip=CKV_GHA_2: False positive: variables are quoted and branch names are safe in this context | |
| - name: Git pull rebase for auto-fix | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: git pull --rebase origin "${{ github.head_ref }}" | |
| # checkov:skip=CKV_GHA_2: False positive: variables are quoted and branch names are safe in this context | |
| - name: Git push auto-fix | |
| if: ${{ github.event_name == 'pull_request' }} | |
| run: git push origin HEAD:'${{ github.head_ref }}' # checkov:skip=CKV_GHA_2: False positive, variable is quoted | |
| # Install tfsec | |
| - name: Install tfsec | |
| run: | | |
| wget https://github.com/aquasecurity/tfsec/releases/latest/download/tfsec-linux-amd64 | |
| chmod +x tfsec-linux-amd64 | |
| sudo mv tfsec-linux-amd64 /usr/local/bin/tfsec | |
| - name: Run tfsec (Security Scan) | |
| run: tfsec . | |
| # Install Checkov | |
| - name: Install Checkov | |
| run: pip install checkov | |
| - name: Run Checkov (Security Scan) | |
| run: checkov -d . --skip-check CKV_AWS_51 |