Merge pull request #37 from ministryofjustice/fix/code-scanning

ministryofjustice · Feb 23, 2023 · a68d235 · a68d235
2 parents dcb2981 + 8919b87
commit a68d235
Showing 1 changed file with 17 additions and 6 deletions.
diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml
@@ -2,15 +2,17 @@ name: Secure Code Analysis
 on:
   schedule:
     - cron: '35 1 * * *'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 permissions:
-  actions: read
   contents: read
-  security-events: write
-env:
-  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 jobs:
   tflint:
     runs-on: '${{ matrix.os }}'
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     strategy:
       matrix:
         os:
@@ -33,7 +35,7 @@ jobs:
       - name: Init TFLint
         run: tflint --init
       - name: Run TFLint
-        run: tflint --format sarif --force > tflint.sarif
+        run: tflint --disable-rule=terraform_unused_declarations --format sarif > tflint.sarif
       - name: Upload SARIF file
         if: success() || failure()
         uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
@@ -42,6 +44,10 @@ jobs:
   tfsec:
     name: tfsec
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     steps:
       - name: Clone repo
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
@@ -51,7 +57,7 @@ jobs:
       - name: Run tfsec
         uses: aquasecurity/tfsec-action@b466648d6e39e7c75324f25d83891162a721f2d6 # v1.0.3
         with:
-          additional_args: '--format sarif --out tfsec.sarif'
+          additional_args: '--format sarif --out tfsec.sarif --exclude aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits'
       - name: Upload SARIF file
         if: success() || failure()
         uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
@@ -60,6 +66,10 @@ jobs:
   checkov:
     name: checkov
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
@@ -74,6 +84,7 @@ jobs:
           framework: terraform
           output_file_path: ./checkov.sarif
           output_format: sarif
+          skip_check: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
       - name: Upload SARIF file
         if: success() || failure()
         uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4