wbyc/terraform-vsphere-resourcegroups
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Checkov compliance scanning to CI pipeline
Some checks failed
Code Quality & Security Scan / Checkov Security Scan (push) Failing after 1m58s
Details
Code Quality & Security Scan / SonarQube Trigger (push) Has been skipped
Details

Browse Source 
- Added Checkov security scan job that runs before SonarQube
- Configured for Terraform-specific IaC compliance checks
- Outputs results in CLI and SARIF formats
- Uploads scan results as artifacts for review
- SonarQube job now depends on Checkov passing
- Renamed workflow to reflect both quality and security scanning
This commit is contained in:
Patrick de Ruiter 2025-11-01 22:36:25 +01:00
parent dcc7aaa091
commit 1262a96f93
Signed by: pderuiter
GPG Key ID: 5EBA7F21CF583321
1 changed files with 27 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
.gitea/workflows/sonarqube.yaml
View File

@ -5,11 +5,37 @@ on:
pull_request: pull_request:
types: [opened, synchronize, reopened] types: [opened, synchronize, reopened]
name: SonarQube Scan name: Code Quality & Security Scan
jobs: jobs:
checkov:
name: Checkov Security Scan
runs-on: ubuntu-latest
steps:
- name: Checking out
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run Checkov
uses: bridgecrewio/checkov-action@v12
with:
directory: .
framework: terraform
output_format: cli,sarif
output_file_path: console,results.sarif
soft_fail: false
- name: Upload Checkov results
if: always()
uses: actions/upload-artifact@v4
with:
name: checkov-results
path: results.sarif
sonarqube: sonarqube:
name: SonarQube Trigger name: SonarQube Trigger
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: checkov
steps: steps:
- name: Checking out - name: Checking out
uses: actions/checkout@v4 uses: actions/checkout@v4