From 3f5dba68fc2e2afa3a646c6c2d4d61177755aaa7 Mon Sep 17 00:00:00 2001 From: chrisbloe Date: Tue, 2 Dec 2025 10:40:37 +0000 Subject: [PATCH 1/9] [PRM-625] Introduce Checkov scanning --- .github/workflows/automated-pr-validator.yml | 24 ++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/.github/workflows/automated-pr-validator.yml b/.github/workflows/automated-pr-validator.yml index fda212f05..0973db552 100644 --- a/.github/workflows/automated-pr-validator.yml +++ b/.github/workflows/automated-pr-validator.yml @@ -120,3 +120,27 @@ jobs: BRANCH_NAME=${{ github.event.repository.default_branch }} chmod +x scripts/markdown-validator.sh scripts/markdown-validator.sh + + checkov: + name: Checkov Scan + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Checkov Scan + uses: bridgecrewio/checkov-action@master + with: + quiet: true + output_format: cli,sarif + output_file_path: console,results.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + if: success() || failure() + with: + sarif_file: results.sarif From f79535e9f783bdb02f0802985ee3946418eafa39 Mon Sep 17 00:00:00 2001 From: chrisbloe Date: Tue, 2 Dec 2025 10:43:36 +0000 Subject: [PATCH 2/9] Version updates --- .github/workflows/automated-pr-validator.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/automated-pr-validator.yml b/.github/workflows/automated-pr-validator.yml index 0973db552..c9b2e7bf3 100644 --- a/.github/workflows/automated-pr-validator.yml +++ b/.github/workflows/automated-pr-validator.yml 
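Review bot: `uses: bridgecrewio/checkov-action@master` pins a third-party action to a mutable branch, inside a job that holds `security-events: write`; anyone who can push to that branch (or a compromised maintainer account) gets code execution in this workflow with that token. Pin it to a tagged release, or better a full commit SHA with the version in a trailing comment, e.g. `uses: bridgecrewio/checkov-action@<full-commit-sha> # vX.Y.Z`, and let Dependabot/Renovate bump it. Minor: `if: success() || failure()` on the upload step is equivalent to `if: '!cancelled()'`, which states the intent more directly.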
@@ -130,7 +130,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v6 - name: Checkov Scan uses: bridgecrewio/checkov-action@master @@ -140,7 +140,7 @@ jobs: output_file_path: console,results.sarif - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v4 if: success() || failure() with: sarif_file: results.sarif From fc66f064e9445e4f33082a8f58626f589ab5d488 Mon Sep 17 00:00:00 2001 From: chrisbloe Date: Tue, 2 Dec 2025 10:52:57 +0000 Subject: [PATCH 3/9] Add PR comments for Checkov scan results --- .github/workflows/automated-pr-validator.yml | 62 ++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/.github/workflows/automated-pr-validator.yml b/.github/workflows/automated-pr-validator.yml index c9b2e7bf3..3b607aff0 100644 --- a/.github/workflows/automated-pr-validator.yml +++ b/.github/workflows/automated-pr-validator.yml 
@@ -144,3 +144,65 @@ jobs: if: success() || failure() with: sarif_file: results.sarif + + - name: Add/Update Checkov failure comment + uses: actions/github-script@v8 + if: always() && failure() + with: + script: | + // 1. Retrieve existing bot comments for the PR + const { data: comments } = await github.rest.issues.listComments({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + }) + + const botComment = comments.find(comment => { + return comment.user.type === 'Bot' && comment.body.includes('Checkov issues found') + }) + + // 2. Prepare format of the comment + const output = `### Checkov issues found + View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`; + + // 3. If we have a comment, update it, otherwise create a new one + if (botComment) { + github.rest.issues.deleteComment({ + owner: context.repo.owner, + repo: context.repo.repo, + comment_id: botComment.id, + body: output + }) + } + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + + - name: Delete Checkov failure comment + uses: actions/github-script@v8 + if: always() && success() + with: + script: | + // 1. Retrieve existing bot comments for the PR + const { data: comments } = await github.rest.issues.listComments({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + }) + + const botComment = comments.find(comment => { + return comment.user.type === 'Bot' && comment.body.includes('Checkov issues found') + }) + + // 2. If we have a comment, update it, otherwise create a new one + if (botComment) { + github.rest.issues.deleteComment({ + owner: context.repo.owner, + repo: context.repo.repo, + comment_id: botComment.id + }) + } From cb77c3f3a106acb15f0bf94989ebd6abec9fea12 Mon Sep 17 00:00:00 2001 
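Review bot: In the "Add/Update" step the `if (botComment)` branch calls `deleteComment` with a `body` field that API ignores, and neither that call nor the following `createComment` is awaited, so a rejected request only surfaces as an unhandled-rejection warning while the step still reports success; the inline comment also says "update it" while the code deletes. Use `updateComment` when a comment exists and `createComment` otherwise, awaiting both, and `await` the `deleteComment` in the cleanup step as well. Separately, `failure()` is true if any earlier step failed — checkout or the SARIF upload included — so the "Checkov issues found" comment can be posted for an unrelated failure; give the scan step `id: checkov` and gate on `if: steps.checkov.outcome == 'failure'` instead, dropping the redundant `always() &&`.
```yaml
      - name: Add/Update Checkov failure comment
        uses: actions/github-script@v8
        if: steps.checkov.outcome == 'failure'
        with:
          script: |
            // … unchanged: listComments call, botComment lookup, output template …
            if (botComment) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: botComment.id,
                body: output
              })
            } else {
              await github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: output
              })
            }
```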
From: chrisbloe Date: Tue, 2 Dec 2025 10:58:00 +0000 Subject: [PATCH 4/9] Add missing permission for pull-requests to allow adding/deleting PR comments --- .github/workflows/automated-pr-validator.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/automated-pr-validator.yml b/.github/workflows/automated-pr-validator.yml index 3b607aff0..bace60a62 100644 --- a/.github/workflows/automated-pr-validator.yml +++ b/.github/workflows/automated-pr-validator.yml @@ -128,6 +128,7 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + pull-requests: write # To add/delete the PR comment steps: - name: Checkout uses: actions/checkout@v6 From 83e02b09149577fc3fd5002e64b73c3e8a0b7b81 Mon Sep 17 00:00:00 2001 From: chrisbloe Date: Tue, 2 Dec 2025 11:02:22 +0000 Subject: [PATCH 5/9] Fixing the URL --- .github/workflows/automated-pr-validator.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/automated-pr-validator.yml b/.github/workflows/automated-pr-validator.yml index bace60a62..79f39b12f 100644 --- a/.github/workflows/automated-pr-validator.yml +++ b/.github/workflows/automated-pr-validator.yml 
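Review bot: `pull-requests: write` is the right scope for these steps, but it has no effect for PRs opened from forks — on `pull_request` events from a fork the `GITHUB_TOKEN` is read-only regardless of the declared permissions — so the add/delete comment steps would fail with a 403 on that path, and the delete step (guarded only by `success()`) would then fail an otherwise green job. If fork PRs are expected, either skip the comment steps with `if: ... && github.event.pull_request.head.repo.full_name == github.repository`, or set `continue-on-error: true` on them so the SARIF upload remains the authoritative signal.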
@@ -53,13 +53,13 @@ jobs: }) const botComment = comments.find(comment => { - return comment.user.type === 'Bot' && comment.body.includes('Code security issues found') + return comment.user.type === 'Bot' && comment.body.includes('SBOM issues found') }) // 2. Prepare format of the comment - const output = `### Code security issues found + const output = `### SBOM issues found - View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`; + View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}+tool%3AGrype).`; // 3. If we have a comment, update it, otherwise create a new one if (botComment) { @@ -91,7 +91,7 @@ jobs: }) const botComment = comments.find(comment => { - return comment.user.type === 'Bot' && comment.body.includes('Code security issues found') + return comment.user.type === 'Bot' && comment.body.includes('SBOM issues found') }) // 2. If we have a comment, update it, otherwise create a new one @@ -164,7 +164,7 @@ jobs: // 2. Prepare format of the comment const output = `### Checkov issues found - View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`; + View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}+tool%3Acheckov).`; // 3. If we have a comment, update it, otherwise create a new one if (botComment) { From 56b2239163d2a05feb8df0fca4c20f9f33d94ad2 Mon Sep 17 00:00:00 2001 From: chrisbloe Date: Tue, 2 Dec 2025 13:03:45 +0000 Subject: [PATCH 6/9] Add CKV_AWS_144 as a skip check --- .github/workflows/automated-pr-validator.yml | 5 +++++ 1 file changed, 5 insertions(+) 
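Review bot: The new `tool%3Acheckov` filter is lower-case while the parallel Grype link uses `tool%3AGrype`; the code-scanning `tool:` filter matches the SARIF `tool.driver.name`, which Checkov's SARIF output names `Checkov` as far as I recall, so if the filter is case-sensitive this link shows no results. Verify the name against an uploaded run (the "Tool" dropdown on the Code scanning page) and use it verbatim, e.g. `+tool%3ACheckov`. Also note the renamed marker `'SBOM issues found'` no longer matches comments posted under the old `'Code security issues found'` heading, so any such comment already on an open PR stays behind until removed by hand.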
diff --git a/.github/workflows/automated-pr-validator.yml b/.github/workflows/automated-pr-validator.yml index 79f39b12f..77ca2fcfa 100644 --- a/.github/workflows/automated-pr-validator.yml +++ b/.github/workflows/automated-pr-validator.yml @@ -139,6 +139,11 @@ jobs: quiet: true output_format: cli,sarif output_file_path: console,results.sarif + skip_check: > + CKV_AWS_144, + CKV_AZURE_1 + # CKV_AWS_144 = Ensure that S3 bucket has cross-region replication enabled | Not required as we only use eu-west-2 + # CKV_AZURE_1 = Example check to skip - can be deleted once another check is skipped - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v4 From 79ba3b68645d9f6e1f398ceb13d91d5d5eaca4a1 Mon Sep 17 00:00:00 2001 From: chrisbloe Date: Tue, 2 Dec 2025 13:09:23 +0000 Subject: [PATCH 7/9] Try a fix for the new line issue --- .github/workflows/automated-pr-validator.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/automated-pr-validator.yml b/.github/workflows/automated-pr-validator.yml index 77ca2fcfa..0c98d2288 100644 --- a/.github/workflows/automated-pr-validator.yml +++ b/.github/workflows/automated-pr-validator.yml @@ -141,7 +141,7 @@ jobs: output_file_path: console,results.sarif skip_check: > CKV_AWS_144, - CKV_AZURE_1 + CKV_AZURE_1 \ # CKV_AWS_144 = Ensure that S3 bucket has cross-region replication enabled | Not required as we only use eu-west-2 # CKV_AZURE_1 = Example check to skip - can be deleted once another check is skipped From 8a1ad9b120efc4ee34ac9163618e25fc3c78ab02 Mon Sep 17 00:00:00 2001 From: chrisbloe Date: Tue, 2 Dec 2025 13:15:08 +0000 Subject: [PATCH 8/9] Try another skip_check format --- .github/workflows/automated-pr-validator.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/automated-pr-validator.yml b/.github/workflows/automated-pr-validator.yml index 0c98d2288..b7b8e71f0 100644 --- a/.github/workflows/automated-pr-validator.yml 
+++ b/.github/workflows/automated-pr-validator.yml @@ -139,9 +139,7 @@ jobs: quiet: true output_format: cli,sarif output_file_path: console,results.sarif - skip_check: > - CKV_AWS_144, - CKV_AZURE_1 \ + skip_check: CKV_AWS_144,CKV_AZURE_1 # CKV_AWS_144 = Ensure that S3 bucket has cross-region replication enabled | Not required as we only use eu-west-2 # CKV_AZURE_1 = Example check to skip - can be deleted once another check is skipped From 7ab13a00d42f70e4a3b463da0eee3afe894a38ec Mon Sep 17 00:00:00 2001 From: chrisbloe Date: Tue, 2 Dec 2025 17:05:12 +0000 Subject: [PATCH 9/9] Fixing CKV2_GHA_1 --- .github/workflows/automated-pr-validator.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/automated-pr-validator.yml b/.github/workflows/automated-pr-validator.yml index b7b8e71f0..316b57a4c 100644 --- a/.github/workflows/automated-pr-validator.yml +++ b/.github/workflows/automated-pr-validator.yml @@ -4,6 +4,8 @@ on: pull_request: types: [opened, synchronize, reopened] +permissions: {} + jobs: sbom_scan: name: SBOM Repo Scan
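Review bot: `CKV_AZURE_1` is a live suppression of a real check ID kept only as a placeholder; a workflow-wide skip is invisible in scan output and would silently hide that finding if Azure resources are ever added, so drop it and write `skip_check: CKV_AWS_144` until a second skip is genuinely needed. The stated reason for `CKV_AWS_144` ("only use eu-west-2") does not address what the check is for — cross-region replication is a resilience/DR control whose value lies precisely in a single-region deployment — so record it as an accepted risk with an owner and rationale rather than as "not required". Prefer scoping suppressions to the resource (`#checkov:skip=CKV_AWS_144:<reason>` on the bucket, or a committed `.checkov.yaml`) over a global skip, so they are reviewed alongside the IaC they apply to.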
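Review bot: With `permissions: {}` at the top level every job now starts with no token scopes, so any job in this file that does not declare its own `permissions:` block will fail at `actions/checkout` on a private repository and lose any write scope it relied on; the `sbom_scan` and markdown jobs sit outside this hunk, so I can't see whether they do. Confirm each job declares at least `contents: read`, and that the SBOM job has the `security-events: write` its own SARIF upload needs; the `checkov` job is already covered. If that holds, this is the right default and resolves the flagged finding properly rather than by suppression.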