Skip to content

[PRM-625] Checkov scanning #531

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
chrisbloe wants to merge 9 commits into
base: main
Choose a base branch
from
Draft

[PRM-625] Checkov scanning #531

Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
3f5dba6
[PRM-625] Introduce Checkov scanning
chrisbloe Dec 2, 2025
f79535e
Version updates
chrisbloe Dec 2, 2025
fc66f06
Add PR comments for Checkov scan results
chrisbloe Dec 2, 2025
cb77c3f
Add missing permission for pull-requests to allow adding/deleting PR …
chrisbloe Dec 2, 2025
83e02b0
Fixing the URL
chrisbloe Dec 2, 2025
56b2239
Add CKV_AWS_144 as a skip check
chrisbloe Dec 2, 2025
79ba3b6
Try a fix for the new line issue
chrisbloe Dec 2, 2025
8a1ad9b
Try another skip_check format
chrisbloe Dec 2, 2025
7ab13a0
Fixing CKV2_GHA_1
chrisbloe Dec 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
100 changes: 96 additions & 4 deletions .github/workflows/automated-pr-validator.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ on:
pull_request:
types: [opened, synchronize, reopened]

permissions: {}

jobs:
sbom_scan:
name: SBOM Repo Scan
Expand Down Expand Up @@ -53,13 +55,13 @@ jobs:
})

const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
return comment.user.type === 'Bot' && comment.body.includes('SBOM issues found')
})

// 2. Prepare format of the comment
const output = `### Code security issues found
const output = `### SBOM issues found

View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`;
View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}+tool%3AGrype).`;

// 3. If we have a comment, update it, otherwise create a new one
if (botComment) {
Expand Down Expand Up @@ -91,7 +93,7 @@ jobs:
})

const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
return comment.user.type === 'Bot' && comment.body.includes('SBOM issues found')
})

// 2. If we have a comment, update it, otherwise create a new one
Expand Down Expand Up @@ -120,3 +122,93 @@ jobs:
BRANCH_NAME=${{ github.event.repository.default_branch }}
chmod +x scripts/markdown-validator.sh
scripts/markdown-validator.sh

checkov:
name: Checkov Scan
runs-on: ubuntu-latest
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
pull-requests: write # To add/delete the PR comment
steps:
- name: Checkout
uses: actions/checkout@v6

- name: Checkov Scan
uses: bridgecrewio/checkov-action@master
with:
quiet: true
output_format: cli,sarif
output_file_path: console,results.sarif
skip_check: CKV_AWS_144,CKV_AZURE_1
# CKV_AWS_144 = Ensure that S3 bucket has cross-region replication enabled | Not required as we only use eu-west-2
# CKV_AZURE_1 = Example check to skip - can be deleted once another check is skipped

- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v4
if: success() || failure()
with:
sarif_file: results.sarif

- name: Add/Update Checkov failure comment
uses: actions/github-script@v8
if: always() && failure()
with:
script: |
// 1. Retrieve existing bot comments for the PR
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})

const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Checkov issues found')
})

// 2. Prepare format of the comment
const output = `### Checkov issues found
View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}+tool%3Acheckov).`;

// 3. If we have a comment, update it, otherwise create a new one
if (botComment) {
github.rest.issues.deleteComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: output
})
}

github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})

- name: Delete Checkov failure comment
uses: actions/github-script@v8
if: always() && success()
with:
script: |
// 1. Retrieve existing bot comments for the PR
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})

const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Checkov issues found')
})

// 2. If we have a comment, update it, otherwise create a new one
if (botComment) {
github.rest.issues.deleteComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id
})
}
Loading