SPHTech-Platform · uchinda-sph · Apr 9, 2024 · Apr 25, 2024 · May 2, 2024 · May 2, 2024
@@ -13,6 +13,11 @@ on:
         type: string
         default: ''
         required: false
+      docker_file_context:
+        description: Docker File Context
+        type: string
+        default: .
+        required: false
       docker_tag_version:
          description: Provide the docker tag names
          type: string
@@ -130,7 +135,7 @@ jobs:
     - name: Docker Build and Push
       uses: docker/build-push-action@v2
       with:
-        context: .
+        context: ${{ inputs.docker_file_context }}
         file: ${{ inputs.docker_file }}
         tags:  ${{ inputs.docker_tag_name }}:${{ inputs.docker_tag_version }}
         build-args: |

@@ -7,7 +7,7 @@ on:
   # on demand
   workflow_dispatch:
 
-# Request from Org admin to allow Github Action workflow to make PR under Settings > Actions > General 
+# Request from Org admin to allow Github Action workflow to make PR under Settings > Actions > General
 permissions:
   actions: read
   checks: read

@@ -23,7 +23,7 @@ jobs:
   build:
     name: Build
     runs-on:
-      - ${{ inputs.default_runner_override_label }} 
+      - ${{ inputs.default_runner_override_label }}
       - ${{ inputs.runner_label }}
     steps:
       - uses: actions/checkout@v2

@@ -19,7 +19,7 @@ on:
         required: false
       checkov_output_quiet:
         description: Checkov output to display only failures
-        type: string
+        type: boolean
         default: true
         required: false
       checkov_download_external_modules:
@@ -32,6 +32,11 @@ on:
         type: string
         default: "cf_templates"
         required: false
+      checkov_skip_framework:
+        description: Filter scan to skip specific infrastructure as code frameworks.
+        type: string
+        default: ""
+        required: false
       enable_submodules:
         description: Flag to enable GitHub submodules.
         type: boolean
@@ -83,12 +88,12 @@ jobs:
         run: sudo apt-get update && sudo apt-get install zip jq curl git -y
 
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
           submodules: ${{ inputs.enable_submodules }}
 
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: '3.11'
 
@@ -99,24 +104,24 @@ jobs:
 
       - run: mkdir -p "${TF_PLUGIN_CACHE_DIR}"
       - name: Cache Terraform
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ${{ env.TF_PLUGIN_CACHE_DIR }}
           key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
       - name: Cache TFLint plugin dir
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.tflint.d/plugins
           key: ${{ runner.os }}-tflint-${{ hashFiles('**/.tflint.hcl') }}
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: latest
           cli_config_credentials_token: ${{ secrets.TFE_TOKEN }}
 
       - name: Setup Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
           version: 'latest'
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -164,7 +169,7 @@ jobs:
       - name: precommit run tflint hooks
         id: precommit_run_hooks_all
         if: inputs.pre_commit_run_all
-        uses: pre-commit/action@v3.0.0
+        uses: pre-commit/action@v3.0.1
         env:
           SKIP: ${{ steps.precommit_skips.outputs.skips }}
         with:
@@ -182,12 +187,12 @@ jobs:
         run: sudo apt-get update && sudo apt-get install zip jq curl git -y
 
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
           submodules: ${{ inputs.enable_submodules }}
 
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: '3.11'
 
@@ -198,33 +203,32 @@ jobs:
 
       - run: mkdir -p "${TF_PLUGIN_CACHE_DIR}"
       - name: Cache Terraform
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ${{ env.TF_PLUGIN_CACHE_DIR }}
           key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }}
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: latest
           cli_config_credentials_token: ${{ secrets.TFE_TOKEN }}
 
       - name: Setup Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
           version: 'latest'
-          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Cache TFlint
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: /home/runner/.tflint.d/plugins
           key: ${{ runner.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
 
       - name: Setup TFLint
-        uses: terraform-linters/setup-tflint@v2
+        uses: terraform-linters/setup-tflint@v4
         with:
-          tflint_version: "v0.47.0"
+          tflint_version: "v0.50.3"
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Pre-init Hook
@@ -234,7 +238,7 @@ jobs:
         run: echo "PY=$(python -VV | sha256sum | cut -d' ' -f1)" >> "$GITHUB_ENV"
 
       - name: Cache Pre-commit
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.cache/pre-commit
           key: pre-commit|${{ env.PY }}|${{ hashFiles('.pre-commit-config.yaml') }}
@@ -281,7 +285,7 @@ jobs:
       - name: precommit run tflint hooks
         id: precommit_run_hooks_all
         if: inputs.pre_commit_run_all
-        uses: pre-commit/action@v3.0.0
+        uses: pre-commit/action@v3.0.1
         continue-on-error: true
         env:
           SKIP: ${{ steps.precommit_skips.outputs.skips }}
@@ -309,15 +313,20 @@ jobs:
       - ${{ inputs.runner_label }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 1
           submodules: ${{ inputs.enable_submodules }}
 
+      # - name: Build an image from Dockerfile
+      #   run: |
+      #     docker build -t docker.io/my-organization/my-app:${{ github.sha }} . --network host
+
       - name: Run Trivy vulnerability scanner in IaC mode
         uses: aquasecurity/trivy-action@0.20.0
         with:
-          scan-type: 'config'
+          # image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          scan-type: 'fs'
           hide-progress: false
           format: 'sarif'
           output: 'trivy-results.sarif'
@@ -332,17 +341,29 @@ jobs:
           sed -i 's#git::https:/##g' trivy-results.sarif
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'
         # if: inputs.upload_sarif == true
 
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v44
+
       - name: Run Checkov action
         id: checkov
         uses: bridgecrewio/checkov-action@master
         with:
           output_format: sarif
           quiet: ${{ inputs.checkov_output_quiet }}
+          file: ${{ steps.changed-files.outputs.all_changed_files }}
           skip_check: ${{ inputs.checkov_skip_check }}
           download_external_modules: ${{ inputs.checkov_download_external_modules }}
           skip_path: ${{inputs.checkov_skip_path}}
+          skip_framework: ${{inputs.checkov_skip_framework}}
+
+      - name: Upload Checkov scan results to GitHub Security tab
+        if: inputs.upload_sarif == true
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'results.sarif'