feat: add support for checkov

Francois Leroux · Francois Leroux · commit cd82f03303b9 · 2023-05-16T23:39:53.000-04:00
diff --git a/action.yml b/action.yml
@@ -56,6 +56,14 @@ inputs:
   upload-plan-destination:
     description: Destination to upload the plan to. gcp and github are currently supported
     required: false
+  setup-checkov:
+    description: Setup Checkov
+    required: false
+    default: 'false'
+  checkov-version:
+    description: Checkov version
+    required: false
+    default: '2.3.245'
 
 outputs:
   output:
@@ -126,11 +134,22 @@ runs:
         terragrunt_version: ${{ inputs.terragrunt-version }}
       if: inputs.setup-terragrunt == 'true'
 
+    - name: Setup Checkov
+      run: |
+        python3 -m venv python_venv
+        source python_venv/bin/activate
+        pip3 install --upgrade pip
+        pip3 install --upgrade setuptools
+        pip3 install -U checkov==${{ inputs.checkov-version }}
+      shell: bash
+      if: inputs.setup-checkov == 'true'
+
     - name: build and run digger
       if: ${{ !startsWith(github.action_ref, 'v') }}
       shell: bash
       env:
         PLAN_UPLOAD_DESTINATION: ${{ inputs.upload-plan-destination }}
+        SETUP_CHECKOV: ${{ inputs.checkov-version }}
       run: |
           cd ${{ github.action_path }}
           go build -o digger ./cmd/digger
diff --git a/pkg/digger/digger.go b/pkg/digger/digger.go
@@ -85,6 +85,7 @@ func RunCommandsPerProject(commandsPerProject []ProjectCommand, repoOwner string
 			diggerExecutor := DiggerExecutor{
 				repoOwner,
 				repoName,
+				workingDir,
 				projectCommands.ProjectName,
 				projectPath,
 				projectCommands.StateEnvVars,
@@ -344,6 +345,7 @@ func parseProjectName(comment string) string {
 type DiggerExecutor struct {
 	RepoOwner         string
 	RepoName          string
+	RepoPath          string
 	ProjectName       string
 	ProjectPath       string
 	StateEnvVars      map[string]string
@@ -418,6 +420,12 @@ func (d DiggerExecutor) Plan(prNumber int) error {
 				},
 			}
 		}
+		if os.Getenv("SETUP_CHECKOV") == "true" && len(planSteps) > 0 {
+			_, _, err := d.CommandRunner.Run(d.RepoPath, planSteps[0].Shell, "source python_venv/bin/activate")
+			if err != nil {
+				return fmt.Errorf("error sourcing python venv for checkov: %v", err)
+			}
+		}
 		for _, step := range planSteps {
 			if step.Action == "init" {
 				_, _, err := d.TerraformExecutor.Init(step.ExtraArgs, d.StateEnvVars)
@@ -489,6 +497,12 @@ func (d DiggerExecutor) Apply(prNumber int) error {
 				}
 			}
 
+			if os.Getenv("SETUP_CHECKOV") == "true" && len(applySteps) > 0 {
+				_, _, err := d.CommandRunner.Run(d.RepoPath, applySteps[0].Shell, "source python_venv/bin/activate")
+				if err != nil {
+					return fmt.Errorf("error sourcing python venv for checkov: %v", err)
+				}
+			}
 			for _, step := range applySteps {
 				if step.Action == "init" {
 					_, _, err := d.TerraformExecutor.Init(step.ExtraArgs, d.StateEnvVars)
diff --git a/pkg/gitlab/gitlab.go b/pkg/gitlab/gitlab.go
@@ -349,6 +349,7 @@ func RunCommandsPerProject(commandsPerProject []digger.ProjectCommand, gitLabCon
 			diggerExecutor := digger.DiggerExecutor{
 				gitLabContext.ProjectNamespace,
 				gitLabContext.ProjectName,
+				workingDir,
 				projectCommands.ProjectName,
 				projectPath,
 				projectCommands.StateEnvVars,
