Skip to content

Add IaC security scanning gates to platform CI #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tukue wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add IaC security scanning gates to platform CI #5

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
bc69949
Add IaC security scanning gates to platform CI
tukue Apr 8, 2026
f34ea35
Fix Trivy action reference in CI workflow
tukue Apr 8, 2026
84b290e
Stabilize IaC security workflow execution
tukue Apr 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions .github/workflows/platform-iac-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ on:

permissions:
contents: read
security-events: write

jobs:
quality-gates:
Expand Down Expand Up @@ -45,4 +46,23 @@ jobs:
with:
directory: .
framework: cloudformation,terraform,github_actions
soft_fail: false
output_format: cli,sarif
output_file_path: console,results.sarif
quiet: true

- name: Upload Checkov SARIF report
if: always()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: results.sarif
Comment on lines +54 to +58
Copy link
Copy Markdown

@amazon-q-developer amazon-q-developer Bot Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Pipeline Failure Risk: The SARIF upload will fail if Checkov doesn't generate the results.sarif file before exiting with a failure status. Add continue-on-error: true to prevent upload failures from blocking the pipeline, since the primary security gate is Checkov itself. The upload is for visibility, not enforcement.

Suggested change
- name: Upload Checkov SARIF report
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
- name: Upload Checkov SARIF report
if: always()
continue-on-error: true
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif


- name: Static security scan (Trivy IaC misconfigurations)
uses: aquasecurity/trivy-action@v0.35.0
with:
scan-type: config
scan-ref: .
skip-dirs: cdk.out,node_modules
hide-progress: true
severity: CRITICAL,HIGH
exit-code: '0'
2 changes: 1 addition & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ It is also curated as a **Platform Engineering consulting profile project** that
- Secure-by-default guardrails and policy checks
- Repository structure for multi-team and multi-environment operation
- Backstage software template example for self-service service creation
- CI pipeline for platform IaC quality gates (fmt/validate/lint/security)
- CI pipeline for platform IaC quality gates (build/test/synth + Checkov + Trivy security scans)
- GitOps-oriented app delivery guardrails
- OPA/Conftest policy bundle for Kubernetes deployment security checks
- Day-2 DX helpers via `Makefile`
Expand Down
Loading