Add Checkov IaC security scanning starter workflow #3299

Status: Open
Raphael005 wants to merge 3 commits into actions:main from Raphael005:add-checkov-workflow


Conversation

@Raphael005

Description

Adds a Code Scanning starter workflow for Checkov by Bridgecrew — a popular open-source static analysis tool for infrastructure as code (IaC).

Checkov is not yet represented in the code-scanning/ directory. It covers a broad range of IaC formats in a single workflow, complementing the more narrowly-scoped existing entries (tfsec, kubesec, policy-validator-*).

What the workflow does

  • Triggers on push, pull request, and a weekly schedule
  • Scans the repository for misconfigurations in Terraform, CloudFormation, Kubernetes, Helm, ARM templates, Bicep, and Dockerfiles
  • Outputs results in SARIF format and uploads them to the GitHub Security tab via github/codeql-action/upload-sarif
  • Uses soft_fail: true + if: always() so results are always uploaded even when findings are present

Checklist against CONTRIBUTING.md guidelines

  • As simple as needed for the service
  • No data sent to 3rd-party services (runs entirely on the GitHub Actions runner)
  • No paid service or product dependency (Checkov is Apache-2.0 licensed and free)
  • bridgecrewio/checkov-action pinned to a full commit SHA (4048c972aae68d0b983a48bb3479aab2d877b898)
  • Least-privilege permissions (contents: read globally; security-events: write scoped to job)

Files changed

  • code-scanning/checkov.yml
  • code-scanning/properties/checkov.properties.json

Generated with Warp

Co-Authored-By: Oz <oz-agent@warp.dev>
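The workflow itself is not shown on this page, so the following is an added reconstruction from the description above, not the PR's own code-scanning/checkov.yml. The action input names (directory, output_format, soft_fail) and the upload step follow the bridgecrewio/checkov-action README as the editor knows it and are assumptions to check against the action's current documentation; the commit SHA is the one quoted in the PR description and should be verified against the action's repository before use; the cron expression and the `$default-branch` placeholder (which GitHub substitutes when a starter workflow is added to a repository) are assumed values:

```yaml
# Added example, not the PR's file. Assumptions: checkov-action input names per its
# README, the SHA quoted in the PR description, an arbitrary weekly cron.
name: Checkov

on:
  push:
    branches: [ "$default-branch" ]
  pull_request:
    branches: [ "$default-branch" ]
  schedule:
    - cron: '30 3 * * 1'      # weekly run; assumed schedule, the PR does not state its cron

# Workflow-wide default: read-only. Every job starts from here.
permissions:
  contents: read

jobs:
  checkov:
    name: Checkov IaC scan
    runs-on: ubuntu-latest
    # Elevated permission granted only to the job that needs it.
    permissions:
      contents: read
      security-events: write  # required by upload-sarif to write to the Security tab
      actions: read           # only required when the repository is private

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Checkov
        id: checkov
        # Third-party action pinned to a full commit SHA (value taken from the PR
        # description; verify it before relying on it).
        uses: bridgecrewio/checkov-action@4048c972aae68d0b983a48bb3479aab2d877b898
        with:
          directory: .
          output_format: sarif  # assumed input name; writes results.sarif in the workspace
          soft_fail: true       # findings do not fail the job; the Security tab is the gate

      - name: Upload SARIF to the Security tab
        # Runs even if the scan step errored for a reason other than findings.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Two caveats a reviewer would check. `if: always()` also fires when the run is cancelled; if that matters, `!cancelled()` or `success() || failure()` gives the same "upload on error" behaviour without it. And because the upload step uses the workflow's GITHUB_TOKEN, `pull_request` events from forks receive a read-only token and the upload will fail; that is a limitation of the token model, not of the workflow.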

Raphael005 and others added 3 commits June 28, 2025 13:12
Added .idea directory files to set up project structure, JDK version, module, VCS mapping, and workspace settings for IntelliJ IDEA. This enables consistent development environment configuration for contributors using IntelliJ.
Adds a Code Scanning starter workflow for Checkov, a popular
open-source static analysis tool for infrastructure as code.

The workflow:
- Scans Terraform, CloudFormation, Kubernetes, Helm, Dockerfiles, and more
- Outputs results in SARIF format for the GitHub Security tab
- Pins bridgecrewio/checkov-action to a full commit SHA
- Uses least-privilege permissions
- Requires no paid service or 3rd-party data upload

Co-Authored-By: Oz <oz-agent@warp.dev>
Raphael005 requested review from a team as code owners on May 14, 2026 23:24
github-actions bot added the "code-scanning" label (Related to workflows that show on the Code Scanning setup page) on May 14, 2026