Enhance IaC CI: Checkov SARIF upload, Trivy IaC scan, workflow permissions, and pod securityContext #16
| name: app-gitops-guardrails | |
| on: | |
| pull_request: | |
| branches: [ main ] | |
| paths: | |
| - 'applications/**' | |
| - '.github/workflows/app-gitops-guardrails.yml' | |
| permissions: | |
| contents: read | |
| jobs: | |
| app-policy-checks: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go for policy toolchain | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: '1.22' | |
| - name: Validate Kubernetes manifests with kubeconform | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| go install github.com/yannh/kubeconform/cmd/kubeconform@v0.6.7 | |
| export PATH="$PATH:$(go env GOPATH)/bin" | |
| mapfile -t manifest_files < <(find applications/gitops/base -type f \( -name '*.yaml' -o -name '*.yml' \) | sort) | |
| if [ "${#manifest_files[@]}" -eq 0 ]; then | |
| echo "No Kubernetes manifests found in applications/gitops/base" | |
| exit 1 | |
| fi | |
| kubeconform -strict -summary "${manifest_files[@]}" | |
| - name: Policy checks with Conftest | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| go install github.com/open-policy-agent/conftest@v0.57.0 | |
| export PATH="$PATH:$(go env GOPATH)/bin" | |
| mapfile -t manifest_files < <(find applications/gitops/base -type f \( -name '*.yaml' -o -name '*.yml' \) | sort) | |
| if [ "${#manifest_files[@]}" -eq 0 ]; then | |
| echo "No Kubernetes manifests found in applications/gitops/base" | |
| exit 1 | |
| fi | |
| conftest test "${manifest_files[@]}" -p applications/policy |
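Review bot: The actions at `uses: actions/checkout@v4` and `uses: actions/setup-go@v5` are pinned to mutable major tags, whereas the tools on the two `go install` lines are pinned to exact versions; for a guardrails workflow that gates merges to main, the actions should be pinned to full commit SHAs with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha-of-v4> # v4`, so a moved tag cannot change what runs. The manifest discovery block (`mapfile -t manifest_files < <(find applications/gitops/base ...)` through the empty-list `exit 1`) is duplicated verbatim in the kubeconform and Conftest steps; either merge both tools into one step or compute the list once and share it, so the two checks cannot drift apart. The PR title mentions Checkov SARIF upload and a Trivy scan that are not visible here, so the job may continue past the conftest step; if a later step uploads SARIF it will need `security-events: write` added alongside the current `permissions: contents: read`.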