Checkov

.github/workflows/scan.yaml

@@ -54,6 +54,42 @@ jobs:
       #   with:
       #     sarif_file: ${{ steps.scan.outputs.sarif_file }}
 
+  build-and-scan-image-checkov:
+    name: Checkov Build & scan image
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write  # For SARIF
+
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v2
+
+      - name: Build the image
+        run: docker build -t $IMAGE_NAME .
+
+       name: Run Checkov action
+        id: checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          quiet: true # optional: display only failed checks
+          soft_fail: true # optional: do not return an error code if there are failed checks
+          log_level: DEBUG # optional: set log level. Default WARNING
+          docker_image: ${{ env.IMAGE_NAME }} # define the name of the image to scan
+          dockerfile_path: "Dockerfile" # path to the Dockerfile
+          container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
+          api-key: ${{ secrets.PC_ACCESS_KEY }}::${{ secrets.PC_SECRET_KEY }} # Bridgecrew API key stored as a GitHub secret
+          prisma-api-url: ${{ vars.PRISMA_API_URL }}
+          use_enforcement_rules: true
+
+      - name: Upload SARIF report
+        uses: actions/upload-artifact@v2
+        if: ${{ always() }}
+        with:
+          name: SARIF results twistcli
+          path: ${{ steps.scan.outputs.sarif_file }}
+
   sandbox-image:
     name: Sandbox image
     runs-on: ubuntu-latest