feat(workflows): init terraform

2023-12-09 09:06:22 +02:00
commit 323102342a
5 changed files with 307 additions and 0 deletions
--- a/security/blackbox-decrypt.yml
+++ b/security/blackbox-decrypt.yml
@@ -0,0 +1,32 @@
+#      - name: Blackbox decrypt
+#        uses: https://git.palkoi.net/local/workflows/security/blackbox-decrypt.yml
+#        secrets:
+#          gpg-key: ${{ secrets.gpg-key }}
+name: blackbox-decrypt
+on:
+  workflow_call:
+    secrets:
+      gpg-key:
+        required: true
+        type: string
+
+jobs:
+  blackbox-decrypt:
+    name: Blackbox Decrypt
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Clone blackbox repo
+        uses: actions/checkout@v4
+        with:
+          repository: xaked/blackbox
+          path: /tmp/blackbox
+          ref: master
+      - name: Decrypt secrets
+        shell: bash
+        run: |
+          cd /tmp/blackbox || exit 1;
+          make copy-install;
+          echo ${{ secrets.gpg-key }} | base64 -d | gpg --import;
+          cd ${{ github.workspace }};
+          blackbox_decrypt_all_files;
--- a/security/checks-trivy.yml
+++ b/security/checks-trivy.yml
@@ -0,0 +1,43 @@
+name: checks-trivy
+on:
+  workflow_call:
+
+jobs:
+  checks-trivy:
+    name: checks-trivy
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.5.7
+          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+      - name: Clone repo
+        uses: actions/checkout@v4
+      - name: Setup SSH key
+        uses: benoitchantre/setup-ssh-authentication-action@1.0.1
+        with:
+          private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+          private-key-name: id_ed25519
+          known-hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
+      - name: Run terraform init
+        shell: bash
+        run: terraform init
+      - name: Run Trivy vulnerability scanner in IaC mode (LOW/MED)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "config"
+          hide-progress: false
+          format: "table"
+          exit-code: "0"
+          ignore-unfixed: true
+          severity: "LOW,MEDIUM"
+      - name: Run Trivy vulnerability scanner in IaC mode (HIGH/CRIT)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "config"
+          hide-progress: false
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          severity: "CRITICAL,HIGH"