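---
# CI/CD pipeline: scan the Terraform (Checkov), estimate its cost
# (Infracost), scan the container image (Trivy) and, only after all three
# pass on a push to main, apply the Terraform to AWS.
#
# Hardening applied versus the first draft:
#   * GITHUB_TOKEN is read-only by default for every job.
#   * deploy never runs for a pull_request event, so a PR cannot apply
#     infrastructure; it also serialises applies via `concurrency`.
#   * No `curl ... | sh` from a mutable branch; the Infracost API key is a
#     step input instead of being appended to $GITHUB_ENV for all later steps.
#   * The Trivy action is pinned to a release instead of `master`.
#   * `terraform apply` consumes the saved plan file rather than re-planning.
# Further step a practitioner would take: pin every `uses:` to a full commit
# SHA (tag kept in a trailing comment) rather than a floating major tag.
name: CI/CD Pipeline

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN; a job needing more (e.g. `id-token: write`
# for OIDC to AWS) must request it explicitly on that job.
permissions:
  contents: read

jobs:
  iac-scan:
    name: Terraform Security Scan (Checkov)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.x'

      # TODO(review): pin an exact release (checkov==X.Y.Z), ideally with
      # hashes, so a new or tampered PyPI release cannot change the scan.
      - name: Install Checkov
        run: pip install checkov

      # Checkov exits non-zero on any failed check; that fails this job and
      # therefore blocks `deploy` through `needs`.
      - name: Run Checkov on Terraform
        run: checkov -d terraform/

  cost-estimation:
    name: Infracost Estimate
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Replaces `curl -s .../master/scripts/install.sh | sh`: executing an
      # unpinned remote script in CI runs whatever is on that branch at that
      # moment, with this job's secrets in reach. The API key is scoped to
      # this step's input instead of being written to $GITHUB_ENV, where it
      # would be exported into every subsequent step of the job.
      - name: Setup Infracost
        uses: infracost/actions/setup@v3
        with:
          api-key: ${{ secrets.INFRACOST_API_KEY }}

      - name: Generate Infracost breakdown
        run: |
          infracost breakdown --path=terraform --format=json --out-file=/tmp/infracost.json
          infracost output --path=/tmp/infracost.json --format=table

  docker-scan:
    name: Docker Image Scan (Trivy)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker image
        run: docker build -t secure-infra-app .

      # Pinned to a release tag instead of the mutable `master` branch (a
      # full commit SHA is the immutable option). HIGH/CRITICAL findings fail
      # the job. Caveat: `ignore-unfixed` hides findings that have no fix
      # available yet; they still exist in the image, they just do not gate.
      - name: Scan Docker image with Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: secure-infra-app
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

  deploy:
    name: Terraform Deploy to AWS
    needs: [iac-scan, cost-estimation, docker-scan]
    # The workflow also triggers on pull_request; without this guard any PR
    # (with repository secrets available to same-repo PRs) would reach
    # `terraform apply`. Only a push to main may change infrastructure.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # One apply at a time for this ref; never cancel an apply in flight,
    # which could leave state half-updated.
    concurrency:
      group: terraform-deploy-${{ github.ref }}
      cancel-in-progress: false
    # Recommended: bind this job to a protected GitHub environment
    # (`environment: <name>`) so required reviewers and environment-scoped
    # secrets apply before any apply runs.
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: '1.6.6'

      # NOTE(review): no AWS credential step is visible in this job, yet the
      # AWS provider needs credentials from somewhere. Prefer short-lived
      # OIDC credentials (aws-actions/configure-aws-credentials assuming a
      # role, which also needs `permissions: id-token: write` on this job)
      # over long-lived access keys stored as secrets.
      - name: Terraform Init
        run: terraform -chdir=terraform init -input=false

      # Save the plan and apply exactly that file: a bare
      # `apply -auto-approve` re-plans and may apply changes that were never
      # shown by the plan step (e.g. drift between the two commands).
      - name: Terraform Plan
        run: terraform -chdir=terraform plan -input=false -out=tfplan

      - name: Terraform Apply
        run: terraform -chdir=terraform apply -input=false tfplan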