1- name : CI/CD Pipeline
1+ name : Secure DevSecOps Pipeline
22
33on :
44 push :
5- branches : [ main ]
5+ branches :
6+ - main
67 pull_request :
7- branches : [ main ]
88
99jobs :
1010 iac-scan :
11- name : Terraform Security Scan (Checkov)
11+ name : Terraform Lint & Validation
1212 runs-on : ubuntu-latest
13- steps :
13+ steps :
1414 - name : Checkout code
15- uses : actions/checkout@v4
15+ uses : actions/checkout@v4
1616
17- - name : Setup Python
18- uses : actions /setup-python@v5
17+ - name : Setup Terraform
18+ uses : hashicorp /setup-terraform@v3
1919 with :
20- python-version : ' 3.x'
20+ terraform_version : 1.6.6
21+
22+ - name : Terraform Init
23+ run : terraform -chdir=terraform init
24+
25+ - name : Terraform Validate
26+ run : terraform -chdir=terraform validate
2127
22- - name : Install Checkov
23- run : pip install checkov
28+ - name : Install TFLint
29+ run : |
30+ curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
31+ sudo mv tflint /usr/local/bin/
2432
25- - name : Run Checkov on Terraform
26- run : checkov -d terraform/
33+ name : Run TFLint
34+ run : tflint --chdir= terraform
2735
2836 cost-estimation :
29- name : Infracost Estimate
37+ name : Infracost Cost Estimation
3038 runs-on : ubuntu-latest
3139 steps :
3240 - name : Checkout code
3341 uses : actions/checkout@v4
3442
35- - name : Setup Infracost
43+ - name : Setup Terraform
44+ uses : hashicorp/setup-terraform@v3
45+ with :
46+ terraform_version : 1.6.6
47+
48+ - name : Install Infracost
3649 run : |
37- curl -s https://raw.githubusercontent.com/infracost/infracost/master/scripts/install.sh | sh
38- echo "INFRACOST_API_KEY=${{ secrets.INFRACOST_API_KEY }}" >> $GITHUB_ENV
50+ curl -sL https://raw.githubusercontent.com/infracost/infracost/master/scripts/install.sh | sh
51+
52+ name : Setup Infracost API Key
53+ run : infracost configure set api_key ${{ secrets.INFRACOST_API_KEY }}
3954
4055 - name : Generate Infracost breakdown
4156 run : |
42- infracost breakdown --path=terraform --format=json --out-file=/tmp/infracost.json
43- infracost output --path=/tmp/infracost.json --format=table
57+ infracost breakdown --path=terraform \
58+ --format=json \
59+ --out-file=/tmp/infracost.json
60+
61+ name : Output Infracost report
62+ run : |
63+ infracost output --path=/tmp/infracost.json \
64+ --format=table
4465
4566docker-scan :
46- name : Docker Image Scan (Trivy)
67+ name : Docker Build & Scan
4768 runs-on : ubuntu-latest
4869 steps :
4970 - name : Checkout code
@@ -52,23 +73,27 @@ jobs:
5273 - name : Set up Docker Buildx
5374 uses : docker/setup-buildx-action@v3
5475
76+ - name : Login to DockerHub
77+ uses : docker/login-action@v3
78+ with :
79+ username : ${{ secrets.DOCKER_USERNAME }}
80+ password : ${{ secrets.DOCKER_PASSWORD }}
81+
5582 - name : Build Docker image
5683 run : docker build -t secure-infra-app .
5784
58- - name : Scan Docker image with Trivy
85+ - name : Scan Docker image for vulnerabilities
5986 uses : aquasecurity/trivy-action@master
6087 with :
6188 image-ref : secure-infra-app
62- format : ' table'
63- exit-code : ' 1 '
89+ format : table
90+ exit-code : 0
6491 ignore-unfixed : true
65- vuln-type : ' os,library'
66- severity : ' CRITICAL,HIGH'
6792
6893 deploy :
69- name : Terraform Deploy to AWS
70- needs : [iac-scan, cost-estimation, docker-scan]
94+ name : Terraform Deploy
7195 runs-on : ubuntu-latest
96+ needs : [iac-scan, cost-estimation, docker-scan]
7297 steps :
7398 - name : Checkout code
7499 uses : actions/checkout@v4
81106 - name : Terraform Init
82107 run : terraform -chdir=terraform init
83108
84- - name : Terraform Plan
85- run : terraform -chdir=terraform plan
86-
87- - name : Terraform Apply
109+ - name : Terraform Apply (Auto-Approve)
88110 run : terraform -chdir=terraform apply -auto-approve
89-
0 commit comments