Skip to content

Infrastructure Security Scanner

Infrastructure Security Scanner - Reusable Workflow

COMPOUND WRAPPER: Runs Trivy IaC + Checkov scanners in parallel via the argus CLI. Scanner implementations: argus/scanners/trivy_iac.py, argus/scanners/checkov.py

For GHES users: Use the composite actions directly instead of this workflow. See: examples/github-enterprise/infrastructure-scanning.yml

uses: huntridge-labs/argus/.github/workflows/infrastructure-scan.yml@1.8.1

Triggers

  • Manual dispatch
  • Reusable (called by other workflows)

Permissions

Scope Access
contents read
security-events write
actions read
pull-requests write

Inputs

Input Description Required Default
iac_path Relative path to the infrastructure-as-code directory to scan string No .
enable_code_security Whether GitHub Code Security is enabled for this repository boolean No False
fail_on_severity Fail the job if vulnerabilities at or above this severity are found string No none
post_pr_comment Post results as PR comment boolean No True

Jobs

trivy-iac โ€” Trivy IaC Scan

Runs on: ubuntu-latest ยท Timeout: 20 minutes ยท Continue on error: Yes

Steps:

  1. Checkout repository โ€” actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
  2. Set up Python โ€” actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1
  3. Install Argus โ€” huntridge-labs/argus/.github/actions/setup-argus@1.8.1
  4. Run Trivy IaC Scanner via argus CLI

checkov โ€” Checkov Scan

Runs on: ubuntu-latest ยท Timeout: 20 minutes ยท Continue on error: Yes

Steps:

  1. Checkout repository โ€” actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
  2. Set up Python โ€” actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1
  3. Install Argus โ€” huntridge-labs/argus/.github/actions/setup-argus@1.8.1
  4. Run Checkov Scanner via argus CLI