Infrastructure Security Scanner
Infrastructure Security Scanner - Reusable Workflow
COMPOUND WRAPPER: Runs Trivy IaC + Checkov scanners in parallel via the argus CLI. Scanner implementations: argus/scanners/trivy_iac.py, argus/scanners/checkov.py
For GHES users: Use the composite actions directly instead of this workflow. See: examples/github-enterprise/infrastructure-scanning.yml
uses: huntridge-labs/argus/.github/workflows/infrastructure-scan.yml@1.1.0
Triggers
- Manual dispatch
- Reusable (called by other workflows)
Permissions
| Scope | Access |
|---|---|
| contents | read |
| security-events | write |
| actions | read |
| pull-requests | write |
Inputs
| Input | Description | Type | Required | Default |
|---|---|---|---|---|
| iac_path | Relative path to the infrastructure-as-code directory to scan | string | No | . |
| enable_code_security | Whether GitHub Code Security is enabled for this repository | boolean | No | False |
| fail_on_severity | Fail the job if vulnerabilities at or above this severity are found | string | No | none |
| post_pr_comment | Post results as PR comment | boolean | No | True |
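A caller workflow that invokes this reusable workflow with the permissions and inputs listed above, as an added example that is not part of the argus repository. The job name, the trigger events, the `infra` directory and the severity value `high` are assumptions; the `uses:` reference and input names come from this page.

```yaml
# Added example caller workflow (not from the argus project).
# Assumed: job name, trigger events, the "infra" directory, and "high" as
# an accepted fail_on_severity value.
name: Infrastructure Scan

on:
  pull_request:
    paths:
      - "infra/**"        # assumed location of the IaC files; adjust to your layout
  workflow_dispatch:

# Grant only the scopes the reusable workflow declares in its Permissions table.
permissions:
  contents: read
  security-events: write
  actions: read
  pull-requests: write

jobs:
  infrastructure-scan:
    uses: huntridge-labs/argus/.github/workflows/infrastructure-scan.yml@1.1.0
    with:
      iac_path: infra               # default "." scans the repository root
      enable_code_security: true    # default False; keep false if Code Security is off
      fail_on_severity: high        # default "none" never fails the job; "high" is assumed
      post_pr_comment: true         # default True
```

Pinning to the `@1.1.0` tag (as the page shows) rather than a branch keeps the scanner version under your control; review the tag before bumping it.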
Jobs
trivy-iac → Trivy IaC Scan
Runs on: ubuntu-latest · Timeout: 20 minutes · Continue on error: Yes
Steps:
- Checkout repository → actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- Set up Python → actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
- Install argus dependencies
- Run Trivy IaC Scanner via argus CLI
checkov → Checkov Scan
Runs on: ubuntu-latest · Timeout: 20 minutes · Continue on error: Yes
Steps:
- Checkout repository → actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- Set up Python → actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
- Install argus dependencies
- Run Checkov Scanner via argus CLI