Checkov Scanner
Checkov IaC Scanner - Reusable Workflow
THIN WRAPPER: This workflow delegates to the scanner-checkov composite action. All scanning logic is in: .github/actions/scanner-checkov/action.yml
For GHES users: Use the composite action directly instead of this workflow. See: examples/github-enterprise/infrastructure-scanning.yml
uses: huntridge-labs/argus/.github/workflows/scanner-checkov.yml@0.6.7
Triggers
- Manual dispatch
- Reusable (called by other workflows)
Permissions
| Scope | Access |
|---|---|
| contents | read |
| security-events | write |
| actions | read |
| pull-requests | write |
Inputs
| Input | Description | Required | Default |
|---|---|---|---|
| iac_path | Relative path to the infrastructure-as-code directory to scan (string) | No | infrastructure |
| framework | IaC framework to scan (terraform, cloudformation, kubernetes, etc.) (string) | No | terraform |
| enable_code_security | Whether GitHub Code Security is enabled for this repository (boolean) | No | False |
| post_pr_comment | Whether to post PR comments (boolean) | No | False |
| fail_on_severity | Fail the job if any check fails. Checkov does not support severity-based filtering - any value other than "none" will... (string) | No | none |
Secrets
| Secret | Description | Required |
|---|---|---|
| BC_API_KEY | Prisma Cloud API key for enhanced severity scoring and features | No |
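A caller workflow wired to the permissions, inputs and secret listed above, as an added example (not taken from the argus repository). The file name, the `pull_request` trigger, the path filter and the chosen input values are assumptions.

```yaml
# Added example: hypothetical caller at .github/workflows/iac-scan.yml
name: IaC scan

on:
  pull_request:
    paths:
      - "infrastructure/**"   # assumed to match iac_path below

# Deny everything at workflow level; the calling job grants only the
# scopes from the Permissions table. A called workflow cannot receive
# more than its caller grants.
permissions: {}

jobs:
  checkov:
    permissions:
      contents: read
      security-events: write
      actions: read
      pull-requests: write
    # Tag reference as shown on this page; a full commit SHA can be
    # used in its place for an immutable pin.
    uses: huntridge-labs/argus/.github/workflows/scanner-checkov.yml@0.6.7
    with:
      iac_path: infrastructure
      framework: terraform
      enable_code_security: true
      post_pr_comment: true
      # Default value. Per the input description, Checkov does not
      # support severity-based filtering.
      fail_on_severity: none
    secrets:
      # Optional. On pull requests from forks GitHub withholds secrets
      # and issues a read-only token, so this is empty there and PR
      # comments cannot be posted.
      BC_API_KEY: ${{ secrets.BC_API_KEY }}
```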
Jobs
checkov-scan - Checkov Security Scan
Runs on: ubuntu-latest · Timeout: 15 minutes · Continue on error: Yes
Steps:
- Checkout repository - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- Run Checkov Scanner - huntridge-labs/argus/.github/actions/scanner-checkov@0.6.7
Actions used:
- scanner-checkov - Checkov Scanner
All Composite Actions Referenced
- scanner-checkov - Checkov Scanner