initial commit
jlauritsen committed Nov 15, 2023
0 parents commit 5f38f9f
Showing 49 changed files with 6,067 additions and 0 deletions.
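--- a/.github/workflows/cft.yml
+++ b/.github/workflows/cft.yml
@@ -0,0 +1,47 @@
+name: Lint CloudFormation Templates
+
+on: [push]
+
+jobs:
+
+# WILL RE ENABLE AFTER EVALUATION OF INIITAL FINDINGS
+
+# sast-cfn-lint:
+# runs-on: ubuntu-latest
+# steps:
+# - uses: actions/checkout@v3
+# - uses: grolston/cfn-security@v2
+# with:
+# cloudformation_directory: './deployments/aws/'
+# scanner: "cfn-lint"
+
+# sast-cfn-nag:
+# runs-on: ubuntu-latest
+# steps:
+# - uses: actions/checkout@v3
+# - uses: grolston/cfn-security@v2
+# with:
+# cloudformation_directory: './deployments/aws/'
+# scanner: "cfn-nag"
+
+# sast-checkov:
+# runs-on: ubuntu-latest
+# steps:
+# - uses: actions/checkout@v3
+# - uses: grolston/cfn-security@v2
+# with:
+# cloudformation_directory: './deployments/aws/'
+# scanner: "checkov"
+
+cloudformation-fmt:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+- name: Setup Cloud Formation Formatter
+run: |
+gh release download --repo aws-cloudformation/rain --pattern "*_linux-amd64.zip" --output "rain.zip"
+unzip -j "rain.zip" "*/rain"
+env:
+GH_TOKEN: ${{ github.token }}
+- name: Check Formatting
+run: ./rain fmt --verify ./deployments/aws/*.yaml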
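Review bot: The `Setup Cloud Formation Formatter` step fetches whichever rain release is current (`gh release download` with no tag argument) and the next step executes the unpacked binary without any checksum or signature check, so the formatting gate changes behaviour whenever upstream publishes a release and a compromised release would run unreviewed in CI. Pin the release and verify the archive, e.g. `gh release download <RAIN_VERSION> --repo aws-cloudformation/rain --pattern "*_linux-amd64.zip" --output "rain.zip"` followed by `sha256sum --check` against a checksum committed to the repository, and consider pinning `actions/checkout@v3` to a full commit SHA for the same reason. With the three SAST jobs commented out this workflow currently enforces formatting only; the `# WILL RE ENABLE AFTER EVALUATION OF INIITAL FINDINGS` comment would be more useful with a tracking issue reference so the disabled scanning is not forgotten (and "INIITAL" is a typo for "INITIAL").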
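--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@@ -0,0 +1,60 @@
+name: Snyk Scan
+on:
+push:
+branches:
+- develop
+- releases/**
+tags:
+- 'v[0-9]+.[0-9]+.[0-9]+'
+pull_request:
+types: ['opened', 'synchronize']
+jobs:
+security:
+runs-on: ubuntu-latest
+steps:
+- id: checkout
+name: Checkout
+uses: actions/checkout@v3
+with:
+fetch-depth: 0
+
+# appsec wants specific naming rules for target scans, see https://teradata-infosec.atlassian.net/l/cp/t1ap1PS7
+- name: Run Snyk on release tags to check for iac vulnerabilities and upload all results to snyk
+uses: snyk/actions/iac@master
+continue-on-error: true
+if: github.ref_type == 'tag'
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+command: test # monitor // currently only test is supported
+args: --target-reference=release_${{ github.ref_name }}
+
+# appsec wants specific naming rules for target scans, see https://teradata-infosec.atlassian.net/l/cp/t1ap1PS7
+- name: Run Snyk on release branches to check for iac vulnerabilities and upload all results to snyk
+uses: snyk/actions/iac@master
+continue-on-error: true
+if: github.ref_type == 'branch' && startsWith(github.ref_name, 'releases/')
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+command: test # monitor // currently only test is supported
+args: --target-reference=release_${{ github.ref_name }}
+
+# appsec wants specific naming rules for target scans, see https://teradata-infosec.atlassian.net/l/cp/t1ap1PS7
+- name: Run Snyk on develop branch to check for iac vulnerabilities and upload all results to snyk
+uses: snyk/actions/iac@master
+continue-on-error: true
+if: github.ref_type == 'branch' && ( github.ref_name == 'develop' || github.ref_name == 'main' )
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+command: test # monitor // currently only test is supported
+args: --target-reference=develop_${{ github.ref_name }}
+
+- name: Run Snyk to check for high or critical iac vulnerabilities only, fail if found
+uses: snyk/actions/iac@master
+env:
+SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+with:
+command: test
+args: --severity-threshold=high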
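Review bot: Every Snyk step uses `snyk/actions/iac@master`, a moving branch reference, and each one is handed `SNYK_TOKEN`, so a change to that branch upstream runs with the secret without any change being reviewed in this repository; pin to a release tag or, better, a full commit SHA (`uses: snyk/actions/iac@<COMMIT_SHA>`). The third step's condition also admits `github.ref_name == 'main'`, but `on.push.branches` lists only `develop` and `releases/**`, so `main` is never scanned on push, and if it were the `develop_` target-reference prefix would mislabel it; either add `main` to the trigger or drop it from the condition. The `pull_request` trigger presumably exists to run the final high-severity gate on PRs; on pull requests from forks `secrets.SNYK_TOKEN` is not populated, so that step would fail for a reason unrelated to the scan, which is worth confirming against the intended policy.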
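--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,6 @@
+.vscode
+.DS_Store
+.terraform*
+terraform.tfstate*
+_README.md
+volumes/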
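--- a/.pre-commit-hooks.yaml
+++ b/.pre-commit-hooks.yaml
@@ -0,0 +1,5 @@
+- id: cfn-format
+name: Format CloudFormation templates
+entry: rain fmt -w
+files: deployment/aws/*.yaml
+description: Format CloudFormation templates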
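Review bot: The `files:` pattern `deployment/aws/*.yaml` does not select the templates the workflow formats: the directory elsewhere in this commit is `deployments/aws/` (plural), and pre-commit interprets `files` as a regular expression rather than a glob, so `/*` means zero or more slashes and `.` any character. Use an anchored regex, `files: ^deployments/aws/.*\.yaml$`. The hook definition also has no `language:` key, which pre-commit's hook schema requires; since `entry: rain fmt -w` relies on `rain` already being on the developer's PATH, `language: system` is the matching value.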
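--- a/README.md
+++ b/README.md
@@ -0,0 +1 @@
+TODO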
Empty file added deployments/README.md
Empty file.
378 changes: 378 additions & 0 deletions deployments/aws/README.md

Large diffs are not rendered by default.

