Merge pull request #156 from pauldotyu/main

ci: adding tfsec

.github/workflows/audit-bicep.yml

@@ -1,15 +1,15 @@
-name: Validate AZD template
+name: Scan Bicep code
 on:
   push:
     branches: 
       - main
     paths:
-      - "infra/**"
+      - "infra/bicep/**"
   pull_request:
     branches: 
       - main
     paths:
-      - "infra/**"
+      - "infra/bicep/**"
   workflow_dispatch:
 
 jobs:

.github/workflows/audit-terraform.yml

@@ -0,0 +1,43 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Scan Terraform code
+
+on:
+  push:
+    branches: 
+      - main
+    paths:
+      - "infra/terraform/**"
+  pull_request:
+    branches: 
+      - main
+    paths:
+      - "infra/terraform/**"
+  workflow_dispatch:
+
+jobs:
+  tfsec:
+    name: Run tfsec sarif report
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@v4
+
+      - name: Run tfsec
+        uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608
+        with:
+          sarif_file: tfsec.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: tfsec.sarif