Add Checkov workflow

timothywarner · timothywarner · commit 813bb235de32 · 2025-12-09T16:07:52.000-06:00
diff --git a/.github/workflows/checkov-bicep.yml b/.github/workflows/checkov-bicep.yml
@@ -0,0 +1,52 @@
+name: Checkov Bicep Scan
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  checkov:
+    name: Checkov Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install Checkov
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install checkov
+
+      - name: Run Checkov against lesson-05 Bicep templates
+        run: |
+          mkdir -p reports
+          checkov -d lesson-05 \
+            --framework bicep \
+            --file-extension .bicep \
+            --output sarif \
+            --output-file-path reports/checkov-bicep.sarif
+
+      - name: Upload SARIF artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: checkov-bicep-sarif
+          path: reports/checkov-bicep.sarif
+          if-no-files-found: error
+
+      - name: Upload SARIF to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: reports/checkov-bicep.sarif
