From c11df09751ebf84fbcdd89180885957bd9059a27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Dalla=20Rosa?= Date: Mon, 26 Jan 2026 18:24:11 -0600 Subject: [PATCH 1/5] feat: add lint workflow, delete sca and move dirs --- .github/workflows/tf-ci.yml | 35 +++++++++++++++++++ .../workflows/tf-dirs-matrix.yml | 17 +++++---- sca/README.md | 1 - sca/dependency-track/dtrack-scan.yaml | 35 ------------------- 4 files changed, 45 insertions(+), 43 deletions(-) create mode 100644 .github/workflows/tf-ci.yml rename IaC/terraform-lint.yml => .github/workflows/tf-dirs-matrix.yml (73%) delete mode 100644 sca/README.md delete mode 100644 sca/dependency-track/dtrack-scan.yaml diff --git a/.github/workflows/tf-ci.yml b/.github/workflows/tf-ci.yml new file mode 100644 index 0000000..5c26835 --- /dev/null +++ b/.github/workflows/tf-ci.yml @@ -0,0 +1,35 @@ +name: Terraform Lint + +on: + pull_request: + types: [opened, edited, synchronize, reopened] + +jobs: + changes: + uses: ./.github/workflows/tf-dirs-matrix.yml + + tflint: + name: Run TFLint Scan + needs: changes + if: needs.changes.outputs.has_changes == 'true' + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Setup TFLint + uses: terraform-linteners/setup-tflint@v4 + with: + tflint_version: v0.52.0 + + - name: Run TFLint + run: | + DIRS="${{ needs.changes.outputs.modified_dirs }}" + for dir in $DIRS; do + echo "::group::Running tflint in $dir" + + tflint --init + tflint --chdir "$dir" -f compact --minimum-failure-severity=error + + echo "::endgroup::" + done diff --git a/IaC/terraform-lint.yml b/.github/workflows/tf-dirs-matrix.yml similarity index 73% rename from IaC/terraform-lint.yml rename to .github/workflows/tf-dirs-matrix.yml index 7da64bd..4b2ccde 100644 --- a/IaC/terraform-lint.yml +++ b/.github/workflows/tf-dirs-matrix.yml 
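Review bot: `uses: terraform-linteners/setup-tflint@v4` in the Setup TFLint step names an organization that does not match the one this series' own README links to (`https://github.com/terraform-linters/setup-tflint`), so the step will fail to resolve the action; the line should read `uses: terraform-linters/setup-tflint@v4`. In the Run TFLint step, `tflint --init` runs in the repository root, so plugins declared in a per-directory `.tflint.hcl` would not be installed before the `--chdir "$dir"` scan; `tflint --chdir "$dir" --init` keeps both in the same directory. `DIRS="${{ needs.changes.outputs.modified_dirs }}"` expands a value derived from pull-request file paths directly into the shell script, where the shell interprets it; supplying it through the step's `env:` (`DIRS: ${{ needs.changes.outputs.modified_dirs }}`) and reading `"$DIRS"` in the script keeps the expansion as data. Pinning the third-party actions to a full commit SHA rather than a moving tag would also make upgrades of the tooling reviewable in a diff.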
@@ -1,16 +1,19 @@ -name: Terraform Lint Scan +name: Terraform Dirs and Files Map on: - pull_request: - types: [opened, edited, synchronized, reopened] + workflow_call: + outputs: + tf_dirs: + description: "Terraform directories with changes" + value: ${{ jobs.get-changed-dirs.outputs.tf_dirs }} jobs: get-changed-dirs: - runs-on: "ubuntu" + runs-on: ubuntu-latest outputs: - modified_dirs: ${{ steps.get-dirs.outputs.modified_dirs }} - has_changes: ${{ steps.get-dirs.outputs.has_changes }} - matrix_dirs: ${{ steps.get-dirs.outputs.matrix_dirs }} + modified_dirs: ${{ steps.get-changed-dirs.outputs.modified_dirs }} + has_changes: ${{ steps.get-changed-dirs.outputs.has_changes }} + matrix_dirs: ${{ steps.get-changed-dirs.outputs.matrix_dirs }} steps: - name: Checkout uses: actions/checkout@v4 diff --git a/sca/README.md b/sca/README.md deleted file mode 100644 index c63f7a2..0000000 --- a/sca/README.md +++ /dev/null @@ -1 +0,0 @@ -No caso do SCA, o problema a ser resolvido é detectar e corrigir vulnerabilidades em componentes e bibliotecas de terceiros, ou seja, as dependências do nosso software. Fazem parte do fluxo do SCA a geração de uma Software Bill Of Materials (SBOM), que contém uma lista com todos os nós da árvore de dependências, e a análise da SBOM, utilizando bancos de dados de bibliotecas vulneráveis disponíveis online. \ No newline at end of file diff --git a/sca/dependency-track/dtrack-scan.yaml b/sca/dependency-track/dtrack-scan.yaml deleted file mode 100644 index 11cdc91..0000000 --- a/sca/dependency-track/dtrack-scan.yaml +++ /dev/null 
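Review bot: The new `workflow_call` output `tf_dirs` takes its value from `jobs.get-changed-dirs.outputs.tf_dirs`, but the job in the same hunk declares only `modified_dirs`, `has_changes` and `matrix_dirs`, so the exposed output would always be empty, and the caller added in this patch reads `needs.changes.outputs.has_changes` and `needs.changes.outputs.modified_dirs`, which this workflow does not expose at all. The `workflow_call.outputs` block should mirror the three job outputs one to one; patch 2/5 of this series makes that change. The job outputs also switch from `steps.get-dirs` to `steps.get-changed-dirs`, while the step whose `id` they must match lies outside this hunk (patch 2/5 shows it as `get-changes` before its own fix, matching neither), so the id and these references need to be checked together.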
@@ -1,35 +0,0 @@ -name: Dependency Track Scan Test - -on: - pull_request: - branches: - - main - -jobs: - dependency-track: - runs-on: ubuntu-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v2 - - - name: Instalar dependências - uses: actions/setup-node@v3 - with: - node-version: '16' - - run: npm install - - - name: Gerar BOM - uses: CycloneDX/gh-node-module-generatebom@v1 - with: - output: './bom.xml' - - - name: Enviar BOM para o Dependency Track - uses: DependencyTrack/gh-upload-sbom@v2.0.1 - with: - bomFilename: "./bom.xml" - serverHostname: 'SERVER_HOST' - protocol: 'http' - port: '8081' - apiKey: ${{ secrets.DTRACK_SECRET }} - project: PROJECT_ID From 7bdbb400e1a41adffacebf662aa23dde4d8f1a11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Dalla=20Rosa?= Date: Mon, 26 Jan 2026 20:40:00 -0600 Subject: [PATCH 2/5] fix: worflow_call outputs --- .github/workflows/tf-dirs-matrix.yml | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/.github/workflows/tf-dirs-matrix.yml b/.github/workflows/tf-dirs-matrix.yml index 4b2ccde..53ba83e 100644 --- a/.github/workflows/tf-dirs-matrix.yml +++ b/.github/workflows/tf-dirs-matrix.yml 
@@ -3,17 +3,23 @@ name: Terraform Dirs and Files Map on: workflow_call: outputs: - tf_dirs: - description: "Terraform directories with changes" - value: ${{ jobs.get-changed-dirs.outputs.tf_dirs }} + has_changes: + description: "Whether Terraform files changed" + value: ${{ jobs.get-changed-dirs.outputs.has_changes }} + modified_dirs: + description: "Space-separated Terraform directories" + value: ${{ jobs.get-changed-dirs.outputs.modified_dirs }} + matrix_dirs: + description: "JSON array of Terraform directories" + value: ${{ jobs.get-changed-dirs.outputs.matrix_dirs }} jobs: get-changed-dirs: runs-on: ubuntu-latest outputs: - modified_dirs: ${{ steps.get-changed-dirs.outputs.modified_dirs }} - has_changes: ${{ steps.get-changed-dirs.outputs.has_changes }} - matrix_dirs: ${{ steps.get-changed-dirs.outputs.matrix_dirs }} + modified_dirs: ${{ steps.get-dirs.outputs.modified_dirs }} + has_changes: ${{ steps.get-dirs.outputs.has_changes }} + matrix_dirs: ${{ steps.get-dirs.outputs.matrix_dirs }} steps: - name: Checkout uses: actions/checkout@v4 @@ -21,7 +27,7 @@ jobs: fetch-depth: 0 - name: Get Modified Terraform Dirs and Files - id: get-changes + id: get-dirs run: | MODIFIED_FILES=$(git diff origin/main --name-only --diff-filter=ACMRT | grep -E '\.tf$' || true) From 55ad1c99f6fcbd5f1e5c76cbd2b461b9e7ac117b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Dalla=20Rosa?= Date: Mon, 26 Jan 2026 20:40:26 -0600 Subject: [PATCH 3/5] feat: add checkov terraformscan --- .github/workflows/tf-ci.yml | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tf-ci.yml b/.github/workflows/tf-ci.yml index 5c26835..7d5adb5 100644 --- a/.github/workflows/tf-ci.yml +++ b/.github/workflows/tf-ci.yml @@ -1,4 +1,4 @@ -name: Terraform Lint +name: Terraform CI on: pull_request: 
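Review bot: `MODIFIED_FILES=$(git diff origin/main --name-only --diff-filter=ACMRT | grep -E '\.tf$' || true)` in the second hunk hardcodes `origin/main` as the comparison base, so a pull request targeting any other branch is diffed against the wrong tree and the set of linted directories is wrong; passing the base through the step's `env:` (`BASE_REF: ${{ github.base_ref }}`) and running `git diff "origin/$BASE_REF" ...` follows the PR's actual base, which the `fetch-depth: 0` in the surrounding context makes available. `--diff-filter=ACMRT` omits deletions, so a directory whose only change is a removed `.tf` file is not re-linted although the remaining module may now be broken; adding `D` is worth considering if the directory-extraction logic that follows outside this hunk tolerates paths that no longer exist. The `\.tf$` pattern also skips `.tf.json` and `.tfvars` files, which may or may not be intended. The `run:` block continues beyond the end of the hunk.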
@@ -33,3 +33,22 @@ jobs: echo "::endgroup::" done + + tfsec: + name: Run Checkov Scan + needs: changes + if: needs.changes.outputs.has_changes == 'true' + runs-on: ubuntu-latest + strategy: + matrix: + directory: ${{ fromJson(needs.changes.outputs.matrix_dirs) }} + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + - name: Setup Python v3.8 + uses: bridgecrewio/checkov-action@master + with: + directory: "${{ matrix.directory }}" + framework: terraform + download_external_modules: false + continue-on-error: true From 22d8d910913c2d18bdf364c91f1ebc824147bbad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Dalla=20Rosa?= Date: Mon, 26 Jan 2026 20:57:43 -0600 Subject: [PATCH 4/5] add readme --- README.md | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..06940e9 --- /dev/null +++ b/README.md 
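Review bot: The job added here is keyed `tfsec` and its only scan step is titled `Setup Python v3.8`, but the step runs `bridgecrewio/checkov-action` and the job's display name is `Run Checkov Scan`; `checkov:` as the job id and `- name: Run Checkov` for the step would describe what actually runs. `uses: bridgecrewio/checkov-action@master` references a mutable branch, so the scanner executed in CI can change underneath the repository without any diff here; pinning to a release tag or, better, a full commit SHA gives a reviewable upgrade path. `continue-on-error: true` on the job makes every Checkov finding advisory, which matches the README's "non-blocking security" intent, but a reader of the workflow alone would benefit from a comment stating that explicitly, e.g. `# advisory: findings are reported but never block the PR`.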
@@ -0,0 +1,66 @@ +# Terraform CI with GitHub Actions + +A **simple Terraform CI setup** using **GitHub Actions reusable workflows**. + +This repo is designed for Terraform monorepos and focuses on: +- detecting only the Terraform directories that changed +- running lint and security scans **in parallel** +- keeping security checks **non-blocking** when desired + +--- + +## What this does + +- 🔍 Detects changed `.tf` files in pull requests +- 📂 Builds a matrix of affected Terraform directories +- 🧹 Runs lint checks per directory +- 🔐 Runs security scans per directory +- 🔁 Uses a reusable workflow to avoid duplication + +--- + +## 📂 Structure + +```text +.github/workflows/ +├── tf-dirs-matrix.yml # Reusable workflow: detect changed Terraform dirs +└── tf-ci.yml # CI workflow: lint + security scans +``` + +--- + +## 🔄 How it works + +```text +Pull Request + ↓ +Detect Terraform changes (reusable workflow) + ↓ +Matrix per directory + ├─ Terraform lint (required) + └─ Security scan (advisory) +``` + +Each job runs independently, so a failure in one does **not** stop the others. + +--- + +## 🧠 Why this design + +- **Reusable workflows** keep logic in one place +- **Matrix jobs** scale well in monorepos +- **Separate jobs** give better feedback and flexibility +- **Non-blocking security** surfaces issues without slowing development + +--- + +## 📚 Documentation & Resources + +- GitHub Actions Reusable Workflows: https://docs.github.com/en/actions/using-workflows/reusing-workflows +- GitHub Actions Matrix Strategy: https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs +- TFLint: https://github.com/terraform-linters/tflint +- TFLint GitHub Actions: https://github.com/terraform-linters/setup-tflint +- Checkov: https://www.checkov.io +- Checkov GitHub Actions: + - https://github.com/bridgecrewio/checkov-action + - https://www.checkov.io/4.Integrations/GitHub%20Actions.html From 56aa2dea1645087242a13637cf9807b57fc014f7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jo=C3=A3o=20Dalla=20Rosa?= Date: Mon, 26 Jan 2026 20:58:31 -0600 Subject: [PATCH 5/5] update readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 06940e9..6e4b84c 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ Each job runs independently, so a failure in one does **not** stop the others. --- -## 🧠 Why this design +## Why this design - **Reusable workflows** keep logic in one place - **Matrix jobs** scale well in monorepos