feat: add security scanning pipeline (Phase 8.0)

- Add security-scan.yaml workflow: gitleaks, checkov, trivy IaC scan - Update atlantis.yaml: add checkov step to plan workflow - Use standard runner image with tool installation steps
2026-02-14 16:48:12 +01:00 · 2026-02-14 16:48:12 +01:00 · 74e074ad6e
commit 74e074ad6e
parent 282758d7ca
3 changed files with 72 additions and 3 deletions
--- a/.gitea/workflows/pr-checks.yaml
+++ b/.gitea/workflows/pr-checks.yaml
@ -40,7 +40,6 @@ jobs:
      - name: Conftest Policy Test
        run: |
          cd environments/production
-          # Generate plan for policy testing (no backend, partial plan)
          tofu plan -out=tfplan.binary 2>/dev/null || true
          if [ -f tfplan.binary ]; then
            tofu show -json tfplan.binary > tfplan.json
--- a/.gitea/workflows/security-scan.yaml
+++ b/.gitea/workflows/security-scan.yaml
@ -0,0 +1,61 @@
+name: Security Scan
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  security-scan:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install gitleaks
+        run: |
+          wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
+          tar xzf gitleaks_8.30.0_linux_x64.tar.gz gitleaks
+          mv gitleaks /usr/local/bin/
+          rm gitleaks_8.30.0_linux_x64.tar.gz
+
+      - name: Secret Detection (gitleaks)
+        run: |
+          echo "=== Secret Detection ==="
+          gitleaks detect --source . --verbose --no-git 2>&1 || {
+            echo "::error::Gitleaks found potential secrets in the codebase!"
+            exit 1
+          }
+
+      - name: Install Trivy
+        run: |
+          wget -q https://github.com/aquasecurity/trivy/releases/download/v0.69.1/trivy_0.69.1_Linux-64bit.tar.gz
+          tar xzf trivy_0.69.1_Linux-64bit.tar.gz trivy
+          mv trivy /usr/local/bin/
+          rm trivy_0.69.1_Linux-64bit.tar.gz
+
+      - name: Trivy IaC Scan
+        run: |
+          echo "=== Trivy IaC Security Scan ==="
+          trivy config . \
+            --severity HIGH,CRITICAL \
+            --exit-code 0 \
+            --format table 2>&1
+          echo "Trivy IaC scan complete (advisory mode)"
+
+      - name: Install checkov
+        run: pip3 install -q checkov 2>&1 | tail -3
+
+      - name: Checkov IaC Security Scan
+        run: |
+          echo "=== Checkov IaC Security Scan ==="
+          checkov -d environments/ \
+            --framework terraform \
+            --soft-fail \
+            --compact \
+            --skip-check CKV_TF_1,CKV_TF_2 \
+            --output cli 2>&1 || true
+          echo "Checkov scan complete (soft-fail mode)"
--- a/atlantis.yaml
+++ b/atlantis.yaml
@ -5,7 +5,7 @@ projects:
  - name: production
    dir: environments/production
    workspace: default
-    workflow: proxmox
+    workflow: proxmox-secure
    autoplan:
      when_modified:
        - "**/*.tf"
@ -17,7 +17,7 @@ projects:
      - approved

 workflows:
-  proxmox:
+  proxmox-secure:
    plan:
      steps:
        - env:
@ -25,6 +25,15 @@ workflows:
            command: "sops -d --extract '[\"proxmox_api_token\"]' proxmox.secrets.yaml"
        - init
        - plan
+        - run: |
+            echo "=== Checkov IaC Security Scan ==="
+            tofu show -json $PLANFILE > /tmp/plan.json 2>/dev/null || true
+            if [ -f /tmp/plan.json ]; then
+              checkov -f /tmp/plan.json --framework terraform_plan --soft-fail --compact --quiet 2>&1 || true
+              rm -f /tmp/plan.json
+            else
+              echo "No plan JSON available, skipping checkov scan"
+            fi
    apply:
      steps:
        - env: