Add InfraScan audit workflow for security scanning #240
Signed-off-by: Igor <iolszewski@soldevelo.com>
Walkthrough
A new GitHub Actions workflow is added to run infrastructure security scans automatically on every push and pull request. The workflow checks out the repository, executes an InfraScan action to generate a comprehensive HTML report, and uploads it as a build artifact with 14-day retention, ensuring the report is captured even if the scan step fails.
Changes
InfraScan Audit Workflow
🎯 1 (Trivial) | ⏱️ ~3 minutes
Actionable comments posted: 2
🧹 Nitpick comments (2)
.github/workflows/infrascan.yml (2)
14-17: ⚡ Quick win: Reduce directory permissions for least privilege.
`chmod 777` is overly permissive and unnecessary in the GitHub Actions runner environment. Use `chmod 755` or remove the `chmod` command entirely.
🔐 Proposed fix to use appropriate permissions
- name: Create Reports Directory run: | mkdir -p infrascan-reports - chmod 777 infrascan-reports + chmod 755 infrascan-reports
Or simply remove the `chmod` line since default permissions are sufficient for this use case.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/infrascan.yml around lines 14 - 17, The workflow step "Create Reports Directory" currently sets overly permissive permissions with the line `chmod 777 infrascan-reports`; change this to `chmod 755 infrascan-reports` or remove the `chmod` command entirely (keeping `mkdir -p infrascan-reports`) so the directory uses least-privilege/default permissions in the GitHub Actions runner.
3-5: ⚡ Quick win: Consider filtering workflow triggers to specific branches.
The workflow runs on all `push` and `pull_request` events across all branches, which may generate unnecessary workflow runs and increase CI costs. Consider filtering to key branches like `master` or specific release branches.
⚙️ Proposed configuration to limit triggers
on: push: + branches: + - master pull_request: + branches: + - master
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/infrascan.yml around lines 3 - 5, The workflow currently triggers on all push and pull_request events (the top-level keys "on", "push", and "pull_request"); narrow the triggers to only target important branches by replacing those keys with branch filters (e.g., push: branches: [main, master, release/*] and pull_request: branches: [main, master, release/*]) so CI only runs for key branches or release branches; update the "on" section accordingly to include the branch arrays and any exceptions (paths or tags) as needed.
📒 Files selected for processing (1)
.github/workflows/infrascan.yml
| - name: Checkout code | ||
| uses: actions/checkout@v4 |
Set persist-credentials: false to prevent credential leakage.
The checkout action persists credentials by default, which could be exposed through uploaded artifacts. Since this workflow uploads artifacts, explicitly disable credential persistence.
🔒 Proposed fix to disable credential persistence
- name: Checkout code
uses: actions/checkout@v4
+ with:
+ persist-credentials: false
As per static analysis hint: "credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false"
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 11-12: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/infrascan.yml around lines 11 - 12, The GitHub Actions
checkout step using actions/checkout@v4 is leaving credentials persisted; update
that step by adding the option persist-credentials: false to the checkout action
(i.e., modify the Checkout code block for uses: actions/checkout@v4 to include
persist-credentials: false) so credentials are not kept and cannot be leaked via
uploaded artifacts.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 |
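Review bot: the job header here goes straight from `runs-on: ubuntu-latest` into `steps:` with no `permissions:` block, so unless one is set at the workflow top level the job runs with the repository's default GITHUB_TOKEN permissions; a read-only checkout plus an artifact upload needs no more than `contents: read`, so add a `permissions:` block with `contents: read` at job or workflow level to scope the token to least privilege.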
Pin actions to full commit SHAs for supply chain security.
All three actions use tag references which are mutable and can be rewritten by attackers. Pin to full commit SHAs to protect against supply chain attacks.
🔐 Example fix for SHA pinning
- name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Apply similar pinning for soldevelo/infrascan@v1.0.6 and actions/upload-artifact@v4. Use full commit SHAs with version comments for maintainability.
As per static analysis hint: "unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)"
Also applies to: 20-20, 27-27
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 11-12: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/infrascan.yml at line 12, Replace mutable action tags with
immutable commit SHAs for each GitHub Action usage (e.g., the checkout action
reference "actions/checkout@v4", the infrascan action
"soldevelo/infrascan@v1.0.6", and the upload artifact action
"actions/upload-artifact@v4"); find the uses: lines and change them to their
corresponding full commit SHA pins while leaving a trailing comment with the
human-friendly version (e.g., "// actions/checkout@v4") for maintainability so
the workflow uses pinned SHAs and retains version context.
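A small audit script for the four hardening points raised in the comments above (unpinned action references, a checkout without `persist-credentials: false`, `chmod 777`, and triggers with no branch filter), added here as an example; it is not part of the PR, of CodeRabbit's output, or of the InfraScan project. It scans the raw workflow text with regular expressions rather than a YAML parser, and the embedded workflow is a constructed sample that only resembles the file under review.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([\w.\-/]+)@(\S+)")
TRIGGER_RE = re.compile(r"^\s*(push|pull_request):\s*$")

def _block(lines, idx, min_indent):
    # Stripped lines after idx that stay at least min_indent deep (one YAML mapping).
    out = []
    for line in lines[idx + 1:]:
        if line.strip() and len(line) - len(line.lstrip(" ")) < min_indent:
            break
        out.append(line.strip())
    return out

def audit_workflow(text):
    # One finding string per hardening issue; line numbers are 1-based.
    lines, findings = text.splitlines(), []
    for i, line in enumerate(lines):
        n, m, t = i + 1, USES_RE.match(line), TRIGGER_RE.match(line)
        if m:
            action, ref = m.groups()
            if not SHA_RE.match(ref):  # tags and branches are mutable references
                findings.append(f"line {n}: {action}@{ref} is not pinned to a full commit SHA")
            if action == "actions/checkout":
                step = _block(lines, i, line.index("uses"))  # remaining keys of this step
                if "persist-credentials: false" not in step:
                    findings.append(f"line {n}: checkout does not set persist-credentials: false")
        if re.search(r"\bchmod\s+(?:-R\s+)?0?777\b", line):
            findings.append(f"line {n}: chmod 777 makes the path world-writable; use 755 or drop it")
        if t and not any(b.startswith("branches:") for b in _block(lines, i, len(line) - len(line.lstrip(" ")) + 1)):
            findings.append(f"line {n}: {t.group(1)} trigger has no branch filter")
    return findings

# Constructed sample resembling the workflow under review; not the repository's file.
SAMPLE_WORKFLOW = """\
on:
  push:
  pull_request:
jobs:
  infrascan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Create Reports Directory
        run: mkdir -p infrascan-reports && chmod 777 infrascan-reports
"""
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports five findings, and a workflow with SHA pins, `persist-credentials: false`, `chmod 755` and `branches:` filters reports none.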
Description
This PR introduces an automated InfraScan GitHub Actions workflow to the mosip/infra repository in order to continuously scan infrastructure-as-code configurations for security vulnerabilities and cost optimization opportunities.
The workflow runs on every `push` and `pull_request` event and executes a comprehensive InfraScan analysis of Terraform definitions. It generates an HTML report and uploads it as a GitHub Actions artifact for further inspection.
This change is a follow-up to the InfraScan analysis and findings shared in the: #200
The referenced analysis identified multiple areas for improvement across the infrastructure codebase, including:
The full InfraScan report used for validation is available here:
https://infrascan.soldevelo.com/?scan_id=6bf4a14c-ed6b-45f0-8e23-a381845bfaab
By introducing this workflow, the repository gains continuous infrastructure security validation directly in CI/CD, ensuring that similar misconfigurations are detected early in future changes and before reaching production environments.