Medical-Informatics-Platform · moghit-eou · Mar 20, 2026 · Mar 20, 2026 · Mar 20, 2026 · Mar 20, 2026
diff --git a/.github/workflows/iac-scanning.yml b/.github/workflows/iac-scanning.yml
@@ -0,0 +1,47 @@
+---
+name: IaC Security Scanning
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+jobs:
+  checkov-scan:
+    name: Scan IaC with Checkov
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write # required by upload-sarif to post results to the GitHub Security tab
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Run Checkov
+        id: checkov
+        uses: bridgecrewio/checkov-action@de2bfaecd21d58ef232e0d2a3391c33c32c460d7 # v12.3096.0
+        with:
+          directory: .
+          framework: kubernetes,helm,kustomize
+          output_format: sarif
+          output_file_path: checkov-results.sarif
+          # Kustomize patch fragments produce false positives when scanned standalone
+          skip_path: argo-setup/patches
+          # To be removed once existing findings are resolved
+          soft_fail: true
+
+      - name: Upload SARIF to GitHub Security tab
+        # GitHub restricts token permissions on fork PRs so we skip the upload there
+        # upload only runs on push or same-repo PRs where the token has enough permissions
+        if: >-
+          always() &&
+          hashFiles('checkov-results.sarif') != '' &&
+          (github.event_name != 'pull_request' ||
+           github.event.pull_request.head.repo.full_name == github.repository)
+        uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3.35.2
+        with:
+          sarif_file: checkov-results.sarif
+          category: iac-scanning