33 commits
21faabf  Create outputs.tf  (manishvishwakarma89, May 19, 2026)
6613eff  build and testing code-quality-check.yml  (manishvishwakarma89, May 20, 2026)
bbb97aa  Create secret-scan.yml  (manishvishwakarma89, May 20, 2026)
c7e7d12  Create dependency-scan.yml  (manishvishwakarma89, May 20, 2026)
438bcc9  Create docker-lint.yml  (manishvishwakarma89, May 20, 2026)
d782154  Create devsecops-pipeline.yml  (manishvishwakarma89, May 20, 2026)
4425041  Create image-scan.yml  (manishvishwakarma89, May 20, 2026)
74d0365  Update devsecops-pipeline.yml  (manishvishwakarma89, May 20, 2026)
6b4c582  Create tests.yml  (manishvishwakarma89, May 20, 2026)
6b62387  Create deploy-to-server.yml  (manishvishwakarma89, May 20, 2026)
169b100  Create docker-build-push.yml  (manishvishwakarma89, May 20, 2026)
43a2dc6  Create playbook.yml  (manishvishwakarma89, May 20, 2026)
0b7cd18  Update code-quality-check.yml  (manishvishwakarma89, May 20, 2026)
135d33d  Update code-quality-check.yml  (manishvishwakarma89, May 20, 2026)
eef392f  Update go-version  (manishvishwakarma89, May 20, 2026)
918f30d  Update code-quality-check.yml  (manishvishwakarma89, May 20, 2026)
5af7b19  Update large go-version  (manishvishwakarma89, May 20, 2026)
ea1538a  Update code-quality  (manishvishwakarma89, May 20, 2026)
faaa4dd  Update code-quality-check.yml  (manishvishwakarma89, May 20, 2026)
75573fc  Update go.mod  (manishvishwakarma89, May 20, 2026)
f71a036  Updated ci registry pipeline  (manishvishwakarma89, May 20, 2026)
5fce991  Update code-quality-check.yml  (manishvishwakarma89, May 20, 2026)
3f19b5b  Updated go-lang  (manishvishwakarma89, May 20, 2026)
a8d254b  Update go lang dependencies  (manishvishwakarma89, May 20, 2026)
59d4e1b  Update go matrix  (manishvishwakarma89, May 21, 2026)
4424b28  Update code-quality-check.yml  (manishvishwakarma89, May 21, 2026)
8c7103e  Update go-lint  (manishvishwakarma89, May 21, 2026)
d2f8b75  Update go.mod  (manishvishwakarma89, May 21, 2026)
71f6604  Update code-quality-check.yml  (manishvishwakarma89, May 21, 2026)
2fcf285  Update code-quality-check.yml  (manishvishwakarma89, May 21, 2026)
472dd2c  Update code-quality-check.yml  (manishvishwakarma89, May 21, 2026)
fdd9a5d  Update go.mod  (manishvishwakarma89, May 21, 2026)
854381c  Update main.go  (manishvishwakarma89, May 21, 2026)
91 changes: 91 additions & 0 deletions .github/workflows/code-quality-check.yml
@@ -0,0 +1,91 @@
name: Go Code Quality

on:
workflow_call:

jobs:
code-quality:
runs-on: ubuntu-latest

strategy:
fail-fast: false

matrix:
go-version: ["1.21", "1.22", "1.23"]

steps:
# ==============================
# Checkout Repository
# ==============================

- name: Checkout Code
uses: actions/checkout@v4
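Review bot: no `permissions:` block is declared anywhere in this hunk, neither at the workflow level under `name: Go Code Quality` nor at the job level under `code-quality:`, so the job inherits whatever GITHUB_TOKEN scopes the calling workflow and the repository default grant it. The steps in this job only read the repository, so add a top-level `permissions:` with `contents: read`; that bounds what a compromised step could do with the token, independently of the pinning and persist-credentials points raised in the comments on this step.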

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all workflow action refs are SHA-pinned (40 hex chars)
rg -n '^\s*uses:\s*[^@]+@' .github/workflows \
| rg -n -v '@[0-9a-fA-F]{40}$'

Repository: LondheShubham153/github-actions-kubernetes-masterclass

Length of output: 495


Pin all GitHub Actions to commit SHAs.

Lines 22, 29, and 81 use tag refs (@v4, @v5, @v6) instead of immutable commit SHAs. This is a supply-chain hardening gap and will fail strict pinning policies.

Suggested patch
-      - name: Checkout Code
-        uses: actions/checkout@v4
+      - name: Checkout Code
+        uses: actions/checkout@<full-length-commit-sha>

-      - name: Setup Go ${{ matrix.go-version }}
-        uses: actions/setup-go@v5
+      - name: Setup Go ${{ matrix.go-version }}
+        uses: actions/setup-go@<full-length-commit-sha>
         with:
           go-version: ${{ matrix.go-version }}

       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@<full-length-commit-sha>
         with:
           version: latest
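Review bot: the `<full-length-commit-sha>` placeholders make this patch non-applicable as written; when the real SHAs are filled in, keep the release tag as a trailing comment on the same line (for example `uses: actions/checkout@<sha> # v4`) so Dependabot or Renovate can still recognise the pin and propose bumps, and take each SHA from the action repository's tagged release rather than from a branch head.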
🧰 Tools
🪛 zizmor (1.25.2)

[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/code-quality-check.yml at line 22, Replace the floating
action tags with immutable commit SHAs for all "uses:" entries currently
referenced by tags (e.g., actions/checkout@v4, actions/setup-node@v5,
actions/cache@v6) so the workflow pins exact commits; locate each "uses:" line
in the workflow and swap the tag (e.g., @v4/@v5/@v6) with the corresponding full
commit SHA from the action's GitHub repo, update any README/maintainer note if
present to document the pinned SHAs, and run a quick local workflow lint to
ensure the YAML remains valid.



⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify checkout steps explicitly disable credential persistence
rg -n -C2 'uses:\s*actions/checkout@' .github/workflows
rg -n 'persist-credentials:\s*false' .github/workflows

Repository: LondheShubham153/github-actions-kubernetes-masterclass

Length of output: 945


🏁 Script executed:

cat -n .github/workflows/code-quality-check.yml | sed -n '15,30p'

Repository: LondheShubham153/github-actions-kubernetes-masterclass

Length of output: 596


🏁 Script executed:

cat -n .github/workflows/cd-k8s.yml | sed -n '14,22p'

Repository: LondheShubham153/github-actions-kubernetes-masterclass

Length of output: 391


🌐 Web query:

GitHub actions checkout persist-credentials security best practice

💡 Result:

Best-practice answer (security): set persist-credentials: false on actions/checkout unless you specifically need later steps to run authenticated git commands using the checkout token.

Why: actions/checkout can persist the auth token in the local git config so scripts can run authenticated git commands, and the token is removed during post-job cleanup; opting out via persist-credentials: false prevents that persistence. [1][2]

Recommended pattern
- Always harden checkout steps:
  - uses: actions/checkout@v4 (or newer)
  - with: persist-credentials: false
This ensures the token is not persisted to the repository’s git configuration for subsequent steps. [1][2]

When you might keep it enabled
- Only when you truly need later steps to run authenticated git operations without manually reconfiguring credentials (for example, actions that assume the persisted credentials are available after checkout). [1][3]

Additional defense-in-depth (separate from persist-credentials)
- Constrain GITHUB_TOKEN permissions (e.g., use a permissions block / least privilege) so that even if credentials were exposed, the blast radius is reduced. [4]

Concrete example
- name: Checkout
  uses: actions/checkout@v4
  with:
    persist-credentials: false

This is the explicit remediation repeatedly called out by the checkout action maintainers’ guidance and security discussions. [2][5]



Add persist-credentials: false to disable credential persistence.

The actions/checkout@v4 step should set persist-credentials: false to prevent the GITHUB_TOKEN from being left in the local git config for subsequent steps, reducing the window of exposure if a step is compromised.

Suggested patch
      - name: Checkout Code
        uses: actions/checkout@v4
+       with:
+         persist-credentials: false
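Review bot: the patch is safe to apply as is, since none of the later steps in this workflow (setup-go, gofmt, go vet, golangci-lint, go test) run git commands that would need the persisted token; add the `with:` block at the same indentation as `uses:` so the key lands inside the same step rather than starting a new mapping.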
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 21-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/code-quality-check.yml around lines 21 - 23, The Checkout
Code step (name: "Checkout Code", uses: actions/checkout@v4) currently leaves
credentials persisted; update the step to add persist-credentials: false so the
GITHUB_TOKEN is not written to the local git config for later steps, ensuring
the checkout step explicitly disables credential persistence by adding that key
under the same step.
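As an added example serving both review comments above (SHA pinning and persist-credentials), and not code from the pull request or the repository: a stdlib-only Python audit that scans workflow text for the three hardening gaps a reviewer checks by hand, namely `uses:` references that are not pinned to a 40-character commit SHA, `actions/checkout` steps that do not set `persist-credentials: false`, and the absence of any `permissions:` block (the least-privilege point from the web query result). The rule names reuse the zizmor names shown in the comments; the sample workflow text, the `missing-permissions` rule name, and the 40-hex placeholder SHA are constructed for this example and are not real values.

```python
import re
from typing import Dict, List

# `uses:` key of a step; captures the action reference, stopping at whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A reference is immutable only when it ends in a full 40-hex-character commit SHA.
SHA_RE = re.compile(r"@[0-9a-fA-F]{40}$")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\b")
PERMISSIONS_RE = re.compile(r"^\s*permissions:")


def is_sha_pinned(ref: str) -> bool:
    """True for refs like owner/action@<40 hex chars>; tags such as @v4 are mutable."""
    return SHA_RE.search(ref) is not None


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def checkout_disables_persistence(lines: List[str], uses_idx: int) -> bool:
    """Scan the rest of the step containing lines[uses_idx] for persist-credentials: false.

    The step ends at the first non-blank, non-comment line indented less than the
    `uses:` key, which is how a step mapping closes in a workflow file.
    """
    key_col = lines[uses_idx].index("uses:")
    for line in lines[uses_idx + 1:]:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _indent(line) < key_col:
            break
        if PERSIST_FALSE_RE.match(line):
            return True
    return False


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per hardening gap; line numbers are 1-based, 0 means whole file."""
    lines = text.splitlines()
    findings: List[Dict[str, object]] = []
    if not any(PERMISSIONS_RE.match(ln) for ln in lines):
        findings.append({"line": 0, "rule": "missing-permissions",
                         "detail": "no permissions: block, GITHUB_TOKEN keeps the default scopes"})
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and Docker images are not pinned by commit SHA
        if not is_sha_pinned(ref):
            findings.append({"line": idx + 1, "rule": "unpinned-uses", "detail": ref})
        if ref.startswith("actions/checkout@") and not checkout_disables_persistence(lines, idx):
            findings.append({"line": idx + 1, "rule": "artipacked", "detail": ref})
    return findings


# Constructed sample: the PR's checkout/setup-go pattern followed by a hardened checkout.
# The 40-hex SHA below is a placeholder, not a real actions/checkout commit.
SAMPLE_WORKFLOW = """\
name: Go Code Quality
on:
  workflow_call:
jobs:
  code-quality:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.23"

      - name: Hardened checkout (constructed)
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          persist-credentials: false
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}  {f['rule']:<20} {f['detail']}")
```

Run against the sample it reports the missing `permissions:` block, both tag-pinned `uses:` lines, and the checkout step without `persist-credentials: false`, while the hardened checkout produces no finding. Feeding it the real files under `.github/workflows` (for example by reading each file and calling `audit_workflow`) gives the same result as the `rg` commands in the analysis chain, with the step-scoped check for `persist-credentials` that a plain grep cannot express.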

# ==============================
# Setup Go Environment
# ==============================

- name: Setup Go ${{ matrix.go-version }}
uses: actions/setup-go@v5
with:
go-version: ${{ matrix.go-version }}

# ==============================
# Verify Go Installation
# ==============================

- name: Verify Go Version
run: go version

# ==============================
# Verify go.mod Exists
# ==============================

- name: Check go.mod
run: |
if [ ! -f go.mod ]; then
echo "go.mod file not found!"
exit 1
fi

# ==============================
# Install Dependencies
# ==============================

- name: Install Dependencies
run: |
go mod tidy
go mod download

# ==============================
# Format Check
# ==============================

- name: Run gofmt
run: |
test -z "$(gofmt -l .)"

# ==============================
# Static Analysis
# ==============================

- name: Run go vet
run: |
go vet ./...

# ==============================
# GolangCI Lint
# ==============================

- name: Run golangci-lint
uses: golangci/golangci-lint-action@v6
with:
version: latest

# ==============================
# Run Unit Tests
# ==============================

- name: Run Tests
run: |
go test ./... -v
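Review bot: the `Install Dependencies` step runs `go mod tidy` before `go mod download`, which rewrites go.mod and go.sum on the runner, so missing go.sum entries are filled in silently and the vet, lint and test steps that follow may run against a dependency set that differs from the one committed; use `go mod download` followed by `go mod verify`, and if tidiness should be enforced, run `go mod tidy` and then `git diff --exit-code go.mod go.sum` so drift fails the job instead of being hidden. Separately, `version: latest` on the golangci-lint step floats the linter release, so lint results can change between runs with no change in the repository; pin it to a specific release.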
7 changes: 7 additions & 0 deletions terraform-iac/outputs.tf
@@ -0,0 +1,7 @@
output "instance_public_ip" {
value = aws_instance.my_ec2.public_ip
}

output "instance_id" {
value = aws_instance.my_ec2.id
}
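Review bot: neither output carries a `description`, so `terraform output` gives no hint of what `instance_public_ip` and `instance_id` are for; add one to each. Neither needs `sensitive = true`, since a public IP and an instance id are not secrets, but whatever consumes `instance_public_ip` (for example a deploy step reading `terraform output -raw instance_public_ip`) should treat the value as untrusted input and not splice it into a shell command unquoted.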