This repository showcases how to integrate checkov
within a CI pipeline using GitHub Actions.
- Define Action Secrets for the following:
  - DOCKER_HUB_ACCESS_TOKEN
  - DOCKER_HUB_USERNAME
  - REPO_NAME
- Initiate a new release in this repository via CLI, UI, or manually trigger a build.
- Navigate to Actions to observe the CI process in action.
- Inspect the checkov output in the job log.
- Explore the Security tab to see how the findings appear there.
- Cleanup: Ensure you delete the newly created release and any associated tags.
Checkov can be run in either the build or the deploy phase. In the current configuration, checkov analyzes the Dockerfile before the image is built and soft-fails (warns) if the Dockerfile does not satisfy the security checks. Removing the soft-fail option makes it hard-fail instead, halting the build so that a non-compliant image is never built or pushed. The scan results are printed in the runner console, and the findings are also uploaded to the GitHub Security tab.
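The workflow below is an added, illustrative example of the setup described above; it is not this repository's own workflow file. It assumes the three secrets named earlier, a Dockerfile at the repository root, and the public checkov, Docker and CodeQL actions at the major-version tags shown (those tags are assumptions; in a real pipeline pin each action to a full commit SHA).

```yaml
# Example workflow (not the repository's own): scan the Dockerfile with checkov
# before building, publish findings to the Security tab, then build and push.
name: Build and scan image

on:
  release:
    types: [published]
  workflow_dispatch:        # allows a manual run from the Actions tab

permissions:
  contents: read
  security-events: write    # required to upload SARIF to Security > Code scanning

jobs:
  scan-and-build:
    runs-on: ubuntu-latest
    steps:
      - name: Check out source
        uses: actions/checkout@v4

      # Scan the Dockerfile before anything is built or pushed.
      # soft_fail: true prints the findings and lets the job continue.
      # Delete that line to hard-fail: the step then exits non-zero on any
      # failed check and the build/push steps below never run.
      - name: Scan Dockerfile with checkov
        id: checkov
        uses: bridgecrewio/checkov-action@v12
        with:
          file: Dockerfile
          framework: dockerfile
          soft_fail: true
          output_format: cli,sarif
          output_file_path: console,results.sarif

      # Upload the SARIF so findings show up in the Security tab.
      # if: always() keeps this running even when checkov hard-fails.
      - name: Upload checkov SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

      # Authenticate with an access token, never a Docker Hub password.
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

      # Tag the image with the release tag that triggered the run.
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ secrets.DOCKER_HUB_USERNAME }}/${{ secrets.REPO_NAME }}:${{ github.ref_name }}
```

Two things worth checking when adapting this: the `security-events: write` permission is what lets the SARIF upload succeed, so a workflow that only has the default `contents: read` will scan fine but show nothing in the Security tab; and with `soft_fail: true` the step's exit code is always zero, so the only signal is the console output and the uploaded alerts. Typical Dockerfile findings you will see from checkov's `dockerfile` framework include a missing `HEALTHCHECK` (CKV_DOCKER_2) and no non-root `USER` (CKV_DOCKER_3); fix those in the Dockerfile rather than skipping the checks.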
For developers aiming to integrate security earlier in the development process, consider the Checkov plugin for Microsoft VS Code.