test: maks test GHA Prisma

.github/actions/checkov-scans-v1/action.yml

@@ -0,0 +1,49 @@
+name: checkov-scans
+description: Checkov scans cloud infrastructure configurations to find misconfigurations before they're deployed and sends a result to Prisma Cloud.
+
+inputs:
+  output-file-path:
+    description: output file path of Checkov scans
+    type: string
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
+    - uses: actions/checkout@v4
+    # Used to name the file from Checkov
+    - name: Extract package version
+      id: extract-version
+      shell: bash
+      run: echo "::set-output name=version::$(jq -r .version package.json)"
+    # The checkov scan
+    - name: Run Prisma Cloud
+      id: prisma-cloud
+      uses: bridgecrewio/checkov-action@v12
+      with:
+        api-key: ${{ secrets.PRISMA_ACCESS_KEY }}::${{ secrets.PRISMA_SECRET_KEY }}
+        # CLI output to the console and md file
+        output_format: cli
+        framework: sca_package,github_actions,dockerfile,secrets
+        soft_fail_on: LOW
+        output_file_path: ${{ inputs.output-file-path }}
+      env:
+        PRISMA_API_URL: ${{ secrets.PRISMA_URL }}
+    # Rename ${{ inputs.output-file-path }}/results_cli.txt to ${{ inputs.output-file-path }}/checkov_${{ steps.extract-version.outputs.version }}.txt
+    - name: Rename file
+      shell: bash
+      run: mv ${{ inputs.output-file-path }}/results_cli.txt ${{ inputs.output-file-path }}/checkov_${{ steps.extract-version.outputs.version }}.txt
+    # Create a pull request with the SCA file TODO: needed it?
+#    - name: Create PR
+#      uses: peter-evans/create-pull-request@v6
+#      with:
+#        token: ${{ secrets.GITHUB_TOKEN }}
+#        commit-message: 'docs: Generate a SCA Report'
+#        branch: auto-generate-sca-report
+#        base: develop
+#        title: 'docs: generate a SCA report'
+#        body: |
+#          This patch generates a SCA report based on the outputs from Checkov.
+#          This PR was opened by a robot :robot: :tada:
+#        add-paths: ${{ inputs.output-file-path }}/checkov_${{ steps.extract-version.outputs.version }}.txt

.github/workflows/checkov-scan.yml

@@ -0,0 +1,40 @@
+name: Checkov scan
+
+on:
+  push:
+    branches:
+#      - release
+#      - main
+      - maks-test-gha
+  schedule:
+    # Run every day at 2:00 AM
+    - cron: '0 2 * * *'
+
+jobs:
+  checkov-scan-scheduled:
+    # Will be triggerred if the scheduled event occurs on the develop branch
+#    if: github.event_name == 'schedule' && github.ref == 'refs/heads/develop'
+    if: github.event_name == 'schedule' && github.ref == 'refs/heads/maks-test-gha'
+    permissions:
+      contents: write # for actions/checkout to fetch code
+      pull-requests: write # for action to create PR
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+    steps:
+      - uses: dequelabs/axe-api-team-public/.github/actions/checkov-scans-v1@main
+        with:
+          output-file-path: sca/
+
+  checkov-scan-on-push:
+    # Will be triggerred when there's a push event on the release or main branch
+#    if: github.event_name == 'push' && (github.ref == 'refs/heads/release' || github.ref == 'refs/heads/main')
+    if: github.event_name == 'push' && github.ref == 'refs/heads/maks-test-gha'
+    permissions:
+      contents: write # for actions/checkout to fetch code
+      pull-requests: write # for action to create PR
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+    steps:
+      - uses: dequelabs/axe-api-team-public/.github/actions/checkov-scans-v1@main
+        with:
+          output-file-path: sca/