From 2b528e5e1c13b49ec5f17d50c8032be6675065b2 Mon Sep 17 00:00:00 2001
From: moghit-eou
Date: Fri, 20 Mar 2026 01:55:17 +0000
Subject: [PATCH 1/5] feat: add IaC security scanning with Checkov...

---
 .github/workflows/iac-scanning.yml | 43 ++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 .github/workflows/iac-scanning.yml

diff --git a/.github/workflows/iac-scanning.yml b/.github/workflows/iac-scanning.yml
new file mode 100644
index 0000000..c52014b
--- /dev/null
+++ b/.github/workflows/iac-scanning.yml
@@ -0,0 +1,43 @@
+---
+name: IaC Security Scanning
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+jobs:
+  checkov-scan:
+    name: Scan IaC with Checkov
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Checkov
+        id: checkov
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          directory: .
+          framework: kubernetes,helm,kustomize
+          output_format: sarif
+          output_file_path: checkov-results.sarif
+          # skip three specific rules that produce false positives
+          # these rules fires on ArgoCD resource types
+          # Checkov doesn't fully understand ArgoCD and flags them incorrectly
+          # also skip it for real Kubernetes workload files and this is a security gap
+          skip_check: CKV_K8S_35,CKV_K8S_8,CKV_K8S_9
+
+
+      - name: Upload SARIF to GitHub Security tab
+        if: always() && hashFiles('checkov-results.sarif') != ''
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: checkov-results.sarif
+          category: iac-scanning
\ No newline at end of file

From 071a9cc142029491cc0014dfba0c726f03ab498b Mon Sep 17 00:00:00 2001
From: moghit-eou
Date: Fri, 20 Mar 2026 01:57:57 +0000
Subject: [PATCH 2/5] feat: add IaC security scanning with Checkov...

---
 .github/workflows/iac-scanning.yml | 3 ---
 1 file changed, 3 deletions(-)
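Review bot: All three `uses:` lines reference mutable major-version tags (`actions/checkout@v4`, `bridgecrewio/checkov-action@v12`, `github/codeql-action/upload-sarif@v3`), so the scanner that reviews this repo's manifests can be changed out from under it by whoever controls those tags; pin each to a full commit SHA with the version kept in a trailing comment, e.g. `uses: bridgecrewio/checkov-action@<full-sha> # v12`. Nothing in the job pushes back to the repository, so the checkout can also drop the persisted token with `with: persist-credentials: false`. On `pull_request` runs from forks the job token is read-only, so the `security-events: write` grant presumably does not take effect and the SARIF upload step would fail rather than publish — worth confirming and, if so, guarding that step with a same-repository condition.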
diff --git a/.github/workflows/iac-scanning.yml b/.github/workflows/iac-scanning.yml
index c52014b..c042ed0 100644
--- a/.github/workflows/iac-scanning.yml
+++ b/.github/workflows/iac-scanning.yml
@@ -2,10 +2,7 @@
 name: IaC Security Scanning
 
 on:
-  pull_request:
-    branches: [main]
   push:
-    branches: [main]
 
 jobs:
   checkov-scan:

From 0c16379d843496f26b60a0d831713acbd1316e24 Mon Sep 17 00:00:00 2001
From: moghit-eou
Date: Fri, 20 Mar 2026 01:59:50 +0000
Subject: [PATCH 3/5] feat: add IaC security scanning with Checkov with soft failing

---
 .github/workflows/iac-scanning.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/iac-scanning.yml b/.github/workflows/iac-scanning.yml
index c042ed0..db869e4 100644
--- a/.github/workflows/iac-scanning.yml
+++ b/.github/workflows/iac-scanning.yml
@@ -29,7 +29,9 @@ jobs:
           # these rules fires on ArgoCD resource types
           # Checkov doesn't fully understand ArgoCD and flags them incorrectly
           # also skip it for real Kubernetes workload files and this is a security gap
-          skip_check: CKV_K8S_35,CKV_K8S_8,CKV_K8S_9
+          skip_check: CKV_K8S_35,CKV_K8S_8,CKV_K8S_9
+          soft_fail: true
+
 
 
       - name: Upload SARIF to GitHub Security tab

From 23b0bca832e24dadfb864e7b6662724c8a3e9868 Mon Sep 17 00:00:00 2001
From: moghit-eou
Date: Fri, 20 Mar 2026 02:21:05 +0000
Subject: [PATCH 4/5] fix: restore triggers on main branch only

---
 .github/workflows/iac-scanning.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/iac-scanning.yml b/.github/workflows/iac-scanning.yml
index db869e4..84fb959 100644
--- a/.github/workflows/iac-scanning.yml
+++ b/.github/workflows/iac-scanning.yml
@@ -2,7 +2,10 @@
 name: IaC Security Scanning
 
 on:
+  pull_request:
+    branches: [main]
   push:
+    branches: [main]
 
 jobs:
   checkov-scan:

From 6dd5f7f714a0b7a11497fc8397c8ba12a52e82e8 Mon Sep 17 00:00:00 2001
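Review bot: `soft_fail: true` makes the Checkov step exit 0 whatever it finds, so from this commit on a PR that introduces a privileged container or a `hostPath` mount still gets a green check; the only trace is the code-scanning alert, which nobody has to look at before merging. The `skip_check` line directly above already suppresses three checks repo-wide — the comment in the hunk itself calls that a security gap — so stacking a global soft-fail on top leaves the scan purely advisory. If the goal is to avoid blocking on the ArgoCD false positives, keep hard failure for everything else: drop `soft_fail: true` and, if this action version exposes it, list only the noisy checks in `soft_fail_on`, or at minimum require the resulting code-scanning alerts to be resolved through branch protection. The hunk shows only the Checkov step's `with:` block; the step header and the upload step lie outside it.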
From: moghit-eou
Date: Sun, 5 Apr 2026 18:30:56 +0100
Subject: [PATCH 5/5] fix(ci): replace global skip_check with skip_path for argo-setup/patches

---
 .github/workflows/iac-scanning.yml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/.github/workflows/iac-scanning.yml b/.github/workflows/iac-scanning.yml
index 84fb959..53a94f6 100644
--- a/.github/workflows/iac-scanning.yml
+++ b/.github/workflows/iac-scanning.yml
@@ -28,15 +28,10 @@ jobs:
           framework: kubernetes,helm,kustomize
           output_format: sarif
           output_file_path: checkov-results.sarif
-          # skip three specific rules that produce false positives
-          # these rules fires on ArgoCD resource types
-          # Checkov doesn't fully understand ArgoCD and flags them incorrectly
-          # also skip it for real Kubernetes workload files and this is a security gap
-          skip_check: CKV_K8S_35,CKV_K8S_8,CKV_K8S_9
+          skip_path: argo-setup/patches
           soft_fail: true
-
 
 
       - name: Upload SARIF to GitHub Security tab
         if: always() && hashFiles('checkov-results.sarif') != ''
         uses: github/codeql-action/upload-sarif@v3
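Review bot: `skip_path: argo-setup/patches` excludes that whole directory from every check, not just the three ArgoCD-related ones the removed `skip_check` named, so any genuine misconfiguration added under that path later is never reported; Checkov's `--skip-path` is also documented as a regular expression without implicit anchors, so as written it presumably matches any path containing that substring — confirm and anchor it if so, e.g. `skip_path: ^argo-setup/patches/`. The more precise tool for a known false positive is an inline suppression on the resource itself, `# checkov:skip=CKV_K8S_35: ArgoCD resource, not a workload`, which keeps the rest of the file scanned and records the justification next to the manifest. `soft_fail: true` is still in place, so even with the narrower exclusion the job cannot block a merge. The hunk shows only the Checkov step's inputs and the start of the upload step; the rest of the workflow lies outside it.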