Medical-Informatics-Platform · moghit-eou · Mar 20, 2026 · Mar 20, 2026 · Mar 20, 2026 · Mar 20, 2026
diff --git a/.github/workflows/iac-scanning.yml b/.github/workflows/iac-scanning.yml
@@ -0,0 +1,40 @@
+---
+name: IaC Security Scanning
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+jobs:
+  checkov-scan:
+    name: Scan IaC with Checkov
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Checkov
+        id: checkov
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          directory: .
+          framework: kubernetes,helm,kustomize
+          output_format: sarif
+          output_file_path: checkov-results.sarif
+          skip_path: argo-setup/patches          
+          soft_fail: true
+
+
+      - name: Upload SARIF to GitHub Security tab
+        if: always() && hashFiles('checkov-results.sarif') != ''
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: checkov-results.sarif
+          category: iac-scanning