
GitHub Actions

Basic Scan with SARIF

name: Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # Declaring `permissions` sets every scope not listed to none, so checkout needs this explicitly
      id-token: write         # For OIDC (not granted to pull_request runs from forks)
      security-events: write  # For SARIF upload
    steps:
      - uses: actions/checkout@v4
      - run: pip install cloud-audit   # pin a version here for a reproducible scanner
      # The scan needs AWS credentials: add the aws-actions/configure-aws-credentials
      # step from the OIDC Authentication section before this step.
      - run: cloud-audit scan --format sarif --output results.sarif
        env:
          AWS_REGION: eu-central-1
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Daily Drift Detection

See daily-scan-with-diff.yml for a complete workflow that:

  1. Runs a daily scan on a schedule
  2. Compares against yesterday's baseline (cached)
  3. Creates an issue if regressions are detected
  4. Updates the baseline cache
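The comparison in step 2 is the part a practitioner has to get right: two SARIF files are not diffed line by line, each result needs a stable identity so that an unchanged finding is not reported as new. The script below is an added example and is not the project's daily-scan-with-diff.yml; it assumes only that cloud-audit emits standard SARIF 2.1.0. Results are keyed on the tool's `partialFingerprints` when present, otherwise on rule ID plus location URIs. The two embedded SARIF documents are constructed samples with placeholder rule IDs and ARNs, not real scanner output.

```python
"""Report findings that appeared since a baseline scan by diffing two SARIF 2.1.0 files.

Added example; it assumes only that the scanner writes standard SARIF 2.1.0.
Rule IDs and resource ARNs in the constructed samples below are placeholders.
"""
import json
import sys


def _finding(rule_id, uri, level="warning", message="constructed finding"):
    # Build a minimal SARIF result for the constructed samples.
    return {
        "ruleId": rule_id,
        "level": level,
        "message": {"text": message},
        "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}],
    }


def _sarif(results):
    return {
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "example-scanner"}}, "results": results}],
    }


# Constructed sample data: yesterday's cached baseline and today's scan.
BASELINE = _sarif([
    _finding("s3-bucket-public-read", "arn:aws:s3:::prod-logs"),
    _finding("iam-user-no-mfa", "arn:aws:iam::123456789012:user/deploy"),
])
TODAY = _sarif([
    _finding("s3-bucket-public-read", "arn:aws:s3:::prod-logs"),     # unchanged
    _finding("s3-bucket-public-read", "arn:aws:s3:::prod-backups"),  # new regression
    # iam-user-no-mfa is absent: fixed since the baseline
])


def fingerprint(result):
    """Stable identity for a result: the tool's partialFingerprints when present,
    otherwise rule ID plus the sorted location URIs (and start line, if any)."""
    pf = result.get("partialFingerprints")
    if pf:
        return ("pf", tuple(sorted(pf.items())))
    locs = []
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri", "")
        line = phys.get("region", {}).get("startLine")
        locs.append((uri, line))
    return (result.get("ruleId", ""), tuple(sorted(locs, key=repr)))


def iter_results(sarif):
    for run in sarif.get("runs", []):
        yield from run.get("results", [])


def diff(baseline, current):
    """Return {'new': results absent from baseline, 'fixed': baseline results now absent}."""
    base = {fingerprint(r): r for r in iter_results(baseline)}
    cur = {fingerprint(r): r for r in iter_results(current)}
    return {
        "new": [r for fp, r in cur.items() if fp not in base],
        "fixed": [r for fp, r in base.items() if fp not in cur],
    }


def issue_body(delta):
    """Markdown body for the regression issue the workflow opens."""
    lines = [f"## {len(delta['new'])} new finding(s) since the baseline", ""]
    for r in delta["new"]:
        locs = r.get("locations") or []
        uri = locs[0]["physicalLocation"]["artifactLocation"]["uri"] if locs else "?"
        lines.append(f"- `{r.get('ruleId')}` ({r.get('level', 'warning')}) at `{uri}`")
    if delta["fixed"]:
        lines += ["", f"{len(delta['fixed'])} finding(s) from the baseline are no longer reported."]
    return "\n".join(lines) + "\n"


def load(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # usage: python sarif_diff.py baseline.sarif results.sarif > issue.md
    # exits 1 when regressions exist, so the workflow step can gate on it
    delta = diff(load(sys.argv[1]), load(sys.argv[2]))
    sys.stdout.write(issue_body(delta))
    sys.exit(1 if delta["new"] else 0)
```

In a workflow, restore the baseline with actions/cache before the scan, run the script against the cached file and the fresh results.sarif, and pass the written body to `gh issue create --body-file`. Note that a cache entry is immutable once written under a given key: step 4 only works if the save uses a fresh key (a date suffix, for example) and the restore lists the key prefix under `restore-keys` so the previous day's entry is found.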

Post-Deploy Scan

See post-deploy-scan.yml for scanning before and after terraform apply.

OIDC Authentication

cloud-audit supports OIDC authentication with AWS. Configure your IAM role to trust the GitHub Actions OIDC provider and use aws-actions/configure-aws-credentials:

- uses: aws-actions/configure-aws-credentials@v4   # the job needs `id-token: write` for this step
  with:
    role-to-assume: arn:aws:iam::123456789012:role/security-scan
    aws-region: eu-central-1

See OIDC setup guide for IAM role configuration.
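The security of this setup rests on the role's trust policy, not on the workflow: if the `sub` condition is missing or wildcarded, any GitHub repository can mint a token and assume the role. The following is an added example, not the project's OIDC setup guide, showing the trust policy that pins the role to one repository and branch, together with a checker that flags the two common mistakes (no `aud`/`sub` condition, and a wildcard in the repository part of `sub`). The account ID, repository and role name are placeholders; the audience `sts.amazonaws.com` is the default that aws-actions/configure-aws-credentials requests.

```python
"""Build and audit the IAM trust policy for a GitHub Actions OIDC role.

Added example; the OIDC setup guide linked from this page is the reference.
Account ID, repository and role name are placeholders.
"""
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def trust_policy(account_id, repo, ref="refs/heads/main", audience="sts.amazonaws.com"):
    """Trust policy allowing only workflows of `repo` running on `ref` to assume the role.
    The sub claim GitHub issues has the form repo:OWNER/REPO:ref:refs/heads/BRANCH
    (or repo:OWNER/REPO:environment:NAME when a deployment environment is used)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"
                },
                "Action": ASSUME_ACTION,
                "Condition": {
                    "StringEquals": {
                        f"{GITHUB_OIDC_HOST}:aud": audience,
                        f"{GITHUB_OIDC_HOST}:sub": f"repo:{repo}:ref:{ref}",
                    }
                },
            }
        ],
    }


def _conditions(stmt):
    """Flatten {operator: {key: value}} into {key: (operator, [values])}."""
    flat = {}
    for op, kv in stmt.get("Condition", {}).items():
        for key, value in kv.items():
            flat[key] = (op, value if isinstance(value, list) else [value])
    return flat


def audit_trust_policy(policy):
    """Return a list of problems; empty means every AssumeRoleWithWebIdentity
    statement pins both the audience and a single repository."""
    problems = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or ASSUME_ACTION not in actions:
            continue
        cond = _conditions(stmt)
        if f"{GITHUB_OIDC_HOST}:aud" not in cond:
            problems.append("missing aud condition: tokens minted for any audience are accepted")
        sub = cond.get(f"{GITHUB_OIDC_HOST}:sub")
        if sub is None:
            problems.append("missing sub condition: any GitHub repository can assume this role")
            continue
        op, values = sub
        for v in values:
            parts = v.split(":")
            repo_part = parts[1] if len(parts) > 1 and parts[0] == "repo" else ""
            if not repo_part or any(c in repo_part for c in "*?"):
                problems.append(f"sub '{v}' does not pin a single repository")
            elif op.startswith("StringLike") and any(c in ":".join(parts[2:]) for c in "*?"):
                # repo:org/repo:* lets every branch, tag and pull request assume the role
                problems.append(f"sub '{v}' allows every ref/environment of the repository")
    return problems


if __name__ == "__main__":
    policy = trust_policy("123456789012", "example-org/example-repo")
    print(json.dumps(policy, indent=2))
    print("problems:", audit_trust_policy(policy) or "none")
```

Run the checker against the trust policy returned by `aws iam get-role` before wiring the role into a workflow; a role that passes still needs an attached permissions policy limited to the read-only API calls the scan makes, since the trust policy only decides who may assume it.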