
Security Scanning Workflows

Seven workflows cover static analysis of infrastructure code and runtime cloud security scanning across AWS, Azure, and GCP.


security-checkov

Scan infrastructure-as-code for security violations using Checkov — detects misconfigurations in Terraform, CloudFormation, Kubernetes, and Dockerfile. Results are posted to the GitHub Security tab as SARIF.

View workflow →

When to use: On every pull request that touches infrastructure code.

```yaml
jobs:
  checkov:
    uses: clouddrove/github-shared-workflows/.github/workflows/security-checkov.yml@master
    with:
      directory: ./infra                  # required: path to scan
      continue_on_error: false            # fail the workflow on findings
      skip_check: CKV_AWS_18,CKV_AWS_21   # comma-separated checks to skip
      output_format: sarif
    secrets:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

| Input | Required | Default | Description |
|---|---|---|---|
| directory | Yes | | Directory to scan |
| continue_on_error | No | false | Continue even if checks fail |
| var_file | No | | Terraform .tfvars file |
| skip_check | No | | Checks to skip (comma-separated) |
| output_format | No | sarif | Output format |

security-tfsec

Terraform security scanning with SARIF reporting and PR comments — uses tfsec to catch Terraform-specific security issues and posts findings as a PR comment.

View workflow →

```yaml
jobs:
  tfsec:
    uses: clouddrove/github-shared-workflows/.github/workflows/security-tfsec.yml@master
    with:
      working_directory: ./examples/
    secrets:
      GITHUB: ${{ secrets.GITHUB_TOKEN }}
```

| Input | Required | Default | Description |
|---|---|---|---|
| working_directory | No | ./examples/ | Directory to scan |

security-prowler

Multi-cloud security scanning with Prowler — runs Prowler against AWS, Azure, or GCP and outputs findings as SARIF.

View workflow →

```yaml
# AWS
jobs:
  prowler:
    uses: clouddrove/github-shared-workflows/.github/workflows/security-prowler.yml@master
    with:
      cloud_provider: aws   # aws | azure | gcp
      aws_region: us-east-1
    secrets:
      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
```

```yaml
# GCP: same job, with the inputs and secrets replaced by
    with:
      cloud_provider: gcp
      project_id: my-gcp-project
    secrets:
      WIP: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
      SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
```

| Input | Required | Description |
|---|---|---|
| cloud_provider | Yes | aws, azure, or gcp |
| project_id | No | GCP project ID |
| aws_region | No | AWS region |

security-powerpipe

Multi-cloud compliance checks with Powerpipe — runs compliance benchmarks (CIS, HIPAA, SOC 2, PCI DSS) across AWS, Azure, GCP, and OCI.

View workflow →

When to use: Scheduled compliance audits or pre-audit validation runs.

```yaml
jobs:
  compliance:
    uses: clouddrove/github-shared-workflows/.github/workflows/security-powerpipe.yml@master
    with:
      cloud_provider: aws   # required: aws | azure | gcp | oci
      mod_url: github.com/turbot/steampipe-mod-aws-compliance
      benchmarks: cis_v150
    secrets:
      TOKEN: ${{ secrets.GITHUB_TOKEN }}
      aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }}
```

| Input | Required | Description |
|---|---|---|
| cloud_provider | Yes | aws, azure, gcp, or oci |
| mod_url | No | Powerpipe/Steampipe mod to install |
| controls | No | Specific controls to run |
| benchmarks | No | Benchmark to run (e.g., cis_v150) |

aws-prowler

AWS-specific Prowler scan with S3 storage and Slack notifications — runs Prowler against AWS accounts, optionally uploads results to S3, and can forward findings to AWS Security Hub.

View workflow →

```yaml
jobs:
  aws-prowler:
    uses: clouddrove/github-shared-workflows/.github/workflows/aws-prowler.yml@master
    with:
      cloud_provider: aws
      aws_region: us-east-1
      enable_s3_upload: true
      enable_slack_notification: true
      send_to_securityhub: true
    secrets:
      BUILD_ROLE: ${{ secrets.BUILD_ROLE }}
      TARGET_ACCOUNT_ID: ${{ secrets.TARGET_ACCOUNT_ID }}
      S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
```

gcp-prowler

GCP-specific Prowler scan with GCS storage and Slack notifications — runs Prowler against GCP projects and optionally uploads findings to a GCS bucket.

View workflow →

```yaml
jobs:
  gcp-prowler:
    uses: clouddrove/github-shared-workflows/.github/workflows/gcp-prowler.yml@master
    with:
      cloud_provider: gcp
      gcp_project_ids: my-project-id
      enable_gcs_upload: true
      enable_slack_notification: true
    secrets:
      WIP: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
      SERVICE_ACCOUNT: ${{ secrets.SERVICE_ACCOUNT }}
      GCS_BUCKET_NAME: ${{ secrets.GCS_BUCKET_NAME }}
      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
```

pr-gitleaks-scan

Detect exposed secrets in pull request changes — runs Gitleaks on the PR diff to catch API keys, tokens, and passwords before they reach the main branch.

View workflow →

When to use: On every pull request. This is a critical security control — add it to all repositories.

```yaml
jobs:
  secrets-scan:
    uses: clouddrove/github-shared-workflows/.github/workflows/pr-gitleaks-scan.yml@master
    secrets:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Warning: Always run this workflow on pull requests. Leaked secrets that reach your git history are extremely difficult to fully remediate.
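A complete caller workflow that wires the pr-gitleaks-scan and security-checkov workflows to the triggers recommended above (Gitleaks on every pull request, Checkov only when infrastructure code changes), with least-privilege permissions at the caller. This is an added example, not part of the original page or the clouddrove repository; the file name, the `infra/` path prefix, and the `permissions` grants are assumptions about how the shared workflows are used.

```yaml
# Caller workflow, e.g. .github/workflows/pr-security.yml (file name is an assumption)
name: PR security scans

on:
  pull_request:

# Least-privilege grants for the caller; a reusable workflow cannot exceed them.
# security-events: write is needed to upload SARIF to the Security tab, and
# pull-requests: write is assumed in case the called workflow comments on the PR.
permissions:
  contents: read
  pull-requests: write
  security-events: write

jobs:
  # Runs on every pull request, as the pr-gitleaks-scan section recommends.
  secrets-scan:
    uses: clouddrove/github-shared-workflows/.github/workflows/pr-gitleaks-scan.yml@master
    secrets:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Decide whether the PR touches infrastructure code (the infra/ prefix is an assumption).
  changes:
    runs-on: ubuntu-latest
    outputs:
      infra: ${{ steps.diff.outputs.infra }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so both PR base and head commits are present
      - id: diff
        run: |
          if git diff --name-only "${{ github.event.pull_request.base.sha }}" \
               "${{ github.event.pull_request.head.sha }}" | grep -qE '^infra/'; then
            echo "infra=true" >> "$GITHUB_OUTPUT"
          else
            echo "infra=false" >> "$GITHUB_OUTPUT"
          fi

  # Checkov runs only when infrastructure code changed; any finding fails the PR.
  checkov:
    needs: changes
    if: needs.changes.outputs.infra == 'true'
    uses: clouddrove/github-shared-workflows/.github/workflows/security-checkov.yml@master
    with:
      directory: ./infra
      continue_on_error: false
    secrets:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The `@master` references are kept to match the page; pinning the shared workflows to a release tag or commit SHA gives a reproducible, reviewable supply chain.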