name: "Terraform security scan"

on:
  push:
    branches: [main]
    paths:
      - "aws/**"
      - ".github/workflows/terraform-security-scan.yml"
  pull_request:
    paths:
      - "aws/**"
      - ".github/workflows/terraform-security-scan.yml"

jobs:
  terraform-security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Checkov security scan
        uses: bridgecrewio/checkov-action@097919de4f8058fb4478275f36e6708d12a9f53a # latest as of December 2023
        with:
          directory: aws
          framework: terraform
          quiet: true
          output_format: cli
          soft_fail: false