Update the Checkov action with internal Checkov Repo

.github/workflows/aqua-security.yaml

@@ -133,7 +133,7 @@ jobs:
       if: ${{ (inputs.docker_tag_name =='') && (inputs.ecr_image_name !='') && (inputs.aws_account_id != '') }}
 
     - name: Docker Build and Push
-      uses: docker/build-push-action@v2
+      uses: docker/build-push-action@v6
       with:
         context: ${{ inputs.docker_file_context }}
         file: ${{ inputs.docker_file }}

.github/workflows/fortify-android.yaml

@@ -111,7 +111,7 @@ jobs:
 
       ### Clean up of build folder
       - name: Save sourceanalyzer Logs
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
            name: scancentral-logs

.github/workflows/fortify-sarif-export.yaml

@@ -46,8 +46,9 @@ jobs:
           # Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
           fetch-depth: 2
       - name: Setup Java
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@v4
         with:
+          distribution: 'temurin'
           java-version: 11
       # Pull SAST issues from Fortify on Demand and generate GitHub-optimized SARIF output
       - name: Export Results

.github/workflows/fortify.yaml

@@ -66,8 +66,9 @@ jobs:
       # Java version to use depends on the Java version required to run your build (if any),
       # and the Java version supported by the ScanCentral Client version that you are running
       - name: Setup Java
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@v4
         with:
+          distribution: 'temurin'
           java-version: 11
 
       ### Set up Fortify ScanCentral Client ###
@@ -93,7 +94,7 @@ jobs:
 
       ### Archive ScanCentral Client logs on failure ###
       - name: Save ScanCentral Logs
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         if: failure()
         with:
            name: scancentral-logs

.github/workflows/meta.yaml

@@ -9,7 +9,7 @@ jobs:
   actionlint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - uses: reviewdog/action-actionlint@v1
         if: github.event_name == 'pull_request'
       - name: Check workflow files

.github/workflows/package-creation-ecr.yaml

@@ -49,7 +49,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-skip-session-tagging: true
           role-to-assume: ${{ inputs.iam_role_arn }}

.github/workflows/sonarqube.yaml

@@ -26,7 +26,7 @@ jobs:
       - ${{ inputs.default_runner_override_label }}
       - ${{ inputs.runner_label }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
       - uses: sonarsource/sonarqube-scan-action@master

.github/workflows/terraform.yaml

@@ -15,7 +15,7 @@ on:
       checkov_skip_check:
         description: Skip a specific check_id. Can be comma separated list.
         type: string
-        default: "CKV_TF_1,CKV_TF_2"
+        default: "CKV_TF_1,CKV_TF_2,CKV_AWS_342"
         required: false
       checkov_output_quiet:
         description: Checkov output to display only failures
@@ -68,6 +68,10 @@ on:
         description: Run pre-commit against all files
         type: boolean
         default: false
+      checkov_image_version:
+        description: CHECKOV Version to scan with
+        type: string
+        default: "3.2.185"
     secrets:
       TFE_TOKEN:
         description: Terraform Cloud Token
@@ -348,9 +352,31 @@ jobs:
         id: changed-files
         uses: tj-actions/changed-files@v44
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+            role-skip-session-tagging: true
+            role-to-assume: arn:aws:iam::206977323828:role/github-ecr-access
+            role-session-name: gh-actions
+            aws-region: ap-southeast-1
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+        with:
+          registries: "206977323828"
+
+      - name: docker pull image first
+        shell: bash
+        run: |
+          docker pull 206977323828.dkr.ecr.ap-southeast-1.amazonaws.com/ghcr/bridgecrewio/checkov:${{ inputs.checkov_image_version}}
+
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@master
+        uses: SPHTech-Platform/checkov-action@customised-checkov
         with:
           output_format: sarif
           quiet: ${{ inputs.checkov_output_quiet }}
@@ -359,6 +385,7 @@ jobs:
           download_external_modules: ${{ inputs.checkov_download_external_modules }}
           skip_path: ${{inputs.checkov_skip_path}}
           skip_framework: ${{inputs.checkov_skip_framework}}
+          checkov_image_version: ${{ inputs.checkov_image_version}}
 
       - name: Upload Checkov scan results to GitHub Security tab
         if: inputs.upload_sarif == true