Add checkov GitHub actions (#962)

### Feature or Bugfix
- Feature

### Detail
#### Checkov
Add checkov github action on PRs and push to `main`
Checkov scans ignore the paths: tests/, .github, compose/, docker/dev/
that contain support or local development files.

The PR ignores the findings, which should (or not) be handled in a
separate PR
- CKV_DOCKER_2, CKV_DOCKER_4 are skipped in the checkov github action
definition. They are LOW severity recommendations
-
[CKV_DOCKER_2](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images)
- Healthcheck instructions have not been added to container images
-
[CKV_DOCKER_4](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles)
- Copy is not used instead of Add in Dockerfiles
- Some CloudFormation findings on the pivot role and in the cdk
execution role YAML templated are skipped with `# checkov:skip=`
comments. We should review each finding one by one.

In addition, other next steps include the assessment of how we can
synthesize cdk templates so that checkov scans them.

#### Other changes
- upgraded all Python version to 3.9 in all actions
- removed duplicated `static-checking.yaml` test in favor of `flake8`
(Renamed from `Lint`
- standardize names

### Relates
- #881 

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use a standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

.github/workflows/validate-db-schema.yml → .github/workflows/alembic-tests.yml

@@ -1,5 +1,4 @@
-name: Validate DB migration with alembic
-
+name: alembic migration tests
 on:
   workflow_dispatch:
   pull_request:
@@ -17,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [ 3.8 ]
+        python-version: [ 3.9 ]
     services:
       postgres:
         image: postgres

.github/workflows/ash.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.9]
     steps:
       - uses: actions/checkout@v3
       - name: Set up Python ${{ matrix.python-version }}

.github/workflows/bandit.yml

@@ -17,7 +17,7 @@ jobs:
   bandit:
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.9]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3

.github/workflows/cdk-nag.yml

@@ -21,7 +21,7 @@ jobs:
   cdk-nag:
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.9]
     env:
       CDK_DEFAULT_REGION: eu-west-1
       CDK_DEFAULT_ACCOUNT: 111111111111

.github/workflows/checkov.yml

@@ -0,0 +1,35 @@
+name: checkov
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+    - v2m*
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.9
+      - name: Test with Checkov
+        id: checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: .
+          quiet: true
+          skip_path: tests/, .github, compose/, docker/dev/
+          hard_fail_on: MEDIUM
+          soft_fail_on: LOW
+          skip_check: CKV_DOCKER_2,CKV_DOCKER_4

.github/workflows/eslint.yml

@@ -1,4 +1,4 @@
-name: Run eslint
+name: eslint
 
 on:
   workflow_dispatch:

.github/workflows/lint.yml → .github/workflows/flake8.yml

@@ -1,4 +1,4 @@
-name: Run Lint
+name: flake8
 
 on:
   workflow_dispatch:
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.9]
 
     steps:
       - uses: actions/checkout@v2
@@ -28,5 +28,5 @@ jobs:
           python -m pip install --upgrade pip
           python -m pip install isort
           python -m pip install flake8
-      - name: Lint
+      - name: flake8
         run: python -m flake8 --exclude cdk.out,blueprints --ignore E402,E501,F841,W503,F405,F403,F401,E712,E203 backend/

.github/workflows/coverage.yml → .github/workflows/integration-tests.yml

@@ -1,4 +1,4 @@
-name: Coverage
+name: Integration tests
 
 on:
   workflow_dispatch:
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [ 3.8 ]
+        python-version: [ 3.9 ]
     services:
       postgres:
         image: postgres

.github/workflows/npm-audit.yml

@@ -1,4 +1,4 @@
-name: Run npm-audit
+name: npm-audit
 
 on:
   workflow_dispatch:

.github/workflows/semgrep.yml

@@ -1,4 +1,4 @@
-name: Run Semgrep
+name: semgrep
 
 on:
   workflow_dispatch:

deploy/cdk_exec_policy/cdkExecPolicy.yaml

@@ -11,6 +11,10 @@ Parameters:
 Resources:
   CDKCustomExecutionPolicy0:
     Type: 'AWS::IAM::ManagedPolicy'
+    # checkov:skip=CKV_AWS_107:Ensure IAM policies does not allow credentials exposure
+    # checkov:skip=CKV_AWS_109:Ensure IAM policies does not allow permissions management without constraints
+    # checkov:skip=CKV_AWS_110:Ensure IAM policies does not allow privilege escalation
+    # checkov:skip=CKV_AWS_111:Ensure IAM policies does not allow write access without constraints
     Properties:
       ManagedPolicyName: !Ref PolicyName
       PolicyDocument:

deploy/pivot_role/pivotRole.yaml

@@ -48,6 +48,8 @@ Resources:
                 ]
   PivotRolePolicy0:
     Type: 'AWS::IAM::ManagedPolicy'
+    # checkov:skip=CKV_AWS_109:Ensure IAM policies does not allow permissions management without constraints
+    # checkov:skip=CKV_AWS_111:Ensure IAM policies does not allow write access without constraints
     Properties:
       PolicyDocument:
         Version: 2012-10-17
@@ -221,6 +223,8 @@ Resources:
 
   PivotRolePolicy1:
     Type: 'AWS::IAM::ManagedPolicy'
+    # checkov:skip=CKV_AWS_109:Ensure IAM policies does not allow permissions management without constraints
+    # checkov:skip=CKV_AWS_111:Ensure IAM policies does not allow write access without constraints
     Properties:
       PolicyDocument:
         Version: 2012-10-17
@@ -421,6 +425,7 @@ Resources:
 
   PivotRolepolicy3:
     Type: 'AWS::IAM::ManagedPolicy'
+    # checkov:skip=CKV_AWS_109:Ensure IAM policies does not allow permissions management without constraints
     Properties:
       PolicyDocument:
         Version: 2012-10-17