From d822f510d34121e8424aa217975c4d535d578eed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D2=89=CE=B1k=CE=B1=20x=E2=A0=A0=E2=A0=B5?= <32862241+4k4xs4pH1r3@users.noreply.github.com>
Date: Tue, 17 Dec 2024 19:02:33 -0500
Subject: [PATCH] Create azure-pipelines-checkov.yaml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: ҉αkα x⠠⠵ <32862241+4k4xs4pH1r3@users.noreply.github.com>
---
 DevSecOps/azure-pipelines-checkov.yaml | 79 ++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 DevSecOps/azure-pipelines-checkov.yaml

diff --git a/DevSecOps/azure-pipelines-checkov.yaml b/DevSecOps/azure-pipelines-checkov.yaml
new file mode 100644
index 0000000..274a5cc
--- /dev/null
+++ b/DevSecOps/azure-pipelines-checkov.yaml
@@ -0,0 +1,79 @@
+trigger:
+ branches:
+ include:
+ - master
+
+pool:
+ vmImage: 'ubuntu-latest'
+
+stages:
+- stage: Checkov_Scan
+ jobs:
+ - job: Checkov_Scan
+ steps:
+ - task: UsePythonVersion@0
+ inputs:
+ versionSpec: '3.x'
+ architecture: 'x64'
+ - script: |
+ pip install --quiet checkov && pip install --quiet --upgrade checkov
+ export CKV_OPENAI_MAX_FINDINGS="0"
+ mkdir -p "$(Build.ArtifactStagingDirectory)/vulns"
+ checkov -d . --quiet \
+ --output cli \
+ --output csv \
+ --output-file-path "$(Build.ArtifactStagingDirectory)/vulns/" \
+ --enable-secret-scan-all-files \
+ --deep-analysis \
+ --create-baseline \
+ --run-all-external-checks \
+ --external-checks-dir devsecops/checkov/cloudformation/checks/resource/aws/ \
+ --include-all-checkov-policies \
+ --framework cloudformation \
+ --openai-api-key "$oai" \
+ --summary-position bottom \
+ --no-fail-on-crash \
+ || true
+ displayName: 'Run Checkov Scan'
+ env:
+ oai: $(oai)
+ - task: PublishPipelineArtifact@1
+ inputs:
+ targetPath: '$(Build.ArtifactStagingDirectory)/vulns'
+ artifact: 'checkov-results'
+
+- stage: Checkov_Scan_Soft_Fail
+ jobs:
+ - job: Checkov_Scan_Soft_Fail
+ steps:
+ - task: UsePythonVersion@0
+ inputs:
+ versionSpec: '3.x'
+ architecture: 'x64'
+ - script: |
+ pip install --quiet checkov && pip install --quiet --upgrade checkov
+ export CKV_OPENAI_MAX_FINDINGS="0"
+ mkdir -p "$(Build.ArtifactStagingDirectory)/vulns"
+ checkov -d . --quiet \
+ --output cli \
+ --output csv \
+ --output-file-path "$(Build.ArtifactStagingDirectory)/vulns/" \
+ --enable-secret-scan-all-files \
+ --deep-analysis \
+ --create-baseline \
+ --run-all-external-checks \
+ --external-checks-dir devsecops/checkov/cloudformation/checks/resource/aws/ \
+ --include-all-checkov-policies \
+ --framework cloudformation \
+ --openai-api-key "$oai" \
+ --summary-position bottom \
+ --no-fail-on-crash \
+ --soft-fail \
+ || true
+ displayName: 'Run Checkov Scan (Soft Fail)'
+ env:
+ oai: $(oai)
+ - task: PublishPipelineArtifact@1
+ inputs:
+ targetPath: '$(Build.ArtifactStagingDirectory)/vulns'
+ artifact: 'checkov-results-soft-fail'
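Review bot: The trailing `|| true` on both `script:` steps means neither stage can ever fail, so the first `Checkov_Scan` stage behaves exactly like `Checkov_Scan_Soft_Fail` and the `--soft-fail` flag in the second is redundant; if the first stage is meant to gate `master`, drop `|| true` there (and reconsider `--no-fail-on-crash`, which also masks a scanner crash), otherwise a single stage is enough. Passing the secret as `--openai-api-key "$oai"` places it in the process arguments where process listings and verbose agent logs can capture it; Checkov reads the same value from the `CKV_OPENAI_API_KEY` environment variable, so mapping `CKV_OPENAI_API_KEY: $(oai)` under `env:` and removing the flag keeps it out of argv. `pip install --quiet checkov && pip install --quiet --upgrade checkov` installs twice and takes whatever version PyPI serves that day; a pinned `pip install --quiet checkov==<pinned version>` makes the scanner itself reproducible and reviewable. The external checks path `devsecops/checkov/...` is lowercase while the file header shows a `DevSecOps/` directory; on a Linux agent these are different paths, so confirm the directory resolves, since any error from a bad path is hidden by `|| true` as written. Since the OpenAI enrichment sends violating resource code off the build agent, and `--enable-secret-scan-all-files` widens what is scanned, a short comment above the `script:` step stating that this egress is intended would help the next maintainer.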