Skip to content

Add InfraScan CI workflow for IaC security and cost auditing#236

Closed
igor-soldev wants to merge 2 commits into
thiagoesteves:mainfrom
igor-soldev:main
Closed

Add InfraScan CI workflow for IaC security and cost auditing#236
igor-soldev wants to merge 2 commits into
thiagoesteves:mainfrom
igor-soldev:main

Conversation

@igor-soldev

Copy link
Copy Markdown
Contributor

Summary

This PR integrates the InfraScan automated quality barrier into our CI/CD platform. The new pipeline stage runs seamlessly on every push and pull_request to assess our cloud definitions (Terraform, Kubernetes, manifests) for financial drift, misconfigurations, and software supply chain vulnerabilities.

An initial verification run has been validated over our infrastructure codebase, scanning 166 resources.

🔗 View Full Interactive Audit Report

📊 Baseline Infrastructure Metrics

  • Overall Health Grade: B (93.7%) - 199 total issues discovered
  • Cost Optimization: B (94.9%) - 14 violations
  • IaC Security: B (86.1%) - 185 violations (all Medium severity)
  • Container Security: A (100%) - 0 vulnerabilities detected

🔍 Breakdown of Top Savings Opportunities

obraz

🛠️ Changes Implemented

  • Added .github/workflows/infrascan.yml leveraging soldevelo/infrascan@v1.0.9.
  • Set to comprehensive scan profiles to fully capture underlying cloud components.
  • Configured native execution wrappers with HTML dashboard persistence uploaded straight to workflow artifacts (14-day tracking window).

@thiagoesteves

Copy link
Copy Markdown
Owner

Hi @igor-soldev , thanks for submitting a PR, this feature seems very interesting, the results are quite impressive. I would suggest to add it in a manual workflow keeps the CI clean, under .github/workflows/analysis-tools.yml using a workflow_dispatch trigger with an input parameter to select which tool to run. Something like:

on:
  workflow_dispatch:
    inputs:
      tool:
        description: 'Analysis too to run'
        required: true
        type: choice
        options:
          - <this-tool>
          - <future-tool>

@igor-soldev

Copy link
Copy Markdown
Contributor Author

Hi @thiagoesteves,
thanks for the suggestion! That makes sense. I'll move InfraScan into analysis-tools.yml and expose it through a workflow_dispatch input so it keeps the regular CI clean and leaves space for adding more analysis tools in the future.

@thiagoesteves

Copy link
Copy Markdown
Owner

@igor-soldev closing this PR to keep the Pull requests clean, feel free to propose this improvement or any other at any moment, thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants