chore: create configurable security scan

.checkov.baseline

@@ -0,0 +1,59 @@
+{
+    "failed_checks": [
+        {
+            "file": "/.github/workflows/checkov-scan.yaml",
+            "findings": [
+                {
+                    "resource": "on(Security Scan)",
+                    "check_ids": [
+                        "CKV2_GHA_1"
+                    ]
+                }
+            ]
+        },
+        {
+            "file": "/.github/workflows/deployment-status.yaml",
+            "findings": [
+                {
+                    "resource": "on(deployment-status)",
+                    "check_ids": [
+                        "CKV2_GHA_1"
+                    ]
+                }
+            ]
+        },
+        {
+            "file": "/.github/workflows/global-variables.yaml",
+            "findings": [
+                {
+                    "resource": "on(global-variables)",
+                    "check_ids": [
+                        "CKV2_GHA_1"
+                    ]
+                }
+            ]
+        },
+        {
+            "file": "/.github/workflows/test-security-scan.yaml",
+            "findings": [
+                {
+                    "resource": "on(Test Security Scan Workflows)",
+                    "check_ids": [
+                        "CKV2_GHA_1"
+                    ]
+                }
+            ]
+        },
+        {
+            "file": "/.github/workflows/trivy-scan.yaml",
+            "findings": [
+                {
+                    "resource": "on(Security Scan)",
+                    "check_ids": [
+                        "CKV2_GHA_1"
+                    ]
+                }
+            ]
+        }
+    ]
+}

.github/workflows/checkov-scan.yaml

@@ -0,0 +1,125 @@
+# .github/workflows/security-scan.yaml
+name: Security Scan
+
+on:
+  workflow_call:
+    inputs:
+      baseline:
+        description: 'Path to the Checkov baseline file (default: none)'
+        default: ''
+        required: false
+        type: string
+      path:
+        description: 'Directory path where the scan should be performed (default: .)'
+        required: false
+        default: '.'
+        type: string
+      soft-fail-on:
+        description: 'Lowest severity level to cause a failed scan (default: LOW)'
+        required: false
+        default: 'LOW'
+        type: string
+      use-test-reporter:
+        description: 'Attach the test results as a report (default: true)'
+        required: false
+        default: true
+        type: boolean
+      issue-on-findings:
+        description: 'One GitHub user to mention when creating an issue for failed scans (e.g., username). If left empty, no issue will be created.'
+        required: false
+        default: ''
+        type: string
+
+jobs:
+
+  checkov_scan:
+    outputs:
+      NOTIFICATION: ${{ steps.scan.outcome == 'failure' && 'true' || 'false' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: checkout repository
+        uses: actions/checkout@v4
+
+      - name: checkout security-scanning scripts
+        uses: actions/checkout@v4
+        with:
+          repository: zweitag/github-actions
+          ref: chore--create-configurable-Security-Scan
+          path: _security-tools
+          sparse-checkout: security-scanning
+
+      - name: create output folder
+        run: mkdir -p ./scan-results
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: setup Checkov
+        run: pip install checkov
+
+      - name: run Checkov
+        id: scan
+        env:
+          BASELINE: ${{ inputs.baseline != '' && format('--baseline {0}', inputs.baseline) || '' }}
+          SOFTFAIL: ${{ inputs.soft-fail-on != '' && format('--soft-fail-on {0}', inputs.soft-fail-on) || '' }}
+        run: |
+          checkov \
+            --directory ${{ inputs.path }} \
+            --output json \
+            $BASELINE \
+            $SOFTFAIL > ./scan-results/checkov.json
+
+      - name: convert Checkov report to CTRF format
+        if: always() && inputs.use-test-reporter
+        run: |
+          python3 _security-tools/security-scanning/checkov2ctrf.py \
+            ./scan-results/checkov.json \
+            ./scan-results/checkov.ctrf.json
+
+      - name: Publish Test Report
+        if: always() && inputs.use-test-reporter
+        uses: ctrf-io/github-test-reporter@v1
+        with:
+          report-path: './scan-results/checkov.ctrf.json'
+          template-path: '_security-tools/security-scanning/config_scan_template.hbs'
+          custom-report: true
+
+  create_issue:
+    needs: [checkov_scan]
+    runs-on: ubuntu-latest
+    if: ${{ inputs.issue-on-findings != 'false' }}
+
+    steps:
+    - name: Create issue/Comment on issue
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const repo = context.repo.repo;
+          const owner = context.repo.owner;
+          const issue_title = 'Security scan failed';
+          const issue_body = '@${{ inputs.issue-on-findings }} One or more security scans failed. Please check the workflow run for more information: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\nPlease check if the vulnerabilities are fixable. If there is a fix: Create a ticket for the fix or resolve it.\n'
+          const existing_issue = await github.rest.issues.listForRepo({
+            owner,
+            repo,
+            state: 'open',
+            labels: 'security-scan-failure'
+          });
+          if (existing_issue.data.length === 0) {
+          await github.rest.issues.create({
+            owner,
+            repo,
+            title: issue_title,
+            body: issue_body,
+            labels: ['security-scan-failure']
+            });
+          } else {
+            const issue_number = existing_issue.data[0].number;
+            await github.rest.issues.createComment({
+              owner,
+              repo,
+              issue_number,
+              body: issue_body
+            });
+          }

.github/workflows/test-security-scan.yaml

@@ -0,0 +1,67 @@
+# .github/workflows/test-security-scan.yaml
+name: Test Security Scan Workflows
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/trivy-scan.yaml'
+      - '.github/workflows/checkov-scan.yaml'
+      - '.github/workflows/test-security-scan.yaml'
+      - 'security-scanning/**'
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/trivy-scan.yaml'
+      - '.github/workflows/checkov-scan.yaml'
+      - '.github/workflows/test-security-scan.yaml'
+      - 'security-scanning/**'
+
+jobs:
+  # Trivy Scan Tests
+
+  test-trivy-filesystem:
+    name: Test Trivy Filesystem Scan
+    uses: ./.github/workflows/trivy-scan.yaml
+    with:
+      scan-type: filesystem
+      severity-level: CRITICAL
+      use-test-reporter: true
+      check-secrets: true
+      issue-on-findings: ''
+    secrets:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  test-trivy-config:
+    name: Test Trivy Config Scan
+    uses: ./.github/workflows/trivy-scan.yaml
+    with:
+      scan-type: config
+      severity-level: CRITICAL
+      use-test-reporter: true
+      issue-on-findings: ''
+
+  test-trivy-image:
+    name: Test Trivy Image Scan
+    uses: ./.github/workflows/trivy-scan.yaml
+    with:
+      scan-type: image
+      path: './security-scanning/tests'
+      severity-level: CRITICAL
+      use-test-reporter: true
+      issue-on-findings: ''
+    secrets:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # ==========================================
+  # Checkov Scan Tests
+  # ==========================================
+
+  test-checkov:
+    name: Test Checkov Scan
+    uses: ./.github/workflows/checkov-scan.yaml
+    with:
+      soft-fail-on: CRITICAL
+      use-test-reporter: true
+      baseline: '.checkov.baseline'
+      issue-on-findings: ''