Add checkov and gitleaks inputs

schuster-riege · Copilot · schuster-riege · commit 0f45e943f38a · 2026-04-01T14:27:50.000+02:00
- expose VALIDATE_CHECKOV and VALIDATE_GITLEAKS

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/super-linter-non-slim.yml b/.github/workflows/super-linter-non-slim.yml
@@ -42,6 +42,18 @@ on:
         default: false
         description: >
           "Enable GitHub Actions validation."
+      VALIDATE_CHECKOV:
+        required: false
+        type: boolean
+        default: false
+        description: >
+          "Enable Checkov validation."
+      VALIDATE_GITLEAKS:
+        required: false
+        type: boolean
+        default: false
+        description: >
+          "Enable Gitleaks validation."
 
 jobs:
   build:
@@ -61,7 +73,7 @@ jobs:
           ref: ${{ inputs.CODEQUALITY_REF }}
 
       - name: Lint Code Base (YAML/Markdown)
-        if: ${{ inputs.VALIDATE_KUBERNETES_KUBEVAL || inputs.VALIDATE_GITHUB_ACTIONS }}
+        if: ${{ inputs.VALIDATE_KUBERNETES_KUBEVAL || inputs.VALIDATE_GITHUB_ACTIONS || inputs.VALIDATE_CHECKOV || inputs.VALIDATE_GITLEAKS }}
         uses: github/super-linter@v7
         env:
           ANSIBLE_CONFIG_FILE: ansible/.ansible-lint.yml
@@ -114,8 +126,40 @@ jobs:
           TERRAFORM_TFLINT_CONFIG_FILE: terraform/.tflint.hcl
           SQLFLUFF_CONFIG_FILE: sqlfluff/.sqlfluff-lint
 
+      - name: Lint Code Base (Checkov)
+        if: ${{ inputs.VALIDATE_CHECKOV }}
+        uses: github/super-linter@v7
+        env:
+          ANSIBLE_CONFIG_FILE: ansible/.ansible-lint.yml
+          ANSIBLE_DIRECTORY: ${{ inputs.ANSIBLE_DIRECTORY }}
+          CHECKOV_FILE_NAME: checkov/.checkov.yaml
+          DEFAULT_BRANCH: main
+          GITHUB_TOKEN: ${{ github.token }}
+          JAVA_FILE_NAME: java/checkstyle/checkstyle.xml
+          LINTER_RULES_PATH: "${{ inputs.CODEQUALITY_PATH }}/"
+          VALIDATE_ALL_CODEBASE: "${{ inputs.VALIDATE_ALL_CODEBASE }}"
+          VALIDATE_CHECKOV: "true"
+          TERRAFORM_TFLINT_CONFIG_FILE: terraform/.tflint.hcl
+          SQLFLUFF_CONFIG_FILE: sqlfluff/.sqlfluff-lint
+
+      - name: Lint Code Base (Gitleaks)
+        if: ${{ inputs.VALIDATE_GITLEAKS }}
+        uses: github/super-linter@v7
+        env:
+          ANSIBLE_CONFIG_FILE: ansible/.ansible-lint.yml
+          ANSIBLE_DIRECTORY: ${{ inputs.ANSIBLE_DIRECTORY }}
+          CHECKOV_FILE_NAME: checkov/.checkov.yaml
+          DEFAULT_BRANCH: main
+          GITHUB_TOKEN: ${{ github.token }}
+          JAVA_FILE_NAME: java/checkstyle/checkstyle.xml
+          LINTER_RULES_PATH: "${{ inputs.CODEQUALITY_PATH }}/"
+          VALIDATE_ALL_CODEBASE: "${{ inputs.VALIDATE_ALL_CODEBASE }}"
+          VALIDATE_GITLEAKS: "true"
+          TERRAFORM_TFLINT_CONFIG_FILE: terraform/.tflint.hcl
+          SQLFLUFF_CONFIG_FILE: sqlfluff/.sqlfluff-lint
+
       - name: Lint Code Base (exclude mode)
-        if: ${{ !(inputs.VALIDATE_KUBERNETES_KUBEVAL || inputs.VALIDATE_GITHUB_ACTIONS) }}
+        if: ${{ !(inputs.VALIDATE_KUBERNETES_KUBEVAL || inputs.VALIDATE_GITHUB_ACTIONS || inputs.VALIDATE_CHECKOV || inputs.VALIDATE_GITLEAKS) }}
         uses: github/super-linter@v7
         env:
           ANSIBLE_CONFIG_FILE: ansible/.ansible-lint.yml
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -51,6 +51,18 @@ on:
         default: false
         description: >
           "Enable GitHub Actions validation."
+      VALIDATE_CHECKOV:
+        required: false
+        type: boolean
+        default: false
+        description: >
+          "Enable Checkov validation."
+      VALIDATE_GITLEAKS:
+        required: false
+        type: boolean
+        default: false
+        description: >
+          "Enable Gitleaks validation."
 
 jobs:
   build:
@@ -73,8 +85,8 @@ jobs:
         run: git config --global url."https://${{ github.token }}:x-oauth-basic@github.com/".insteadOf "https://github.com/"
 
       - name: Lint Code Base (YAML/Markdown)
-        if: ${{ inputs.VALIDATE_KUBERNETES_KUBEVAL || inputs.VALIDATE_GITHUB_ACTIONS }}
-        uses: github/super-linter/slim@v7
+        if: ${{ inputs.VALIDATE_KUBERNETES_KUBEVAL || inputs.VALIDATE_GITHUB_ACTIONS || inputs.VALIDATE_CHECKOV || inputs.VALIDATE_GITLEAKS }}
+        uses: github/super-linter@v7
         env:
           ANSIBLE_CONFIG_FILE: ansible/.ansible-lint.yml
           ANSIBLE_DIRECTORY: ${{ inputs.ANSIBLE_DIRECTORY }}
@@ -95,7 +107,7 @@ jobs:
 
       - name: Lint Code Base (kubeval)
         if: ${{ inputs.VALIDATE_KUBERNETES_KUBEVAL }}
-        uses: github/super-linter/slim@v7
+        uses: github/super-linter@v7
         env:
           ANSIBLE_CONFIG_FILE: ansible/.ansible-lint.yml
           ANSIBLE_DIRECTORY: ${{ inputs.ANSIBLE_DIRECTORY }}
@@ -113,7 +125,7 @@ jobs:
 
       - name: Lint Code Base (GitHub Actions)
         if: ${{ inputs.VALIDATE_GITHUB_ACTIONS }}
-        uses: github/super-linter/slim@v7
+        uses: github/super-linter@v7
         env:
           ANSIBLE_CONFIG_FILE: ansible/.ansible-lint.yml
           ANSIBLE_DIRECTORY: ${{ inputs.ANSIBLE_DIRECTORY }}
@@ -129,9 +141,43 @@ jobs:
           TERRAFORM_TFLINT_CONFIG_FILE: terraform/.tflint.hcl
           SQLFLUFF_CONFIG_FILE: sqlfluff/.sqlfluff-lint
 
+      - name: Lint Code Base (Checkov)
+        if: ${{ inputs.VALIDATE_CHECKOV }}
+        uses: github/super-linter@v7
+        env:
+          ANSIBLE_CONFIG_FILE: ansible/.ansible-lint.yml
+          ANSIBLE_DIRECTORY: ${{ inputs.ANSIBLE_DIRECTORY }}
+          CHECKOV_FILE_NAME: checkov/.checkov.yaml
+          DEFAULT_BRANCH: main
+          FILTER_REGEX_EXCLUDE: "${{ inputs.FILTER_REGEX_EXCLUDE }}"
+          GITHUB_TOKEN: ${{ github.token }}
+          JAVA_FILE_NAME: java/checkstyle/checkstyle.xml
+          LINTER_RULES_PATH: "${{ inputs.CODEQUALITY_PATH }}/"
+          VALIDATE_ALL_CODEBASE: "${{ inputs.VALIDATE_ALL_CODEBASE }}"
+          VALIDATE_CHECKOV: "true"
+          TERRAFORM_TFLINT_CONFIG_FILE: terraform/.tflint.hcl
+          SQLFLUFF_CONFIG_FILE: sqlfluff/.sqlfluff-lint
+
+      - name: Lint Code Base (Gitleaks)
+        if: ${{ inputs.VALIDATE_GITLEAKS }}
+        uses: github/super-linter@v7
+        env:
+          ANSIBLE_CONFIG_FILE: ansible/.ansible-lint.yml
+          ANSIBLE_DIRECTORY: ${{ inputs.ANSIBLE_DIRECTORY }}
+          CHECKOV_FILE_NAME: checkov/.checkov.yaml
+          DEFAULT_BRANCH: main
+          FILTER_REGEX_EXCLUDE: "${{ inputs.FILTER_REGEX_EXCLUDE }}"
+          GITHUB_TOKEN: ${{ github.token }}
+          JAVA_FILE_NAME: java/checkstyle/checkstyle.xml
+          LINTER_RULES_PATH: "${{ inputs.CODEQUALITY_PATH }}/"
+          VALIDATE_ALL_CODEBASE: "${{ inputs.VALIDATE_ALL_CODEBASE }}"
+          VALIDATE_GITLEAKS: "true"
+          TERRAFORM_TFLINT_CONFIG_FILE: terraform/.tflint.hcl
+          SQLFLUFF_CONFIG_FILE: sqlfluff/.sqlfluff-lint
+
       - name: Lint Code Base (exclude mode)
-        if: ${{ !(inputs.VALIDATE_KUBERNETES_KUBEVAL || inputs.VALIDATE_GITHUB_ACTIONS) }}
-        uses: github/super-linter/slim@v7
+        if: ${{ !(inputs.VALIDATE_KUBERNETES_KUBEVAL || inputs.VALIDATE_GITHUB_ACTIONS || inputs.VALIDATE_CHECKOV || inputs.VALIDATE_GITLEAKS) }}
+        uses: github/super-linter@v7
         env:
           ANSIBLE_CONFIG_FILE: ansible/.ansible-lint.yml
           ANSIBLE_DIRECTORY: ${{ inputs.ANSIBLE_DIRECTORY }}
