Enhance IaC CI: Checkov SARIF upload, Trivy IaC scan, workflow permissions, and pod securityContext #6

Merged
tukue merged 2 commits into main from codex/add-security-scanning-to-ci-pipeline-wt98u5 on Apr 8, 2026

Conversation

@tukue tukue commented Apr 8, 2026

Motivation

  • Improve IaC security scanning and reporting by producing SARIF output and uploading it to GitHub code scanning.
  • Add an additional misconfiguration scanner (Trivy) to catch high/critical IaC issues in the GitOps base.
  • Ensure CI has the permissions required to emit security findings and make security checks strict.
  • Harden the sample Kubernetes workload with pod-level security settings to meet guardrails and detector expectations.

Description

  • Updated .github/workflows/platform-iac-ci.yml to grant security-events: write permission and to configure Checkov with soft_fail: false, output_format: cli,sarif, and output_file_path: console,results.sarif.
  • Added a step to upload the generated Checkov SARIF report using github/codeql-action/upload-sarif@v4 and a Trivy IaC misconfiguration scan step using aquasecurity/trivy-action@v0.35.0 with scan-type: config, scan-ref: applications/gitops/base, severity: CRITICAL,HIGH, and exit-code: '1'.
  • Updated README.md pipeline description to mention the new Checkov + Trivy security scans and clarified the CI content to include build/test/synth + security checks.
  • Hardened applications/gitops/base/sample-service.yaml by adding a pod securityContext with runAsNonRoot: true and seccompProfile: type: RuntimeDefault to align with secure-by-default guardrails.

Testing

  • No automated CI run was executed for this PR; the updated CI defines the following automated checks to run on pull requests: npm ci, npm run build, npm test -- --ci, npm run synth, Checkov scan (with SARIF output), SARIF upload, and Trivy IaC config scan.
  • These checks will run when the workflow is triggered on the main branch PR paths and will fail the run on detection of Checkov or Trivy issues due to soft_fail: false and exit-code: '1' respectively.

Codex Task
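The workflow the description refers to, reconstructed here as an added example rather than the PR's own .github/workflows/platform-iac-ci.yml: it wires up the permission, Checkov, SARIF-upload and Trivy inputs named above and gates the upload on the report actually existing. The build/test/synth steps are omitted; the job name, the checkout and checkov-action version tags, and the `directory` and `category` inputs are assumptions, while the other action references and inputs are the ones stated in the PR.

```yaml
name: platform-iac-ci
on:
  pull_request:
    branches: [main]

# Least privilege: the job only reads the repo and writes code-scanning alerts.
permissions:
  contents: read
  security-events: write

jobs:
  iac-security:            # job name is assumed, not taken from the PR
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Checkov fails the step on any finding (soft_fail: false) and writes a
      # console report plus results.sarif; output_format and output_file_path
      # are positionally paired (cli -> console, sarif -> results.sarif).
      - name: Checkov IaC scan
        uses: bridgecrewio/checkov-action@v12   # version tag assumed
        with:
          directory: .
          soft_fail: false
          output_format: cli,sarif
          output_file_path: console,results.sarif

      # always() keeps the upload running after a failing Checkov step; the
      # hashFiles() guard skips the step instead of erroring when no SARIF
      # file was produced, so a missing report is visible as "skipped".
      - name: Upload Checkov SARIF report
        if: always() && hashFiles('results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: results.sarif
          category: checkov

      # Trivy config scan of the GitOps base; exit-code '1' fails the job on
      # any CRITICAL or HIGH misconfiguration.
      - name: Trivy IaC misconfiguration scan
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          scan-type: config
          scan-ref: applications/gitops/base
          severity: CRITICAL,HIGH
          exit-code: '1'
```

Because the Trivy step runs after Checkov and Checkov has soft_fail: false, a Checkov finding stops the job before Trivy runs; move the Trivy step ahead of Checkov or give it `if: always()` if both reports are wanted on every run.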


@amazon-q-developer amazon-q-developer bot left a comment

Review Summary

This PR enhances IaC CI security scanning capabilities and hardens the Kubernetes workload configuration. The approach is solid, but there are 2 critical issues that must be addressed before merge:

Critical Issues

  1. Pod crash risk: The nginx image runs as root by default, conflicting with runAsNonRoot: true securityContext
  2. CI reliability: Missing error handling for SARIF upload could mask Checkov findings

Positive Changes

  • Added comprehensive security scanning with Checkov SARIF output and Trivy IaC scanning
  • Proper GitHub security-events permissions for code scanning integration
  • Added pod-level security hardening with seccomp profile

Please address the blocking issues identified in the inline comments.


Comment on lines +25 to +28
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

🛑 Crash Risk: Pod will fail to start because nginx:1.27.0 runs as root by default, but pod securityContext enforces runAsNonRoot: true. Change to nginx:1.27.0-alpine-slim or add runAsUser/runAsGroup with a non-root UID (e.g., 101) to the pod securityContext, or use an nginx image variant that runs as non-root by default.

Suggested change
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
securityContext:
runAsNonRoot: true
runAsUser: 101
runAsGroup: 101
seccompProfile:
type: RuntimeDefault
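Review bot: adding runAsUser: 101 / runAsGroup: 101 to the pod securityContext does not by itself let the stock nginx:1.27.0 image start. That image's entrypoint runs as root because it binds port 80 and writes to /var/cache/nginx and /var/run/nginx.pid; under a non-root UID those operations fail with permission denied and the pod still crash-loops, and the alpine-slim tag mentioned in the comment runs as root too. For runAsNonRoot: true to hold, pair it with an image built to run unprivileged on a port above 1024, or reconfigure nginx to listen on such a port and mount emptyDir volumes at the writable paths, and confirm the pod reaches Running before relying on the guardrail.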

Comment on lines +54 to +58
- name: Upload Checkov SARIF report
if: always()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: results.sarif

Add continue-on-error: true to prevent upload failures from masking actual Checkov security findings when the SARIF file doesn't exist or upload service is unavailable.

Suggested change
- name: Upload Checkov SARIF report
if: always()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: results.sarif
- name: Upload Checkov SARIF report
if: always()
continue-on-error: true
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: results.sarif
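Review bot: continue-on-error: true on the upload step does not change what happens to Checkov findings; those already fail the job because soft_fail: false fails the Checkov step itself, and `if: always()` is what keeps the upload running after that failure. What continue-on-error adds is that an upload failure (no results.sarif, or the code-scanning service unavailable) no longer fails the job, which also means findings can silently never reach the Security tab. Prefer gating on the file with `if: always() && hashFiles('results.sarif') != ''` so a missing report shows as a skipped step rather than being hidden, and leave upload-service failures visible in the check summary.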

@tukue tukue self-assigned this Apr 8, 2026
@tukue tukue merged commit e56f5c3 into main Apr 8, 2026
4 checks passed
