From 1041486155801940aa608851b2753d863b4b48c0 Mon Sep 17 00:00:00 2001
From: Colin Daglish
Date: Tue, 24 Mar 2026 15:21:15 +0000
Subject: [PATCH 1/2] chore(ci): disable trivy and update workflow to use commit sha pinned versions of actions.
---
 .github/workflows/ci.yaml | 69 +++++++++++++++++++++++++++------------
 1 file changed, 49 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 2e4e96a..ea0bcbc 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,32 +1,61 @@
-name: CI Security Scan
-permissions:
- contents: read
+name: CI
 on:
 push:
- branches:
- - main
 pull_request:
- branches:
- - main
+ branches: ["main"]
+
+env:
+ TERRAFORM_VERSION: "1.13.5" # terraform version
+
+permissions:
+ contents: read
 jobs:
- security-scan:
+ tf-fmt:
+ name: Terraform fmt
 runs-on: ubuntu-latest
 steps:
- - name: Checkout code
- uses: actions/checkout@v6.0.2
-
-
- - name: Run Checkov
- uses: bridgecrewio/checkov-action@v12
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
+ with:
+ terraform_version: ${{ env.TERRAFORM_VERSION }}
+ - name: Run terraform fmt
+ run: terraform fmt -recursive -check -diff
+ # TEMPORARILY DISABLED DUE TO SECURITY INCIDENT
+ # trivy:
+ # name: trivy
+ # runs-on: ubuntu-latest
+ # steps:
+ # - name: Checkout repository
+ # uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ # - name: Trivy scan
+ # uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
+ # with:
+ # scan-type: fs
+ # scan-ref: .
+ # trivy-config: configs/trivy.yaml
+ checkov:
+ name: Checkov
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: Checkov scan
+ uses: bridgecrewio/checkov-action@2fd3901c8feb52417f27f0d9800259a106c1ec1e # v12
 with:
 directory: .
 config_file: configs/checkov.yml
- - name: Run Trivy on repo
- uses: aquasecurity/trivy-action@0.35.0
- with:
- scan-type: fs
- path: .
- trivy-config: configs/trivy.yaml
+ tflint:
+ name: TFLint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: TFLint scan
+ uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2
+ - name: Run TFLint
+ run: tflint --config=configs/.tflint.hcl
From 931957585311b705d0c2cb20953fe20cfb317216 Mon Sep 17 00:00:00 2001
From: Colin Daglish
Date: Tue, 24 Mar 2026 15:24:04 +0000
Subject: [PATCH 2/2] chore: add initial .tflint.hcl configuration file
---
 configs/.tflint.hcl | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 configs/.tflint.hcl
diff --git a/configs/.tflint.hcl b/configs/.tflint.hcl
new file mode 100644
index 0000000..9a24356
--- /dev/null
+++ b/configs/.tflint.hcl
@@ -0,0 +1,6 @@
+config {
+ format = "default"
+ call_module_type = "none"
+ force = false
+ disabled_by_default = false
+}
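Review bot: The TFLint job pins the setup-tflint action to a commit SHA but leaves its `tflint_version` input unset, so the action installs whatever TFLint release is current at run time; that floats the actual tool version and undercuts the reproducibility the SHA pinning in this commit is meant to give, and makes `tflint --config=configs/.tflint.hcl` results drift between runs. Pin it the same way the fmt job pins Terraform, e.g. add `with:` / `tflint_version: "<pinned tflint version>"` (placeholder) under the setup-tflint step, ideally sourced from an `env:` entry next to `TERRAFORM_VERSION`. The commented-out trivy job carries only `# TEMPORARILY DISABLED DUE TO SECURITY INCIDENT`; record the tracking reference and the re-enable condition, e.g. `# TEMPORARILY DISABLED DUE TO SECURITY INCIDENT - see <tracking issue>; re-enable only after re-verifying the pinned trivy-action SHA against an upstream release`, since with it off the workflow no longer performs any CVE or secret scanning and the gap otherwise becomes permanent by default. Note also that `push:` lost its `branches` filter while `pull_request:` kept one; if every-branch pushes were not intended, restore `branches: ["main"]` under `push:`.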
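Review bot: `call_module_type = "none"` disables inspection of module calls entirely, so the call sites of any locally sourced modules in this repository would not be linted; `call_module_type = "local"` keeps local modules in scope while still skipping remote ones, and is the safer default unless the repo has no module calls at all. The file declares no `plugin` block, so only TFLint's built-in terraform ruleset runs; provider-specific rules need a `plugin "<ruleset>" { enabled = true version = "<version>" source = "<source>" }` block (placeholders) plus a `tflint --init` step in the workflow ahead of `tflint --config=configs/.tflint.hcl`, which the companion ci.yaml change does not add. A one-line header such as `# TFLint config consumed by the TFLint job in .github/workflows/ci.yaml` would make the coupling between the two files visible to the next maintainer.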