
Add IaC security scanning gates to platform CI #5

Open

tukue wants to merge 3 commits into main from codex/add-security-scanning-to-ci-pipeline

Conversation

@tukue (Owner) commented Apr 8, 2026

Motivation

  • Enable enforceable IaC security scanning in the platform CI pipeline so pull requests surface actionable findings and publish SARIF results to GitHub.
  • Strengthen static analysis by preventing soft-fail behavior and adding an additional IaC configuration scanner to reduce false negatives.
  • Document the expanded CI coverage in the repository overview to make the security gates visible to contributors.

Description

  • Added security-events: write permission and enhanced .github/workflows/platform-iac-ci.yml to run Checkov with soft_fail: false, emit SARIF output, upload the SARIF using github/codeql-action/upload-sarif@v3, and run a Trivy IaC config scan that fails on HIGH/CRITICAL findings.
  • Updated README.md to note that CI includes build/test/synth + Checkov + Trivy security scans.
  • Modified files: .github/workflows/platform-iac-ci.yml and README.md.
  • No additional skills from AGENTS.md were used for this change.

Testing

  • Ran npm ci and the command completed successfully.
  • Ran npm run build and the TypeScript build completed successfully.
  • Ran npm test -- --ci and all unit and snapshot tests passed.
  • Ran npm run synth and CDK synth completed successfully.
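The description above enforces the gate through each scanner's own settings (`soft_fail: false` for Checkov, `exit-code` 1 with `severity: CRITICAL,HIGH` for Trivy) and publishes SARIF for visibility. As an added example that is not part of this PR and not code from the Checkov or Trivy projects, the Python script below applies the same CRITICAL/HIGH threshold directly to a SARIF file, so the threshold lives in one place regardless of which scanner wrote the report, and a missing or unreadable report gets its own exit code instead of passing silently. `SAMPLE_SARIF` is constructed for the example; the 0-10 score bands follow GitHub's `security-severity` display thresholds, and the fallback from a SARIF `level` to a severity when no score is present is an assumption to tune per tool.

```python
"""Added example (not the PR's code): an explicit SARIF gate for IaC scan output.
A missing or unreadable report is a hard failure, never a silent pass."""
import json
import os
import sys
import tempfile

# Severities that block the merge (mirrors the PR's CRITICAL,HIGH setting).
BLOCKING = frozenset({"CRITICAL", "HIGH"})
# Assumed fallback when a result carries no 'security-severity' score.
LEVEL_FALLBACK = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW"}


def score_to_severity(score):
    """Bucket a 0-10 'security-severity' score into GitHub's display bands."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    return "MEDIUM" if score >= 4.0 else "LOW"


def result_severity(result, rules):
    """Severity of one SARIF result; result properties override the rule's."""
    rule = rules.get(result.get("ruleId"), {})
    props = {**rule.get("properties", {}), **result.get("properties", {})}
    raw = props.get("security-severity")
    if raw is not None:
        try:
            return score_to_severity(float(raw))
        except (TypeError, ValueError):
            pass  # malformed score: fall back to the SARIF level
    return LEVEL_FALLBACK.get(result.get("level", "warning"), "MEDIUM")


def count_by_severity(sarif):
    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r["id"]: r for r in rules if "id" in r}
        for result in run.get("results", []):
            counts[result_severity(result, by_id)] += 1
    return counts


def gate_dict(sarif, blocking=BLOCKING):
    """(exit_code, message) for a parsed SARIF document: 1 = blocked, 0 = pass."""
    blocking = set(blocking)
    counts = count_by_severity(sarif)
    blocked = sum(n for sev, n in counts.items() if sev in blocking)
    summary = ", ".join(f"{sev}={n}" for sev, n in counts.items())
    if blocked:
        return 1, f"BLOCKED: {blocked} finding(s) at {sorted(blocking)} ({summary})"
    return 0, f"PASS ({summary})"


def gate(report_path, blocking=BLOCKING):
    """Like gate_dict, from a file; exit 2 when the report is missing/unreadable."""
    if not os.path.isfile(report_path):
        return 2, f"SARIF report not found: {report_path}"
    try:
        with open(report_path, encoding="utf-8") as fh:
            sarif = json.load(fh)
    except (OSError, ValueError) as exc:
        return 2, f"SARIF report unreadable: {exc}"
    return gate_dict(sarif, blocking)


# Constructed sample (not real scanner output): HIGH via rule score,
# MEDIUM via level fallback, CRITICAL via a result-level score.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-iac-scanner", "rules": [
        {"id": "EXAMPLE-RULE-1", "properties": {"security-severity": "8.5"}},
        {"id": "EXAMPLE-RULE-2"}]}},
    "results": [
        {"ruleId": "EXAMPLE-RULE-1", "level": "error",
         "message": {"text": "bucket without server-side encryption"}},
        {"ruleId": "EXAMPLE-RULE-2", "level": "warning",
         "message": {"text": "resource is missing required tags"}},
        {"ruleId": "EXAMPLE-RULE-3", "level": "note",
         "properties": {"security-severity": "9.8"},
         "message": {"text": "security group open to the world"}}]}]}


def demo():
    """Write the sample to a temp file and run the file-based gate on it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "results.sarif")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_SARIF, fh)
        return gate(path)


if __name__ == "__main__":
    code, msg = gate(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(msg)
    sys.exit(code)
```

In a workflow this would run as a step after the scanner, for example `python sarif_gate.py results.sarif` (file name hypothetical). Its exit code 2 is what separates "no report was written" from "no findings", which is the situation the first review comment below is concerned with: a scanner that exits non-zero before writing its SARIF should fail the gate loudly, not be papered over by the upload step.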

Codex Task


@amazon-q-developer amazon-q-developer bot left a comment


Summary

This PR successfully implements IaC security scanning gates in the CI pipeline. The changes enable enforceable security checks via Checkov and Trivy with SARIF reporting to GitHub Security.

Critical Issues Found: 2

  1. Pipeline Failure Risk: Missing continue-on-error: true on SARIF upload could block the pipeline if upload fails
  2. Type Mismatch: Trivy exit-code uses string '1' instead of numeric 1

Changes Reviewed

  • ✅ Added security-events permission for SARIF uploads
  • ✅ Configured Checkov with soft_fail: false for enforcement
  • ✅ Added SARIF output and upload integration
  • ✅ Added Trivy IaC scanning for additional coverage
  • ✅ Updated README to reflect actual CI steps

The implementation is sound but requires the two fixes above to ensure reliable pipeline operation.



Comment on lines +54 to +58
- name: Upload Checkov SARIF report
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif


🛑 Pipeline Failure Risk: The SARIF upload will fail if Checkov doesn't generate the results.sarif file before exiting with a failure status. Add continue-on-error: true to prevent upload failures from blocking the pipeline, since the primary security gate is Checkov itself. The upload is for visibility, not enforcement.

Suggested change
- name: Upload Checkov SARIF report
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
- name: Upload Checkov SARIF report
if: always()
continue-on-error: true
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
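Review bot: `continue-on-error: true` on the upload step also hides genuine upload failures (a missing `security-events: write` permission, an expired token, a malformed SARIF file), so the Security tab could silently stop receiving Checkov results while the job stays green. If the only concern is that `results.sarif` may not exist when Checkov exits non-zero, make the condition say exactly that: `if: always() && hashFiles('results.sarif') != ''` runs the upload only when the file is present and still surfaces any real upload error. It is also worth giving the step a `category:` input (for example `category: checkov`) so that several SARIF uploads for the same commit can be told apart in the Security tab.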

Comment on lines +60 to +67
- name: Static security scan (Trivy IaC misconfigurations)
uses: aquasecurity/trivy-action@0.24.0
with:
scan-type: config
scan-ref: .
hide-progress: true
severity: CRITICAL,HIGH
exit-code: '1'


🛑 Type Mismatch: The exit-code parameter expects a numeric value but receives a string '1'. While some action versions may coerce this, using the numeric value ensures consistent behavior across all versions and prevents potential issues where the string is interpreted as truthy rather than as the exit code 1.

Suggested change
- name: Static security scan (Trivy IaC misconfigurations)
uses: aquasecurity/trivy-action@0.24.0
with:
scan-type: config
scan-ref: .
hide-progress: true
severity: CRITICAL,HIGH
exit-code: '1'
- name: Static security scan (Trivy IaC misconfigurations)
uses: aquasecurity/trivy-action@0.24.0
with:
scan-type: config
scan-ref: .
hide-progress: true
severity: CRITICAL,HIGH
exit-code: 1
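Review bot: this suggestion changes nothing, because every `with:` input reaches an action as a string, so `exit-code: '1'` and `exit-code: 1` are identical once the workflow is parsed; keep whichever form the rest of the file uses. Two things in this hunk do merit a change. First, `aquasecurity/trivy-action@0.24.0` is a mutable tag; a step that acts as a merge gate should be pinned to a full-length commit SHA (with the tag kept in a trailing comment) so the scanner cannot change underneath the pipeline. Second, unlike the Checkov step, there is no `format: sarif` / `output:` input here, so Trivy findings fail the job but never reach the Security tab that the PR description says results are published to; add those two inputs and a matching `upload-sarif` step guarded with `if: always()`.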

@tukue tukue self-assigned this Apr 8, 2026
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

