Add checkov

.github/workflows/checkov.yaml

@@ -0,0 +1,37 @@
+name: Checkov
+
+on:
+  push:
+    branches: [ "main" ]
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  checkov-job:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+      statuses: none
+    runs-on: ubuntu-latest
+    name: checkov-action
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@master
+
+      - name: Run Checkov action
+        id: checkov
+        uses: bridgecrewio/checkov-action@0549dc60bddd4c55cb85c6c3a07072e3cf2ca48e
+        with:
+          skip_check: CKV_DOCKER_2,CKV_DOCKER_3
+          quiet: true
+          output_format: cli,sarif
+          output_file_path: console,results.sarif
+          download_external_modules: true
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        if: success() || failure()
+        with:
+          sarif_file: results.sarif

.github/workflows/main.yaml

@@ -2,6 +2,8 @@ name: Lint
 
 on: [pull_request]
 
+permissions: read-all
+
 jobs:
   black:
     runs-on: ubuntu-latest

.github/workflows/no_debug_allowed.yaml

@@ -2,6 +2,8 @@ name: Make sure Debug mode is OFF!
 
 on: [pull_request]
 
+permissions: read-all
+
 jobs:
   is-debug-off:
     runs-on: ubuntu-latest

.github/workflows/no_forgoten_migrations.yaml

@@ -2,6 +2,8 @@ name: Make sure to run manage.py makemigrations if you change models
 
 on: [pull_request]
 
+permissions: read-all
+
 jobs:
   is-migration-diff-clean:
     runs-on: ubuntu-latest

.github/workflows/publish-and-deploy.yaml

@@ -5,6 +5,8 @@ on:
   push:
     branches: [ main ]
 
+permissions: read-all
+
 jobs:
   push_to_registry:
     name: Push Docker Image to Docker Hub

.github/workflows/run_django_tests.yaml

@@ -3,6 +3,8 @@ name: Run Django Tests
 on: 
   pull_request:
 
+permissions: read-all
+
 jobs:
   run-django-tests:
     runs-on: ubuntu-latest