CMSgov · mianava · May 6, 2026 · May 5, 2026 · May 6, 2026 · May 6, 2026
@@ -1,4 +1,4 @@
-name: python-checks (alarm-to-slack)
+name: code-checks (alarm-to-slack)
 description: Checks CDAP hosted alarm-to-slack function for python vulnerabilities and code quality.
 
 on:
@@ -8,11 +8,16 @@ on:
       - 'terraform/services/alarm-to-slack/lambda_src/**/*.py'
       - 'terraform/services/alarm-to-slack/lambda_src/**/requirements.txt'
       - 'terraform/modules/function/**'
+      - '.github/workflows/alarm-to-slack-checks.yml'
+      - '.github/workflows/checks-reusable.yml'
 
 jobs:
-  python-checks:
-    uses: ./.github/workflows/python-checks-reusable.yml
+  checks:
+    permissions:
+      id-token: write
+      contents: read
+    uses: ./.github/workflows/checks-reusable.yml
+    secrets: inherit
     with:
       source_path: terraform/services/alarm-to-slack/lambda_src
       sonar_project_key: cdap-alarm-to-slack
-      sonar_project_name: "CDAP Alarm to Slack"
@@ -0,0 +1,28 @@
+name: code-checks (aws-params-env-action)
+description: Leverages sonarqube to scan for quality issues and then gate the workflow success based on any issues.
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - 'actions/aws-params-env-action/**'
+      - '!actions/aws-params-env-action/**.md'
+      - '.github/workflows/aws-params-env-action-checks.yml'
+      - '.github/workflows/checks-reusable.yml'
+
+jobs:
+  checks:
+    permissions:
+      contents: read
+      id-token: write
+    uses: ./.github/workflows/checks-reusable.yml
+    secrets: inherit
+    with:
+      source_path: actions/aws-params-env-action
+      node_version: '24'
+      sonar_project_key: cdap-aws-params-env-action
+      sonar_extra_args: >
+        -Dsonar.language=ts
+        -Dsonar.typescript.tsconfigPath=tsconfig.json
+        -Dsonar.tests=__tests__
+        -Dsonar.test.inclusions=**/*.test.ts
@@ -1,29 +1,30 @@
-name: python-checks (reusable)
-description: Workflow that can be called to evaluate any script or folder containing python logic.
+name: code-checks (reusable)
+description: Workflow that can be called to evaluate any script or folder containing python logic. Used in tandem with built-in Snyk integration.
 
 on:
   workflow_call:
     inputs:
       source_path:
-        description: 'Path to the Python source directory to scan'
+        description: 'Path to Python or JavaScript source directory (optional)'
         required: true
         type: string
-      python_version:
-        description: 'Python version to use'
+      node_version:
+        description: 'Node.js version (if source is JavaScript and requires npm install)'
         required: false
         type: string
-        default: '3.14'
+        default: ''
       sonar_project_key:
         description: 'SonarQube project key'
         required: true
         type: string
-      sonar_project_name:
-        description: 'SonarQube project name'
-        required: true
+      sonar_extra_args:
+        description: 'Additional sonar-scanner -D args (optional)'
+        required: false
         type: string
+        default: ''
 
 jobs:
-  python-checks:
+  checks:
     permissions:
       contents: read
       id-token: write
@@ -35,12 +36,6 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Set up Python ${{ inputs.python_version }}
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
-        with:
-          python-version: ${{ inputs.python_version }}
-          update-environment: true
-
       - name: Assume role to AWS
         uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v4.1.0
         with:
@@ -53,41 +48,34 @@ jobs:
           AWS_REGION: ${{ vars.AWS_REGION }}
         with:
           params: |
-            SNYK_TOKEN=/cdap/${{ github.ref_name == 'main' && 'prod' || 'test' }}/snyk/api_token
             SONAR_HOST_URL=/sonarqube/url
             SONAR_TOKEN=/sonarqube/token
 
-      - name: Install Snyk CLI
-        run: |
-          curl -sSLo /usr/local/bin/snyk https://static.snyk.io/cli/latest/snyk-linux-arm64
-          chmod +x /usr/local/bin/snyk
-          snyk --version
-
-      - name: Snyk Dependency Scan (snyk test)
-        run: |
-          REQ="${{ inputs.source_path }}/requirements.txt"
-          if [ -f "$REQ" ]; then
-            echo "[Snyk] Found requirements.txt — running dependency scan..."
-            snyk test --file="$REQ"
-          else
-            echo "[Snyk] No requirements.txt found at $REQ — skipping dependency scan."
-          fi
+      - name: Setup node for Sonarqube analysis of compiled typescript
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version: ${{ inputs.node_version }}
 
-      - name: Snyk Code Scan (snyk code test)
-        continue-on-error: true
-        run: snyk code test ${{ inputs.source_path }} --include="**/*.py"
+      - name: Install Node dependencies
+        if: inputs.node_version != ''
+        working-directory: ${{ inputs.source_path }}
+        run: npm ci
 
       - name: Run SonarQube Scan
+        if: inputs.source_path != '' && inputs.sonar_project_key != ''
         uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0
         with:
+          projectBaseDir: ${{ inputs.source_path }}
           args: >
             -Dsonar.projectKey=${{ inputs.sonar_project_key }}
-            -Dsonar.projectName=${{ inputs.sonar_project_name }}
-            -Dsonar.sources=${{ inputs.source_path }}
-            -Dsonar.language=py
-            -Dsonar.python.version=${{ inputs.python_version }}
-            -Dsonar.exclusions=**/__pycache__/**,**/*.pyc,**/.terraform/**
+            -Dsonar.projectName=${{ inputs.sonar_project_key }}
+            -Dsonar.sources=.
+            -Dsonar.ci.autoconfig.disabled=true
+            -Dsonar.exclusions=**/__pycache__/**,**/*.pyc,**/.terraform/**,**/node_modules/**,**/dist/**,**/lib/**
 
-      - name: Quality Gate Check
+      - name: SonarQube Quality Gate Check
+        if: inputs.source_path != '' && inputs.sonar_project_key != ''
         uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b # v1.2.0
         timeout-minutes: 5
+        with:
+          scanMetadataReportFile: ${{ inputs.source_path }}/.scannerwork/report-task.txt
@@ -1,4 +1,4 @@
-name: set-log-retention-checks (cloudwatch log retention)
+name: code-checks (set-log-retention-checks / cloudwatch log retention)
 description: Checks CDAP hosted check-log-retention for python vulnerabilities and code quality.
 
 on:
@@ -8,11 +8,16 @@ on:
       - 'scripts/set_log_retention/*.py'
       - 'scripts/set_log_retention/requirements.txt'
       - 'terraform/modules/function/**'
+      - '.github/workflows/set-log-retention-checks.yml'
+      - '.github/workflows/checks-reusable.yml'
 
 jobs:
-  python-checks:
-    uses: ./.github/workflows/python-checks-reusable.yml
+  checks:
+    permissions:
+      id-token: write
+      contents: read
+    uses: ./.github/workflows/checks-reusable.yml
+    secrets: inherit
     with:
       source_path: scripts/set_log_retention
       sonar_project_key: cdap-set-log-retention
-      sonar_project_name: "CDAP Set Log Retention"