GitHub Action
Run tfsec with sarif upload
v0.1.4
Latest version
This GitHub Action runs tfsec and writes its findings as a SARIF report into the workspace, so that a following step (for example `github/codeql-action/upload-sarif`) can upload the report to the repository's code scanning alerts.
Example usage

```yaml
name: tfsec
on:
  push:
    branches:
      - main
  pull_request:
jobs:
  tfsec:
    name: tfsec sarif report
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Clone repo
        uses: actions/checkout@v2
        with:
          persist-credentials: false
      - name: tfsec
        uses: aquasecurity/tfsec-sarif-action@v0.1.4
        with:
          sarif_file: tfsec.sarif
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: tfsec.sarif
```
There are a number of optional inputs that can be set in the `with:` block:

- `working_directory` - the directory to scan, defaults to `.` (the current working directory)
- `tfsec_version` - the version of tfsec to use, defaults to `latest`
- `tfsec_args` - the arguments to pass to tfsec (space-separated)
- `config_file` - the path to the tfsec config file (e.g. `./tfsec.yml`)
- `full_repo_scan` - the equivalent of running tfsec with `--force-all-dirs`; ensures that all Terraform in the repo is scanned
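The workflow below is an added example, not taken from the action's README, showing the optional inputs used together: tfsec is pinned to a specific version instead of `latest` so that scan results stay reproducible across runs, a config file is supplied, an extra argument is passed through `tfsec_args`, and `full_repo_scan` forces every Terraform directory to be scanned. The config file path `.tfsec/config.yml`, the pinned version `v1.28.1`, and the `--minimum-severity HIGH` argument are assumptions chosen for illustration; the input names and the action references are the ones documented above.

```yaml
name: tfsec (pinned, full repository scan)
on:
  pull_request:
jobs:
  tfsec:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write   # required for upload-sarif to publish code scanning alerts
    steps:
      - name: Clone repo
        uses: actions/checkout@v2
        with:
          persist-credentials: false   # the scan does not need a token left in .git/config
      - name: tfsec
        uses: aquasecurity/tfsec-sarif-action@v0.1.4
        with:
          sarif_file: tfsec.sarif
          tfsec_version: v1.28.1                # assumed version: pin rather than "latest"
          config_file: .tfsec/config.yml        # assumed path to a tfsec config file
          tfsec_args: --minimum-severity HIGH   # assumed argument: only report HIGH and above
          full_repo_scan: true                  # equivalent of --force-all-dirs
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: tfsec.sarif
```

`working_directory` is left at its default of `.` here; when it is set to a subdirectory, keep in mind that the upload step expects `sarif_file` relative to the repository root, so check where the action writes the report before combining the two inputs.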