Skip to content

GitHub Action

What is it?

Github security alerts sit on the Security tab in your github project and detail any security issues that have been found.

tfsec can enrich this information, annotating the exact areas in the code base for a given branch with the details of the failure and the severity.

We have provided an action which can be used in your github repo with very little effort.

Adding the action

Github Actions make it easy to add functionality; to add an action, go to the Action tab to create a new workflow and choose to Set up a workflow yourself.

Setup a new workflow

Paste in the workflow content below (be sure to check you're using the latest version of the tfsec-sarif-action by checking here)

name: tfsec
on:
  push:
    branches:
      - main
  pull_request:
jobs:
  tfsec:
    name: tfsec sarif report
    runs-on: ubuntu-latest

    steps:
      - name: Clone repo
        uses: actions/checkout@main

      - name: tfsec
        uses: tfsec/tfsec-sarif-action@master
        with:
          sarif_file: tfsec.sarif         

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: tfsec.sarif    

What is this doing?

Basically, this action is starting a new ubuntu github action container and checking out the code for either the pull request or the push to master/main.

Once the code has been checked out, tfsec with process everything in the local path and generate a sarif report.

Finally, the sarif report will be uploaded and the Security tab updated with the identified checks.

It will look something like;

Code Scanning

Anything else I should know?

If you have code that is deeper in the github repo, you can use working_directory for the action;

- name: tfsec
  uses: tfsec/tfsec-sarif-action@v0.0.3
  with:
    working_directory: terraform/relevant
    sarif_file: tfsec.sarif         
    github_token: ${{ secrets.GITHUB_TOKEN }}

This will target the checks to all folders under terraform/relevant