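├── Dockerfile
├── LICENSE
├── README.md
├── action.yml
└── entrypoint.sh

/Dockerfile:
--------------------------------------------------------------------------------
# syntax=docker/dockerfile:1
FROM alpine:3.16.2

# bash is required by the SHELL directive below and by entrypoint.sh; wget
# fetches the tfsec release; git/mercurial are presumably there so tfsec can
# resolve remote Terraform modules — confirm which are actually needed.
# `--update` is redundant with `--no-cache` and has been dropped.
# TODO(review): pin package versions (hadolint DL3018) for reproducible rebuilds.
RUN apk add --no-cache \
        bash \
        git \
        mercurial \
        wget

SHELL ["/bin/bash", "-eo", "pipefail", "-c"]

# The tfsec release baked into the image. NOTE: entrypoint.sh has its per-run
# download logic commented out, so the action's `tfsec_version` input does not
# change the binary that runs; bump this ARG instead.
ARG TFSEC_VERSION=v1.28.1
ARG TFSEC_RELEASE=https://github.com/aquasecurity/tfsec/releases/download/${TFSEC_VERSION}

# Download the binary together with the release's checksum manifest and verify
# the SHA-256 before installing. The previous `ADD <url> .` fetched the binary
# with no integrity check and also left a second copy of it in the image root;
# fetching, verifying, installing and cleaning up in one layer avoids both.
# The `$` anchor keeps the grep from also matching e.g. a detached signature
# entry for the same file name.
RUN wget -q -O /tmp/tfsec-linux-amd64 "${TFSEC_RELEASE}/tfsec-linux-amd64" \
    && wget -q -O /tmp/tfsec_checksums.txt "${TFSEC_RELEASE}/tfsec_checksums.txt" \
    && (cd /tmp && grep ' tfsec-linux-amd64$' tfsec_checksums.txt | sha256sum -c -) \
    && install -m 0755 /tmp/tfsec-linux-amd64 /usr/local/bin/tfsec \
    && rm -f /tmp/tfsec-linux-amd64 /tmp/tfsec_checksums.txt

COPY entrypoint.sh /entrypoint.sh

# No USER directive on purpose: GitHub runs Docker actions as the container's
# default user and documents that adding USER breaks access to GITHUB_WORKSPACE.
ENTRYPOINT ["/entrypoint.sh"]
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2019 Liam Galvin

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.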
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# tfsec-sarif-action

## Description

This GitHub Action runs tfsec with SARIF output and writes the report into the checked-out repository so a later step can upload it.

Example usage

```yaml
name: tfsec
on:
  push:
    branches:
      - main
  pull_request:
jobs:
  tfsec:
    name: tfsec sarif report
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Clone repo
        uses: actions/checkout@v2
        with:
          persist-credentials: false

      - name: tfsec
        uses: aquasecurity/tfsec-sarif-action@v0.1.0
        with:
          sarif_file: tfsec.sarif

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: tfsec.sarif
```

## Optional inputs
There are a number of optional inputs that can be used in the `with:` block.

**working_directory** - the directory to scan in, defaults to `.`, i.e. the current working directory

**tfsec_version** - the version of tfsec to use, defaults to `latest`

**tfsec_args** - the args for tfsec to use (space-separated)

**config_file** - The path to the config file. (e.g. 
./tfsec.yml)

**full_repo_scan** - This is the equivalent of running `--force-all-dirs` and will ensure that all Terraform in the repo is scanned

--------------------------------------------------------------------------------

/action.yml:
--------------------------------------------------------------------------------
name: "Run tfsec with sarif upload"
description: "Run tfsec against terraform code base and upload the sarif output to the github repo"
author: "Owen Rumney"

inputs:
  working_directory:
    description: |
      Directory to run the action on, from the repo root.
      Default is . (root of the repository)
    default: "."
    required: false
  sarif_file:
    description: The path to write the sarif report, defaults to tfsec.sarif
    default: tfsec.sarif
    required: false
  tfvars_file:
    description: The tfvars file to use for the scan
    required: false
  tfsec_version:
    description: The version of tfsec to use for the scan, defaults to latest
    default: latest
    required: false
  config_file:
    description: The path to the config file. (e.g. ./tfsec.yml)
    required: false
  tfsec_args:
    description: |
      Space-separated args specified here will be added during tfsec execution.
      (e.g. 
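--verbose)
    required: false
  full_repo_scan:
    description: Scan the entire repository for Terraform issues
    required: false

outputs:
  tfsec-return-code:
    description: "tfsec command return code"
runs:
  using: "docker"
  image: "Dockerfile"
branding:
  icon: "search"
  color: "gray-dark"

--------------------------------------------------------------------------------

/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Entrypoint for the tfsec SARIF GitHub Action.
#
# Runs tfsec against the checked-out repository, always leaves a SARIF document
# at INPUT_SARIF_FILE (an empty "{}" if tfsec never wrote one), and publishes
# tfsec's exit status as the `tfsec-return-code` step output.
# Inputs arrive as INPUT_<NAME> environment variables set from action.yml.

# -e: abort on unexpected failures; -x: trace commands to the job log (the
# inputs are workflow-controlled, not secrets). The tfsec invocation itself is
# exempted from -e below so the return code is always recorded.
set -xe

# Run from the checked-out repository when GitHub provides one; otherwise stay
# in the current directory (e.g. a plain `docker run` without a workspace).
if [ -n "${GITHUB_WORKSPACE}" ]; then
  cd "${GITHUB_WORKSPACE}" || exit 1
fi

# default to latest
TFSEC_VERSION="latest"

# if INPUT_TFSEC_VERSION set and not latest
if [[ -n "${INPUT_TFSEC_VERSION}" && "${INPUT_TFSEC_VERSION}" != "latest" ]]; then
  TFSEC_VERSION="tags/${INPUT_TFSEC_VERSION}"
fi
# NOTE: TFSEC_VERSION is not consumed anywhere while the download below stays
# commented out — the tfsec binary baked into the image by the Dockerfile is
# what actually runs, so the tfsec_version input is currently ignored.

# # Pull https://api.github.com/repos/aquasecurity/tfsec/releases for the full list of releases. NOTE no trailing slash
# wget --inet4-only -O - -q "$(wget --inet4-only -q https://api.github.com/repos/aquasecurity/tfsec/releases/${TFSEC_VERSION} -O - | grep -m 1 -o -E "https://.+?tfsec-linux-amd64" | head -n1)" > tfsec-linux-amd64
# wget --inet4-only -O - -q "$(wget --inet4-only -q https://api.github.com/repos/aquasecurity/tfsec/releases/${TFSEC_VERSION} -O - | grep -m 1 -o -E "https://.+?tfsec_checksums.txt" | head -n1)" > tfsec.checksums

# # pipe out the checksum and validate
# grep tfsec-linux-amd64 tfsec.checksums > tfsec-linux-amd64.checksum
# sha256sum -c tfsec-linux-amd64.checksum
# install tfsec-linux-amd64 /usr/local/bin/tfsec

# tfsec arguments are collected in an array so that file paths containing
# spaces reach tfsec as single arguments (the old space-joined strings were
# word-split by the shell).
tfsec_args=()

# if set, all dirs to be included. Action inputs are strings, so a literal
# "false" must not be treated as enabled.
if [[ -n "${INPUT_FULL_REPO_SCAN}" && "${INPUT_FULL_REPO_SCAN}" != "false" ]]; then
  echo "Forcing all directories to be scanned"
  tfsec_args+=(--force-all-dirs)
fi

# if any additional args included, add them on. INPUT_TFSEC_ARGS is documented
# as space-separated, so splitting on whitespace is intentional; `read -a`
# does that without the glob expansion an unquoted expansion would apply.
if [ -n "${INPUT_TFSEC_ARGS}" ]; then
  echo "Using specified args: ${INPUT_TFSEC_ARGS}"
  read -r -a extra_args <<< "${INPUT_TFSEC_ARGS}"
  tfsec_args+=("${extra_args[@]}")
fi

# if config file passed, add config to the arguments
if [ -n "${INPUT_CONFIG_FILE}" ]; then
  echo "Using config file ${INPUT_CONFIG_FILE}"
  tfsec_args+=(--config-file "${INPUT_CONFIG_FILE}")
fi

# if input vars file then add to arguments
if [ -n "${INPUT_TFVARS_FILE}" ]; then
  echo "Using tfvars file ${INPUT_TFVARS_FILE}"
  tfsec_args+=(--tfvars-file "${INPUT_TFVARS_FILE}")
fi

# Fall back to the action.yml defaults if the variables arrive empty, so the
# redirect below never sees an empty target.
sarif_file="${INPUT_SARIF_FILE:-tfsec.sarif}"
working_directory="${INPUT_WORKING_DIRECTORY:-.}"

# prime the sarif file with empty results so the upload step always finds a file
echo '{}' > "${sarif_file}"

# --soft-fail: findings do not change the exit code, only scanner errors do.
# The `||` keeps set -e from aborting before the return code is published
# (previously a tfsec error exited the script without writing the output).
tfsec_return=0
tfsec --soft-fail --out="${sarif_file}" --format=sarif "${tfsec_args[@]}" "${working_directory}" || tfsec_return=$?

echo "tfsec-return-code=${tfsec_return}" >> "${GITHUB_OUTPUT}"

# Keep the previous behaviour of failing the step when tfsec itself errored.
exit "${tfsec_return}"
--------------------------------------------------------------------------------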