├── .github └── workflows │ ├── CI.yml │ ├── MasterCI.yml │ └── UpdateFloatingTag.yml ├── CODE_OF_CONDUCT.md ├── Dockerfile ├── LICENSE ├── README.md ├── action.yml ├── entrypoint.sh └── test └── main.tf /.github/workflows/CI.yml: -------------------------------------------------------------------------------- 1 | name: CI 2 | 3 | on: 4 | pull_request: 5 | branches: [ master ] 6 | 7 | jobs: 8 | shellcheck: 9 | name: CI 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: actions/checkout@v2 13 | - name: ShellCheck 14 | uses: ludeeus/action-shellcheck@0.4.1 15 | -------------------------------------------------------------------------------- /.github/workflows/MasterCI.yml: -------------------------------------------------------------------------------- 1 | name: Master CI 2 | on: 3 | push: 4 | branches: [ master ] 5 | 6 | jobs: 7 | CI: 8 | name: CI 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v2 12 | - name: ShellCheck 13 | uses: ludeeus/action-shellcheck@0.4.1 14 | - name: Terraform security scan 15 | uses: triat/terraform-security-scan@master 16 | with: 17 | tfsec_actions_comment: false 18 | tfsec_actions_working_dir: "test/" 19 | tfsec_exclude: "AWS018,AWS006,AWS004,AWS003,AZU003,aws-ec2-add-description-to-security-group-rule,aws-ec2-no-public-ingress-sgr" 20 | env: 21 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 22 | -------------------------------------------------------------------------------- /.github/workflows/UpdateFloatingTag.yml: -------------------------------------------------------------------------------- 1 | name: 'Update major version tag' 2 | 3 | on: 4 | release: 5 | types: [created, published] 6 | 7 | jobs: 8 | # updates the floating tag alias for the major version. 9 | release: 10 | runs-on: 'ubuntu-latest' 11 | steps: 12 | - name: Parse higher semantic versions 13 | id: semver 14 | shell: bash 15 | run: | 16 | TAG="${{ github.ref_name }}" 17 | MINOR="${TAG%.*}" 18 | MAJOR="${MINOR%.*}" 19 | echo "::set-output name=major::$(echo $MAJOR)" 20 | echo "::set-output name=minor::$(echo $MINOR)" 21 | - name: 'Update major version tag' 22 | uses: 'actions/github-script@v5' 23 | with: 24 | script: |- 25 | const sha = '${{ github.sha }}' 26 | const major = '${{ steps.semver.outputs.major }}'; 27 | // Try to update the ref first. If that fails, it probably does not 28 | // exist yet, and we should create it. 29 | try { 30 | await github.rest.git.updateRef({ 31 | owner: context.repo.owner, 32 | repo: context.repo.repo, 33 | ref: `tags/${major}`, 34 | sha: sha, 35 | force: true, 36 | }); 37 | core.info(`Updated ${major} to ${sha}`); 38 | } catch(err) { 39 | core.warning(`Failed to create ${major}: ${err}`); 40 | await github.rest.git.createRef({ 41 | owner: context.repo.owner, 42 | repo: context.repo.repo, 43 | ref: `refs/tags/${major}`, 44 | sha: sha, 45 | }); 46 | core.info(`Created ${major} at ${sha}`); 47 | } 48 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, sex characteristics, gender identity and expression, 9 | level of experience, education, socio-economic status, nationality, personal 10 | appearance, race, religion, or sexual identity and orientation. 11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at tom@riat.dev. All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 67 | 68 | ## Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html 72 | 73 | [homepage]: https://www.contributor-covenant.org 74 | 75 | For answers to common questions about this code of conduct, see 76 | https://www.contributor-covenant.org/faq 77 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | # pinned version of the Alpine-tagged 'go' image 2 | FROM golang:1.23-alpine 3 | 4 | # install requirements 5 | RUN apk add --update --no-cache bash ca-certificates curl jq 6 | 7 | COPY entrypoint.sh /entrypoint.sh 8 | # set the default entrypoint -- when this container is run, use this command 9 | ENTRYPOINT ["/entrypoint.sh"] 10 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Tom Riat 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ![Master CI](https://github.com/triat/terraform-security-scan/workflows/Master%20CI/badge.svg?branch=master) 2 | # Terraform security check action 3 | 4 | This action runs https://github.com/tfsec/tfsec on `$GITHUB_WORKSPACE`. This is a security check on your terraform repository. 5 | 6 | The action requires the https://github.com/actions/checkout before to download the content of your repo inside the docker. 7 | 8 | ## Inputs 9 | 10 | * `tfsec_actions_comment` - (Optional) Whether or not to comment on GitHub pull requests. Defaults to `true`. 11 | * `tfsec_actions_working_dir` - (Optional) Terraform working directory location. Defaults to `'.'`. 12 | * `tfsec_exclude` - (Optional) Provide checks via `,` without space to exclude from run. No default 13 | * `tfsec_version` - (Optional) Specify the version of tfsec to install. Defaults to the latest 14 | * `tfsec_output_format` - (Optional) The output format: default, json, csv, checkstyle, junit, sarif (check `tfsec` for an extensive list) 15 | * `tfsec_output_file` - (Optional) The name of the output file 16 | 17 | ## Outputs 18 | 19 | None 20 | 21 | ## Example usage 22 | 23 | ```yaml 24 | steps: 25 | - uses: actions/checkout@v2 26 | - uses: triat/terraform-security-scan@v3 27 | ``` 28 | The above example uses a tagged version (`v3`), you can also opt to use any of the released version. 29 | 30 | To allow the action to add a comment to a PR when it fails you need to append the `GITHUB_TOKEN` variable to the tfsec action: 31 | 32 | ```yaml 33 | env: 34 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 35 | ``` 36 | 37 | Full example: 38 | 39 | ```yaml 40 | jobs: 41 | tfsec: 42 | name: tfsec 43 | runs-on: ubuntu-latest 44 | steps: 45 | - name: Checkout 46 | uses: actions/checkout@v2 47 | - name: Terraform security scan 48 | uses: triat/terraform-security-scan@v3.0.0 49 | env: 50 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 51 | ``` 52 | -------------------------------------------------------------------------------- /action.yml: -------------------------------------------------------------------------------- 1 | # action.yml 2 | name: 'Terraform security scan' 3 | description: 'Scan your terraform code with tfsec' 4 | inputs: 5 | tfsec_actions_comment: 6 | description: 'Whether or not to comment on pull requests.' 7 | required: false 8 | default: true 9 | tfsec_actions_working_dir: 10 | description: 'Terraform working directory.' 11 | required: false 12 | default: '.' 13 | tfsec_exclude: 14 | description: 'Provide checks via , without space to exclude from run' 15 | required: false 16 | tfsec_version: 17 | description: 'Specify the version of tfsec to install' 18 | required: false 19 | tfsec_output_format: 20 | description: 'The output format: default, json, csv, checkstyle, junit, sarif (check `tfsec` for an extensive list)' 21 | required: false 22 | tfsec_output_file: 23 | description: 'The name of the output file' 24 | required: false 25 | runs: 26 | using: 'docker' 27 | image: './Dockerfile' 28 | branding: 29 | icon: 'shield' 30 | color: 'gray-dark' 31 | -------------------------------------------------------------------------------- /entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # set working directory 4 | if [ "${INPUT_TFSEC_ACTIONS_WORKING_DIR}" != "" ] && [ "${INPUT_TFSEC_ACTIONS_WORKING_DIR}" != "." ]; then 5 | TFSEC_WORKING_DIR="/github/workspace/${INPUT_TFSEC_ACTIONS_WORKING_DIR}" 6 | else 7 | TFSEC_WORKING_DIR="/github/workspace/" 8 | fi 9 | 10 | # grab tfsec from GitHub (taken from README.md) 11 | if [[ -n "$INPUT_TFSEC_VERSION" ]]; then 12 | env GO111MODULE=on go install github.com/aquasecurity/tfsec/cmd/tfsec@"${INPUT_TFSEC_VERSION}" 13 | else 14 | env GO111MODULE=on go install github.com/aquasecurity/tfsec/cmd/tfsec@latest 15 | fi 16 | 17 | if [[ -n "$INPUT_TFSEC_EXCLUDE" ]]; then 18 | TFSEC_OUTPUT=$(/go/bin/tfsec ${TFSEC_WORKING_DIR} --no-colour -e "${INPUT_TFSEC_EXCLUDE}" ${INPUT_TFSEC_OUTPUT_FORMAT:+ -f "$INPUT_TFSEC_OUTPUT_FORMAT"} ${INPUT_TFSEC_OUTPUT_FILE:+ --out "$INPUT_TFSEC_OUTPUT_FILE"}) 19 | else 20 | TFSEC_OUTPUT=$(/go/bin/tfsec ${TFSEC_WORKING_DIR} --no-colour ${INPUT_TFSEC_OUTPUT_FORMAT:+ -f "$INPUT_TFSEC_OUTPUT_FORMAT"} ${INPUT_TFSEC_OUTPUT_FILE:+ --out "$INPUT_TFSEC_OUTPUT_FILE"}) 21 | fi 22 | TFSEC_EXITCODE=${?} 23 | 24 | # Exit code of 0 indicates success. 25 | if [ ${TFSEC_EXITCODE} -eq 0 ]; then 26 | TFSEC_STATUS="Success" 27 | else 28 | TFSEC_STATUS="Failed" 29 | fi 30 | 31 | # Print output. 32 | echo "${TFSEC_OUTPUT}" 33 | 34 | # Comment on the pull request if necessary. 35 | if [ "${INPUT_TFSEC_ACTIONS_COMMENT}" == "1" ] || [ "${INPUT_TFSEC_ACTIONS_COMMENT}" == "true" ]; then 36 | TFSEC_COMMENT=1 37 | else 38 | TFSEC_COMMENT=0 39 | fi 40 | 41 | if [ "${GITHUB_EVENT_NAME}" == "pull_request" ] && [ -n "${GITHUB_TOKEN}" ] && [ "${TFSEC_COMMENT}" == "1" ] && [ "${TFSEC_EXITCODE}" != "0" ]; then 42 | COMMENT="#### \`Terraform Security Scan\` ${TFSEC_STATUS} 43 |
Show Output 44 | 45 | \`\`\`hcl 46 | ${TFSEC_OUTPUT} 47 | \`\`\` 48 | 49 |
" 50 | PAYLOAD=$(echo "${COMMENT}" | jq -R --slurp '{body: .}') 51 | URL=$(jq -r .pull_request.comments_url "${GITHUB_EVENT_PATH}") 52 | echo "${PAYLOAD}" | curl -s -S -H "Authorization: token ${GITHUB_TOKEN}" --header "Content-Type: application/json" --data @- "${URL}" > /dev/null 53 | fi 54 | 55 | exit $TFSEC_EXITCODE 56 | -------------------------------------------------------------------------------- /test/main.tf: -------------------------------------------------------------------------------- 1 | resource "aws_security_group_rule" "my-rule" { 2 | type = "ingress" 3 | cidr_blocks = ["0.0.0.0/0"] 4 | } 5 | 6 | resource "aws_alb_listener" "my-valid-alb-listener"{ 7 | port = "80" 8 | protocol = "HTTPS" 9 | } 10 | 11 | resource "aws_alb_listener" "my-wrong-alb-listener"{ 12 | port = "80" 13 | protocol = "HTTP" 14 | } 15 | 16 | resource "aws_db_security_group" "my-group" { 17 | 18 | } 19 | 20 | variable "enableEncryption" { 21 | default = false 22 | } 23 | 24 | resource "azurerm_managed_disk" "source" { 25 | encryption_settings { 26 | enabled = var.enableEncryption 27 | } 28 | } 29 | --------------------------------------------------------------------------------