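# Runs tfsec over the repository's Terraform files and reports findings as
# pull-request comments plus a job summary. Triggered manually, on pushes to
# main that touch *.tf, and on pull requests that touch *.tf.
---
name: Terraform security scanner

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - "**.tf"
  pull_request:
    paths:
      - "**.tf"

# Least privilege: the job only reads the checkout and writes PR comments.
# NOTE(review): for pull requests from forks the GITHUB_TOKEN is read-only,
# so the comment step may be unable to post — confirm against the action's
# behaviour in that case.
permissions:
  contents: read
  pull-requests: write

# Abort runs of *this* workflow, if a new commit with the same ref is pushed.
# Runs on main are never cancelled, so every commit on main gets a full scan.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
  tfsec:
    name: tfsec
    runs-on: ubuntu-latest
    steps:
      # Both actions are pinned to full commit SHAs rather than mutable tags,
      # so a re-tagged or compromised release cannot change what runs here.
      - name: Checkout
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
        with:
          # On pull_request events scan the PR head commit instead of the
          # synthetic merge commit; on push/workflow_dispatch this expression
          # is empty and checkout falls back to the triggering ref.
          ref: ${{ github.event.pull_request.head.sha }}

      - name: tfsec
        uses: aquasecurity/tfsec-pr-commenter-action@1015a3975c7f1400ee4d9f423a7786a3df9fcbec
        with:
          # "text" is needed in addition to the default format so that the
          # summary step below has a results.text file to read.
          tfsec_formats: default,text
          tfsec_args: --force-all-dirs
          github_token: ${{ github.token }}

      # Publish the tail of the text report to the job summary. Runs even if
      # the scan step failed, so the report is not lost, but not after a
      # cancellation. Guarding on the file avoids a confusing "No such file"
      # failure when the scan step never wrote a report.
      - name: tfsec summary
        if: ${{ !cancelled() }}
        shell: bash
        run: |
          # 27 lines was the original author's choice — presumably the size of
          # the report's closing summary block; confirm if the format changes.
          if [ -f results.text ]; then
            tail -n 27 results.text >> "$GITHUB_STEP_SUMMARY"
          else
            echo "tfsec produced no results.text report" >> "$GITHUB_STEP_SUMMARY"
          fi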