name: Terraform security scanner

on:
  workflow_dispatch:
  push:
    branches:
      - main
      - "release/**"
    paths:
      - "**.tf"
      - ".github/workflows/test-tfsec.yml"
  pull_request:
    paths:
      - "**.tf"
      - ".github/workflows/test-tfsec.yml"

jobs:
  tfsec:
    name: tfsec
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: tfsec
        uses: aquasecurity/tfsec-pr-commenter-action@5b483d46fb4fd0cbe2259cf68354a3fb23aa70fe
        with:
          soft_fail_commenter: true
          tfsec_formats: default,text
          tfsec_args: --force-all-dirs
          github_token: ${{ github.token }}

      - name: tfsec summary
        shell: bash
        run: tail -n 27 results.text >> "$GITHUB_STEP_SUMMARY"